- From: Rigo Wenning <rigo@w3.org>
- Date: Thu, 15 Mar 2012 17:29:28 +0100
- To: public-tracking@w3.org
- Cc: Sean Harvey <sharvey@google.com>, Jonathan Mayer <jmayer@stanford.edu>

On Wednesday 14 March 2012 00:13:47 Sean Harvey wrote:
> Easy discoverability was the main
> issue to my knowledge.

In this case, look at the P3P 1.1 protocol that defined exactly this.
http://www.w3.org/TR/P3P11/#oho
I think this part of the P3P 1.1 Specification is from Matthias and Jack Humphrey.

In this case, we would not make a definition, but a file-format to allow for assertions. As assertions can be wrong and as voluntarily wrong assertions are called lies, there is some vulnerability involved in that approach. It also makes the system heavier, because we need yet more round trips.

Coming from P3P, I guess the best we could do is a response header where a party asserts what it believes it is. And leave the definition of "same legal entity" to the legal system. Because I don't know if "affiliate" is the right term as it extends to all contractual relationships.

This would also do partly the trick of harmonization EU/US required by Chris, as the quality of data controller is "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;"

This concept is somewhat debated at the moment in the EU because every one of us is a data controller to a certain extent because we have to deal with personal data of others all the time. And this puts too much burden on ordinary people. But for what we try to define here, I think legally, it does the trick.

For transatlantic reasons, I would not copy the EU definition, but rather define the first party to be "the legal entity" having factual control over the service the user believes she is interacting with. As Amy said in Brussels, and I confirm, lawyers have a pretty precise idea about what is still the same person (legal or natural) and what is not. Re-inventing it is a bit too much IMHO.

Note that this also may contain naughty surprises for advertisers as managers love to outsource and buy-back-in all kinds of parts of companies. And that can be a stepping stone, because the front-ends won't change operations. But I confess that I haven't read the paper from Jonathan and Tom yet, so we may need additional safeguards.

The legal entity approach fails somewhat for super-mega-large companies and governments. As one government is one legal entity. Again, we do not have to re-invent data protection here, but I have to take the time to read Jonathan's and Tom's paper. URI?

Best,
Rigo

Received on Thursday, 15 March 2012 16:29:59 UTC