- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 06 Jun 2012 17:06:37 +0200
- To: public-tracking@w3.org
- Cc: Ninja Marnau <nmarnau@datenschutzzentrum.de>
Ninja, ad hoc advertisement auctions would be impossible under the rules you describe here. This means the DPAs consider a multi-billion dollar industry illegal. This is exactly the kind of gap between the real world and the data protection system that makes things so difficult. To remedy the situation, I suggested to have transitive permissions. The price to pay is that the first data controller using the transitive permission to hand data to sub-data controllers would be liable for his/her choice. To complete ACTION-174, I would like you to also inquire about the possibility that such a system of transitive permissions is acceptable. Can you ask back inside the DPA system? Rigo On Wednesday 06 June 2012 15:20:45 Ninja Marnau wrote: > There has been a long discussion on the explicit/explicit > exception pairs. It kind of bogged down some weeks ago. > > I want to further motivate that we keep at least the option of a > non-"*" exception in the spec. I will list the reasons that I > already mentioned in DC but did not write down. Some of these > arguments were already made in the related discussions referred > below. > > 1) Liability: > A site-wide exception requested by the provider can be translated > to (I am quoting Ian here): "I ask you to trust me to pick > reputable third parties." > The issue here is that this blanket exception request creates > under several legislations an (additional) unintentional > liability of the first party for its third parties. Although > under the EU Directive 95/46 the first party (data controller) > already is responsible for its data processors' behaviour, it is > generally not responsible for third parties who are data > controllers themselves. Outside the EU there may be no liability > for third parties without site-wide exceptions in the beginning. > But this changes when the first party steps up and asks the user > to trust its choice of third parties without giving further > information on who will be responsible. If a (to the user > unknown) third party misuses the data, the user may sue the first > party (if she can track the misuse back to a specific first > party), which then may have to prove to chose and control its > third parties with special diligence ("reputable" for sure is not > sufficient in Germany at least). > > 2)Informed consent: > Consent may be site wide, but to be considered "informed", the > user must be able to gain knowledge about the third parties that > are considered data controllers (collect and process data on > their own behalf). These data controllers are legally responsible > in the EU. Therefore, the user needs to be able to determine who > they are (even outside the EU this is of importance for reasons > of litigation, objection, etc.) If we want the exceptions to at > least partly work as an opt-in according to the ePrivacy > Directive (only for third parties) transparency is necessary, > granularity in choice would be the most convinient way to > implement this in the DNT recommendation imho. > > > I went through all of these related threads. I apologise if I > missed some arguments. > > Action 172: Write up more detailed list of use cases for > origin/origin exceptions > http://www.w3.org/2011/tracking-protection/track/actions/172 > > The discussion thread on "explicit-explicit exception pairs" > http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0196.h > tml > > ISSUE-129: User-granted Exceptions a) Site-wide Exceptions > (mysite, any-third party) > http://www.w3.org/2011/tracking-protection/track/issues/129 > > ISSUE-147: Transporting Consent via the Exception / DNT mechanisms > http://www.w3.org/2011/tracking-protection/track/issues/147 > > Ninja
Received on Wednesday, 6 June 2012 15:07:05 UTC