- From: Rob van Eijk <rob@blaeu.com>
- Date: Wed, 25 Jan 2012 10:45:25 +0100
- To: public-tracking@w3.org
- Message-ID: <4F1FCF35.501@blaeu.com>
Hereby the handouts of the presentation at the meeting in Brussels. You can contact me via the list or off-list for further discussion.

Kind regards,
Rob

On 10-1-2012 11:25, Aleecia M. McDonald wrote:
> Greetings,
>
> I've been giving some thought to how we can make our work relevant in the EU and US, despite some strong differences. Nations have borders but the Internet does not. How can we support different regional cultures, norms, and laws on the Internet? I am putting this out as some things to think about and discuss further.
>
> Here are a few of my starting assumptions:
>
> * In the US, a first v. third party distinction is very important to businesses. In many (but not all) EU countries, first party is not an interesting or meaningful way to look at things.
> * Key word in Europe: Consent
>   - Users who do not consent to data practices must have their privacy protected.
>   - A global consent may not be sufficient; consent must be particular to a company and to a description of data use (in at least some countries)
>   - We should at least address Article 5(3) of the 2002 ePrivacy Directive [1]
>   - There is wide interest in finding a way to implement the revised framework of the Article 5(3) ePrivacy Directive without a deeply painful (on business or users) implementation, and DNT may help [2]
>   - The exemptions we consider would not be valid in the EU without specific consent [3]
> * Key word in US: Choice
>   - Users who choose to interact with a site do not need as much privacy protection as they do from sites they do not choose to interact with
>   - We should at least fulfill the requirements for DNT set out in the FTC staff report [4]
>   - We should co-exist with existing industry self-regulation mechanisms [5]
>
> Here are three areas where I think we can have a uniform underlying technical standard that is flexible enough to accommodate different national and regional policy priorities:
>
> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable DNT, DNT: 0 means do not enable DNT, and nothing sent means users have not made a selection.
> In the US, no DNT signal gets viewed as "users did not choose to enable DNT" and treated as DNT: 0.
> In some of the EU, no DNT signal gets viewed as "users did not consent to tracking" and treated as DNT: 1.
>
> (B) In the US, site-specific exceptions will allow users to "opt back in" for specific first and third party pairs (perhaps along the likes of what Shane and Nick co-authored). In the EU, some (but not all) countries will require consent on a site-by-site basis, rather than a global "DNT: 0" signal or no DNT signal at all. The site-specific exemptions mechanism becomes the path to enable users to consent per site.
>
> (C) In the US, first parties have minimal responsibilities when receiving a DNT: 1 signal (perhaps along the lines of what Jonathan and Tom co-authored). In some (but not all) EU countries, there may be nothing that applies globally to all first and third parties, (and more to the point, the data controller) perhaps making the first/third party distinction irrelevant.
>
> I think this could be good enough in enough different ways for enough different interests. I'd like to hear other reactions. Does anyone have better or simpler ideas? Is this still too US-centric to work in Europe?
>
> If we find something we think will work, we could add a non-normative section to one of the specifications, or we could issue a note. Either way, I think specifications shouldn't be hard-coded to specific regulations and laws. However, since I think this approach could be confusing to those implementing the specification, I would like to give implementors a fighting chance by providing our opinions (and not legal advice!) with pointers to additional information. How does this approach sound?
>
> And last but not least: any volunteers to work on these topics?
>
> Aleecia
>
> Thanks to a few TPWG members for taking time to step me through some of the issues here. All mistakes are, of course, my own. Citations and useful reading:
>
> [1] For the before & after versions of 5(3), see [7], p 7
> [2] See slides from Carl Christian Buhr, a member of Commissioner Kroes' Cabinet (European Commission), particularly slides 11-13, suggesting DNT could satisfy 5(3): http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
> [3] As per 5(3), "Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user" is a given, but are other exemptions allowed? Recital 25 reads to me as: yes with consent, and no without consent. For example, billing for ad impressions is not part of the service explicitly requested, and seems to require informed consent. See [7], p 8
> [4] FTC staff report, starting p 63, http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
> [5] In particular, it would be unfortunate if DNT off with an opt-out cookie was interpreted one way by self-regulatory bodies, and another way in the DNT recommendations. We likely will reach different end points than the self-regulation guidelines, but they remain a very fruitful source of background information, including the recent multi-site data principles (http://www.aboutads.info/msdprinciples) and the OBA principles (http://www.aboutads.info/obaprinciples).
> [6] A very readable summary of [7] discussing where industry self-regulation is seen to fall short of 5(3): http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie
> [7] The actual report itself: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf (COCOM10-34, Implementation of the revised Framework - Article 5(3) of the ePrivacy Directive)
> [8] The whole text is worth at least skimming, including a brief note on children under 12. In particular the section on consent for cookies starting on p 8, and examples of consent not using pop ups on p 9: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf
Attachments
- application/pdf attachment: W3C_v2.pdf
Received on Wednesday, 25 January 2012 09:46:11 UTC
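As an added illustration of the tri-part DNT signal in (A) and the site-specific exceptions in (B) of the quoted message (example code written for this page, not part of the original email or of any W3C specification), a server-side check that resolves a missing header per region and consults per-site consent; the region labels "US"/"EU", the consent store and the example domains are assumptions:

```python
# Added example: policy check for the tri-state DNT header (DNT: 1, DNT: 0,
# or no header) under two regional defaults, plus site-specific exceptions.
# Region labels, request shape and consent store are assumptions.
from dataclasses import dataclass, field

# Regional default when no DNT header is present, as described in the email:
# the US treats absence as DNT: 0, (some of) the EU treats absence as DNT: 1.
DEFAULT_WHEN_ABSENT = {"US": "0", "EU": "1"}


@dataclass
class Request:
    region: str        # policy regime the server applies: "US" or "EU" (assumed)
    headers: dict      # HTTP request headers with lowercased names
    first_party: str   # site the user is visiting
    third_party: str   # origin of the embedded resource being evaluated


@dataclass
class ConsentStore:
    # (first_party, third_party) pairs the user explicitly opted back in for (B).
    site_exceptions: set = field(default_factory=set)


def effective_dnt(req: Request) -> str:
    """Return "0" or "1", resolving a missing or malformed header per region."""
    raw = req.headers.get("dnt")
    if raw in ("0", "1"):
        return raw
    return DEFAULT_WHEN_ABSENT[req.region]


def tracking_permitted(req: Request, consent: ConsentStore) -> bool:
    """Decide whether the third party may track on this request.

    US regime (as sketched in the email): a global DNT: 0 (or no header)
    permits tracking; DNT: 1 forbids it unless the user granted a
    site-specific exception for this first/third party pair.
    EU regime (the countries requiring per-site consent): a global DNT: 0
    or missing header is never sufficient; only a per-site exception counts.
    """
    pair = (req.first_party, req.third_party)
    if pair in consent.site_exceptions:
        return True
    if req.region == "EU":
        return False  # no global opt-in; consent must be site-specific
    return effective_dnt(req) == "0"
```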