Rigo, It's not just retention, but also purpose is a defining factor (e.g. for enforcement purposes, IP address can be seen as PII / personal data in some countries). Than we have anonymisation, pseudonymisation, which make it (unfortunately) very complex in dealing with a simple question (is an IP address personal data or not?). Again, in my view, designing DNT as a compliance instrument will be very challenging. Kind regards, Kimon ----- Reply message ----- From: "Rigo Wenning" <rigo@w3.org> To: "public-tracking@w3.org" <public-tracking@w3.org> Cc: "Alan Chapell" <achapell@chapellassociates.com>, "Jeffrey Chester" <jeff@democraticmedia.org>, "Roy T. Fielding" <fielding@gbiv.com>, "Jonathan Mayer" <jmayer@stanford.edu> Subject: Towards a Grand Compromise Date: Mon, Jun 18, 2012 3:47 pm On Monday 18 June 2012 08:28:58 Alan Chapell wrote: > How would you suggest we define define personally identifiable? Whereas 26 of Directive 95/46EC is pretty established as a definition and working pretty well. http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML The only serious hickup is to accept or not accept whether IP addresses are personally identifiable. But we can write our assumption about IP addresses into the Specification and allow/disallow without deciding whether IP addresses are personally identifiable (in fact some are and some are not). As one has to process IP addresses on the Internet anyway, all IP address discussion will result in a discussion on retention times. We have that anyway. Rigo
Received on Monday, 18 June 2012 14:03:57 UTC