Re: Request for thoughts: US, EU, and international DNT

Herewith the handouts from the presentation at the meeting in Brussels.

You can contact me via the list or off-list for further discussion.

Kind regards,
Rob

On 10-1-2012 11:25, Aleecia M. McDonald wrote:
> Greetings,
>
> I've been giving some thought to how we can make our work relevant in 
> the EU and US, despite some strong differences. Nations have borders 
> but the Internet does not. How can we support different regional 
> cultures, norms, and laws on the Internet? I am putting this out as 
> some things to think about and discuss further.
>
> Here are a few of my starting assumptions:
>
> * In the US, a first v. third party distinction is very important to 
> businesses.
> - In many (but not all) EU countries, first party is not an 
> interesting or meaningful way to look at things.
> * Key word in Europe: Consent
> - Users who do not consent to data practices must have their privacy 
> protected.
> - A global consent may not be sufficient; consent must be particular 
> to a company and to a description of data use (in at least some countries)
> - We should at least address Article 5(3) of the 2002 ePrivacy 
> Directive [1]
> - There is wide interest in finding a way to implement the revised 
> framework of the Article 5(3) ePrivacy Directive without a deeply 
> painful (on business or users) implementation, and DNT may help [2]
> - The exemptions we consider would not be valid in the EU without 
> specific consent [3]
> * Key word in US: Choice
> - Users who choose to interact with a site do not need as much privacy 
> protection as they do from sites they do not choose to interact with
> - We should at least fulfill the requirements for DNT set out in the 
> FTC staff report [4]
> - We should co-exist with existing industry self-regulation mechanisms [5]
>
> Here are three areas where I think we can have a uniform underlying 
> technical standard that is flexible enough to accommodate different 
> national and regional policy priorities:
>
> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable 
> DNT, DNT: 0 means do not enable DNT, and nothing sent means users have 
> not made a selection.
> In the US, no DNT signal gets viewed as "users did not choose to 
> enable DNT" and treated as DNT: 0.
> In some of the EU, no DNT signal gets viewed as "users did not consent 
> to tracking" and treated as DNT: 1.
> (B) In the US, site-specific exceptions will allow users to "opt back 
> in" for specific first and third party pairs (perhaps along the likes 
> of what Shane and Nick co-authored). In the EU, some (but not all) 
> countries will require consent on a site-by-site basis, rather than a 
> global "DNT: 0" signal or no DNT signal at all. The site-specific 
> exemptions mechanism becomes the path to enable users to consent per site.
> (C) In the US, first parties have minimal responsibilities when 
> receiving a DNT: 1 signal (perhaps along the lines of what Jonathan 
> and Tom co-authored). In some (but not all) EU countries, there may be 
> nothing that applies globally to all first and third parties (and, 
> more to the point, the data controller), perhaps making the first/third 
> party distinction irrelevant.
>
> I think this could be good enough in enough different ways for enough 
> different interests. I'd like to hear other reactions. Does anyone 
> have better or simpler ideas? Is this still too US-centric to work in 
> Europe?
>
> If we find something we think will work, we could add a non-normative 
> section to one of the specifications, or we could issue a note. Either 
> way, I think specifications shouldn't be hard-coded to specific 
> regulations and laws. However, since I think this approach could be 
> confusing to those implementing the specification, I would like to 
> give implementors a fighting chance by providing our opinions (and not 
> legal advice!) with pointers to additional information. How does this 
> approach sound?
>
> And last but not least: any volunteers to work on these topics?
>
> Aleecia
>
> Thanks to a few TPWG members for taking time to step me through some 
> of the issues here. All mistakes are, of course, my own. Citations and 
> useful reading:
>
> [1] For the before & after versions of 5(3), see [7], p 7
> [2] See slides from Carl Christian Buhr, a member of Commissioner 
> Kroes' Cabinet (European Commission), particularly slides 11-13, 
> suggesting DNT could satisfy 5(3): 
> http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
> [3] As per 5(3), "Exceptions to the obligation to provide information 
> and offer the right to refuse should be limited to those situations 
> where the technical storage or access is strictly necessary for the 
> legitimate purpose of enabling the use of a specific service 
> explicitly requested by the subscriber or user" is a given, but are 
> other exemptions allowed? Recital 25 reads to me as: yes with consent, 
> and no without consent. For example, billing for ad impressions is not 
> part of the service explicitly requested, and seems to require 
> informed consent. See [7], p 8
> [4] FTC staff report, starting p 63, 
> http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
> [5] In particular, it would be unfortunate if DNT off with an opt-out 
> cookie was interpreted one way by self-regulatory bodies, and another 
> way in the DNT recommendations. We likely will reach different end 
> points than the self-regulation guidelines, but they remain a very 
> fruitful source of background information, including the recent 
> multi-site data principles (http://www.aboutads.info/msdprinciples) 
> and the OBA principles (http://www.aboutads.info/obaprinciples).
> [6] A very readable summary of [7] discussing where industry 
> self-regulation is seen to fall short of 5(3): 
> http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie
>
> [7] The actual report itself: 
> http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf 
> (COCOM10-34, Implementation of the revised Framework – Article 5(3) of 
> the ePrivacy Directive)
> [8] The whole text is worth at least skimming, including a brief note 
> on children under 12. In particular the section on consent for cookies 
> starting on p 8, and examples of consent not using pop ups on p 9: 
> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf
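As an added illustration of proposals (A) through (C) in the quoted mail, and not code from the thread or from any W3C draft, the following Python sketch shows how a server might evaluate one request against a regional reading of the DNT header together with a set of site-specific exceptions. The region labels, the RegionalPolicy fields, the function names, the constructed example hostnames and the decision to treat a malformed header value as "nothing sent" are all assumptions made for the example.

```python
"""Server-side evaluation of a DNT request under regional defaults.

Added example; not code from the thread or from any W3C draft. The policy
fields below are an assumed encoding of proposals (A), (B) and (C) in the
quoted mail, not an implementation of any agreed specification.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PartyPair = Tuple[str, str]   # (first-party site, third-party domain)


@dataclass(frozen=True)
class RegionalPolicy:
    name: str
    # (A): how an absent DNT header is read, "1" or "0".
    absent_means: str
    # (B): whether a global "DNT: 0" (or no header) is itself enough, or
    # whether consent must be expressed per first/third-party pair.
    needs_site_specific_consent: bool
    # (C): whether the first party keeps a lighter duty under "DNT: 1".
    first_party_exempt: bool


# Assumed encodings of the two regimes sketched in the mail.
US_POLICY = RegionalPolicy("US", absent_means="0",
                           needs_site_specific_consent=False,
                           first_party_exempt=True)
EU_POLICY = RegionalPolicy("EU", absent_means="1",
                           needs_site_specific_consent=True,
                           first_party_exempt=False)


def parse_dnt(headers: Dict[str, str]) -> Optional[str]:
    """Return "1", "0", or None when the header is absent or unrecognised.

    Header names are matched case-insensitively. Anything other than a bare
    "0" or "1" is treated as if nothing had been sent; that is an assumption
    of this example, since the mail only defines those two values.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            return value if value in ("0", "1") else None
    return None


def tracking_permitted(headers: Dict[str, str],
                       first_party: str,
                       third_party: str,
                       policy: RegionalPolicy,
                       consents: Set[PartyPair]) -> bool:
    """Decide whether third_party may track this request made to first_party.

    consents holds the (first_party, third_party) pairs for which the user
    has granted a site-specific exception, i.e. has "opted back in".
    """
    signal = parse_dnt(headers)
    if signal is None:
        signal = policy.absent_means            # (A): regional default

    pair_consent = (first_party, third_party) in consents
    is_first_party = first_party == third_party

    if signal == "1":
        # (B)/(C): explicit DNT. Only a per-site exception, or the first
        # party itself where the regime exempts it, may still track.
        return pair_consent or (is_first_party and policy.first_party_exempt)

    # signal == "0": a global opt-in, which some EU regimes do not accept.
    if policy.needs_site_specific_consent:
        return pair_consent
    return True
```

Running the two policies side by side makes Aleecia's point in (B) concrete: under the EU encoding every branch ends at the per-pair consent check, so the site-specific exceptions list is the only thing that can ever authorise tracking there, whereas under the US encoding it only matters once an explicit "DNT: 1" has been received.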

Received on Wednesday, 25 January 2012 09:46:11 UTC