- From: Tamir Israel <tisrael@cippic.ca>
- Date: Thu, 14 Jun 2012 22:56:23 -0400
- To: Kimon Zorbas <vp@iabeurope.eu>
- CC: "rob@blaeu.com" <rob@blaeu.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <4FDAA457.8090800@cippic.ca>
Hi Kimon,

Ok. I would simply reiterate that I think it's a good idea to at least try and create a mechanism that will take care of as many regulatory problems as possible. I also feel legal regimes, opinions and requirements are a good touchstone to social norms and that this should guide the process.

But I'm a lawyer and every problem looks like a regulatory problem to me :P

Best,
Tamir

On 6/14/2012 4:00 PM, Kimon Zorbas wrote:
> Tamir,
>
> don't get me wrong: I always believe every well-intended idea is worth
> discussing and be given room for presentation. And we should certainly
> find room discussing this in Seattle. (We actually had a great
> discussion with our members and Rigo on this a couple of days ago).
>
> However, the real question is: are we trying to agree on a legal
> compliance instrument (for Europe)? Or are we trying to agree on a
> technical standard (that could be supported by the entire ecosystem
> and self-regulation initiatives)?
> We support the latter. How a standard then fits with law and can be
> supplemented by self-regulatory instruments is the next step – but am
> not sure this is part of the job of W3C. But maybe I got W3C's mission
> wrong.
>
> Kimon
>
> From: Tamir Israel <tisrael@cippic.ca>
> Date: Thursday 14 June 2012 21:14
> To: Kimon Zorbas <vp@iabeurope.eu>
> Cc: "rob@blaeu.com" <rob@blaeu.com>, "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
> Subject: Re: Examples of successful opt-in implementations
> Resent-From: Nicholas Doty <npdoty@w3.org>
> Resent-Date: Thursday 14 June 2012 21:34
>
> Hi Kimon -- not to wade too deeply into choppy EU waters, but even if
> we do not take Art29WP outputs as 'fact', certainly you do not
> advocate that we ignore them altogether?
>
> At least in the short term, I'd argue there's a high probability that
> at least some EU jurisdictions end up deploying as the WP suggests. In
> the long term, the UK might get taken to task on its regime.
>
> So I don't think it hurts to try and get an understanding of what Rob
> and his colleagues have in mind, even if we do not treat this as
> definitive.
>
> I certainly would find it useful to understand what an 'ideal' (from
> the Art29WP perspective) explicit consent mechanism might look like.
>
> Best,
> Tamir
>
> On 6/14/2012 2:33 PM, Kimon Zorbas wrote:
>> Rob, colleagues,
>>
>> I am sorry, but I have serious problems with the way this group works
>> and operates. I do not believe that we need to delve into (European)
>> legal discussion and would appreciate if we could conclude in Seattle
>> for once and forever about the role of Article 29 WP.
>>
>> Rob, you are pushing so hard for the acceptance of Article 29 WP
>> opinion as the word of God on data protection issues (and others
>> also, to be fair) and I don't understand what you are trying to
>> achieve with this.
>> We may like what Article 29 WP says or not, but FACT is that it is
>> JUST an opinion. It is not the law. And, frankly the UK, one of the
>> most engaged EU Member States, is not following the supposed 'baseline'.
>>
>> Kind regards,
>> Kimon
>>
>> From: Rob van Eijk <rob@blaeu.com>
>> Reply-To: "rob@blaeu.com" <rob@blaeu.com>
>> Date: Thursday 14 June 2012 20:07
>> To: "Vinay Goel (Adobe)" <vigoel@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
>> Subject: Re: Examples of successful opt-in implementations
>> Resent-From: <public-tracking@w3.org>
>> Resent-Date: Thursday 14 June 2012 20:08
>>
>> Hi Vinay,
>>
>> Thanks for the rapid response. I see you are addressing three things.
>> The opinion, the mind model and the scope.
>>
>> First the opinion: I argue that the opinion isn't just an opinion. It
>> is a common baseline, expressed by the dpa's who will enforce the
>> legal framework. That expression is, in the light of differences in
>> national implementations, not to be taken lightly. The common
>> baseline expresses what all dpa's see as a reasonable and defendable
>> position that doesn't conflict with national laws. You can see
>> clearly in the case of the first party analytics, how far the
>> consensus went.
>>
>> p. 10: "However, the Working Party considers that first party
>> analytics cookies are not likely to create a privacy risk when they
>> are strictly limited to first party aggregated statistical purposes
>> and when they are used by websites that already provide clear
>> information about these cookies in their privacy policy as well as
>> adequate privacy safeguards. Such safeguards are expected to include
>> a user friendly mechanism to opt-out from any data collection and
>> comprehensive anonymization mechanisms that are applied to other
>> collected identifiable information such as IP addresses."
>>
>> This means that not all dpa's were able to see first party analytics
>> as functional with respect of the national implementations.
>>
>> An important function of the opinion is to give advice to the
>> European legislator. That is why on the next page we included advice.
>>
>> p. 11: "In this regard, should article 5.3 of the Directive
>> 2002/58/EC be re-visited in the future, the European legislator might
>> appropriately add a third exemption criterion to consent for cookies
>> that are strictly limited to first party anonymized and aggregated
>> statistical purposes.
>> First party analytics should be clearly distinguished from third
>> party analytics, which use a common third party cookie to collect
>> navigation information related to users across distinct websites, and
>> which pose a substantially greater risk to privacy."
>>
>> Second, the mind model applied to first-party analytics: in most
>> countries you wouldn't need to call for an exception. As explained
>> above, getting first-party analytics into the category of functional
>> cookies in all jurisdictions just wasn't possible.
>>
>> Third, the scope: no, I am not arguing for a scope increase. Getting
>> a standard to Last Call with the scope as it is, is already a
>> difficult task. What I ask for, is to have the usefulness of the
>> re-usable technical building blocks in the back of our minds while
>> creating a meaningful standard. The scope is what it is.
>>
>> mvg::Rob
>>
>> On 14-6-2012 19:07, Vinay Goel wrote:
>>> Hi Rob,
>>>
>>> Hoping you can help me understand your mind model since applying it
>>> is complex given the very different approaches to ePrivacy
>>> compliance across the member states. Different markets are defining
>>> what a 'functional cookie' is differently. And, I know you shared
>>> the Working Party's opinion; but it's just that -- an opinion by the
>>> Working Party, not specific law or guidance from a DPA.
>>>
>>> Assuming you take the Working Party's opinion that first-party site
>>> analytics is not a strictly necessary function, is your mind model
>>> suggesting that the first party needs to use the DNT exception
>>> mechanism or well-known URL in order to use the data for users that
>>> have DNT:1 for first-party analytics? If so, isn't that an increase
>>> in the scope (where you say "I am also not arguing that first
>>> parties must be subject to DNT")?
>>>
>>> Thanks in advance.
>>>
>>> -Vinay

Received on Friday, 15 June 2012 02:57:08 UTC