Re: Towards a Grand Compromise

Rigo,

It's not just retention, but also purpose is a defining factor (e.g. for enforcement purposes, IP address can be seen as PII / personal data in some countries).
Than we have anonymisation, pseudonymisation, which make it (unfortunately) very complex in dealing with a simple question (is an IP address personal data or not?).

Again, in my view, designing DNT as a compliance instrument will be very challenging.

Kind regards,
Kimon

----- Reply message -----
From: "Rigo Wenning" <rigo@w3.org>
To: "public-tracking@w3.org" <public-tracking@w3.org>
Cc: "Alan Chapell" <achapell@chapellassociates.com>, "Jeffrey Chester" <jeff@democraticmedia.org>, "Roy T. Fielding" <fielding@gbiv.com>, "Jonathan Mayer" <jmayer@stanford.edu>
Subject: Towards a Grand Compromise
Date: Mon, Jun 18, 2012 3:47 pm



On Monday 18 June 2012 08:28:58 Alan Chapell wrote:
> How would you suggest we define define personally identifiable?

Whereas 26 of Directive 95/46EC is pretty established as a
definition and working pretty well.
http://eur-
lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML


The only serious hickup is to accept or not accept whether IP
addresses are personally identifiable. But we can write our
assumption about IP addresses into the Specification and
allow/disallow without deciding whether IP addresses are personally
identifiable (in fact some are and some are not). As one has to
process IP addresses on the Internet anyway, all IP address
discussion will result in a discussion on retention times. We have
that anyway.

Rigo

Received on Monday, 18 June 2012 14:03:57 UTC