- From: イアンフェッティ <ifette@google.com>
- Date: Thu, 14 Jun 2012 11:39:26 -0700
- To: Kimon Zorbas <vp@iabeurope.eu>
- Cc: "rob@blaeu.com" <rob@blaeu.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <CAF4kx8dOqqO5TqR++rLgJsaf5UHRooJTY1u5z-OM+PBuK5vg3Q@mail.gmail.com>
FYI apologies if I appear to have gone down a rathole. It just seems this topic comes up frequently in one form or another and I wanted to just have a frank, direct discussion so that I understood what certain people were asking for, as opposed to trying to divine it from various arguments scattered across multiple email threads. On Thursday, June 14, 2012, Kimon Zorbas wrote: > Rob, colleagues, > > I am sorry, but I have serious problems with the way this group works > and operates. I do not believe that we need to delve into (European) legal > discussion and would appreciate if we could conclude in Seattle for once > and forever about the role of Article 29 WP. > > Rob, you are pushing so hard for the acceptance of Article 29 WP opinion > as the word of God on data protection issues (and others also, to be fair) > and I don't understand what you are trying to achieve with this. > We may like what Article 29 WP says or not, but FACT is that it is JUST an > opinion. It is not the law. And, frankly the UK, one of the most engaged EU > Member States, is not following the supposed 'baseline'. > > Kind regards, > Kimon > > > From: Rob van Eijk <rob@blaeu.com <javascript:_e({}, 'cvml', > 'rob@blaeu.com');>> > Reply-To: "rob@blaeu.com <javascript:_e({}, 'cvml', 'rob@blaeu.com');>" < > rob@blaeu.com <javascript:_e({}, 'cvml', 'rob@blaeu.com');>> > Date: Thursday 14 June 2012 20:07 > To: "Vinay Goel (Adobe)" <vigoel@adobe.com <javascript:_e({}, 'cvml', > 'vigoel@adobe.com');>>, "public-tracking@w3.org <javascript:_e({}, > 'cvml', 'public-tracking@w3.org');>" <public-tracking@w3.org<javascript:_e({}, 'cvml', 'public-tracking@w3.org');> > > > Subject: Re: Examples of successful opt-in implementations > Resent-From: <public-tracking@w3.org <javascript:_e({}, 'cvml', > 'public-tracking@w3.org');>> > Resent-Date: Thursday 14 June 2012 20:08 > > Hi Vinay, > > Thanks for the rapid respons. I see you are addressing three things. The > opinion, the mind model > and the scope. > > First the opinion: I argue that the opinion isn't just an opinion. It is > a common baseline, expressed > by the dpa's who will enforce the legal framework. That expression is, > in the light of differences > in national implementations, not to be taken lightly. The common > baseline expresses what all dpa's > see as a reasonable and defendable position that doesn't conflict with > national laws. You can see > clearly in the case of the first party analytics, how far the consensus > went. > > p. 10: "However, the Working Party considers that first party analytics > cookies are not likely to > create a privacy risk when they are strictly limited to first party > aggregated statistical purposes > and when they are used by websites that already provide clear > information about these > cookies in their privacy policy as well as adequate privacy safeguards. > Such safeguards are > expected to include a user friendly mechanism to opt-out from any data > collection and > comprehensive anonymization mechanisms that are applied to other > collected identifiable > information such as IP addresses." > > This means that not all dpa's were able to see first party analytics as > functional with respect > of the national implementations. > > An important function of the opinion is to give advice to the European > legislator. That is why > on the next page we included an advise. > > p. 11: "In this regard, should article 5.3 of the Directive 2002/58/EC > be re-visited in the future, the > European legislator might appropriately add a third exemption criterion > to consent for cookies > that are strictly limited to first party anonymized and aggregated > statistical purposes. > First party analytics should be clearly distinguished from third party > analytics, which use a > common third party cookie to collect navigation information related to > users across distinct > websites, and which pose a substantially greater risk to privacy." > > Second, the mind model applied to first-party analytics: in most > countries you wouln't > need to call for an exception. As explained above, getting first-party > analytics into the > category of functional cookies in all jurisdictions just wasn't possible. > > Third, the scope: no, I am not arguing for a scope increase. Getting a > standard to Last Call > with the scope as it is, is already a difficult task. What I ask for, is > to have the usefulness > of the re-usable technical building blocks in the back of our minds > while creating a meaningful > standard. The scope is what it is. > > mvg::Rob > > On 14-6-2012 19:07, Vinay Goel wrote: > > Hi Rob, > > Hoping you can help me understand your mind model since applying it is > complex given the very different approaches to ePrivacy compliance across > the member states. Different markets are defining what a 'functional > cookie' is differently. And, I know you shared the Working Party's > opinion; but its just that -- an opinion by the Working Party, not > specific law or guidance from a DPA. > > Assuming you take the Working Party's opinion that first-party site > analytics is not a strictly necessary function, is your mind model > suggesting that the first party needs to use the DNT exception mechanism > or well-known URL in order to use the data for users that have DNT:1 for > first-party analytics? If so, isn't that an increase in the scope (where > you say "I am also not arguing that first parties must be subject to DNT")? > > Thanks in advance. > > -Vinay > > > >
Received on Thursday, 14 June 2012 18:39:58 UTC