Re: ACTION-174: Write up implication of origin/* exceptions in EU context

Thanks for that - however, relying on legally non-binding opinions of Art. 29 that often are not followed by the very DPAs that sit in Art. 29 might not be very solid as a working assumption.
And, with due respect, I disagree with the opinion in the first place.

Agree with Rigo that we should move towards pragmatic solutions. And apologies to the group for the European debate we are having.

Kind regards,

----- Reply message -----
From: "Ninja Marnau" <>
To: "Kimon Zorbas" <>
Cc: "<> (" <>
Subject: ACTION-174: Write up implication of origin/* exceptions in EU context
Date: Wed, Jun 6, 2012 5:49 pm

Kimon, the WG decided at a very early point that first parties are not
in the same way restricted as third parties are by the DNT compliance
spec. The ePrivacy Directive does not make a difference between site
owners and third party content. Though the Directive needs to be
transposed into national law, the wording leaves no leeway for
interpretation on e.g. cookie-based tracking for targeted ads (Rob
already pointed that out). Therefore, we have at least some common
ground for evaluating DNT.

I know that the working group does not address a specific national or
regional legislation. But what is up to the WG is whether we find a
consensus specification that will meet the requirements of a consensus
mechanism for third parties that could work in Europe (I again refer to
what Rob wrote here). If not, DNT won't be supported by European authorities.

In what way DNT has an impact on the European Privacy Seal will depend
on final details on the spec and the evaluation of DNT by the Art. 29 WP
and my colleagues from EuroPriSe. If the recommendation fails to meet
the legal requirements in Europe by far, it will probably get ignored.

Best regards,

On 06.06.2012 17:07, Kimon Zorbas wrote:
> Hi Ninja,
> The E-Privacy Directive is not directly applicable and it depends how
> the EU Member States have transposed this point. I also cannot see that
> there is a difference between first and third parties in the Directive
> (or in the national transpositions we have seen).
> Do you believe that DNT should be a compliance instrument for the
> E-Privacy Directive? And how does DNT work together with the privacy
> seal ULD grants?
> Kind regards,
> Kimon
> Kimon Zorbas
> Vice President IAB Europe
> IAB Europe - The Egg – Rue Barastraat 175 – 1070 Brussels - Belgium
> Phone +32 (0)2 5265 568
> Mob +32 494 34 91 68
> Fax +32 2 526 55 60
> Twitter: @kimon_zorbas
> ----- Reply message -----
> From: "Ninja Marnau" <>
> To: "<> ("
> <>
> Subject: ACTION-174: Write up implication of origin/* exceptions in EU
> context
> Date: Wed, Jun 6, 2012 3:20 pm
> There has been a long discussion on the explicit/explicit exception
> pairs. It kind of bogged down some weeks ago.
> I want to further motivate that we keep at least the option of a non-"*"
> exception in the spec. I will list the reasons that I already mentioned
> in DC but did not write down. Some of these arguments were already made
> in the related discussions referred below.
> 1) Liability:
> A site-wide exception requested by the provider can be translated to (I
> am quoting Ian here): "I ask you to trust me to pick reputable third
> parties."
> The issue here is that this blanket exception request creates under
> several legislations an (additional) unintentional liability of the
> first party for its third parties. Although under the EU Directive 95/46
> the first party (data controller) already is responsible for its data
> processors' behaviour, it is generally not responsible for third parties
> who are data controllers themselves. Outside the EU there may be no
> liability for third parties without site-wide exceptions in the
> beginning. But this changes when the first party steps up and asks the
> user to trust its choice of third parties without giving further
> information on who will be responsible. If a (to the user unknown) third
> party misuses the data, the user may sue the first party (if she can
> track the misuse back to a specific first party), which then may have to
> prove to choose and control its third parties with special diligence
> ("reputable" for sure is not sufficient in Germany at least).
> 2) Informed consent:
> Consent may be site wide, but to be considered "informed", the user must
> be able to gain knowledge about the third parties that are considered
> data controllers (collect and process data on their own behalf). These
> data controllers are legally responsible in the EU. Therefore, the user
> needs to be able to determine who they are (even outside the EU this is
> of importance for reasons of litigation, objection, etc.)
> If we want the exceptions to at least partly work as an opt-in according
> to the ePrivacy Directive (only for third parties) transparency is
> necessary, granularity in choice would be the most convenient way to
> implement this in the DNT recommendation imho.
> I went through all of these related threads. I apologise if I missed
> some arguments.
> Action 172: Write up more detailed list of use cases for origin/origin
> exceptions
> The discussion thread on "explicit-explicit exception pairs"
> ISSUE-129: User-granted Exceptions a) Site-wide Exceptions (mysite,
> any-third party)
> ISSUE-147: Transporting Consent via the Exception / DNT mechanisms
> Ninja
> --
> Ninja Marnau
> mail: -
> Phone: +49 431/988-1285, Fax +49 431/988-1223
> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
> Independent Centre for Privacy Protection Schleswig-Holstein


Ninja Marnau
mail: -
Phone: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein

Received on Wednesday, 6 June 2012 16:56:33 UTC