RE: Proposals for Compliance issue clean up

Walter,

There is a distinction in EU law (ePrivacy Directive) where those elements necessary to provide the service requested by the user are available without consent ('strictly necessary') - this, in many DPA eyes, leans towards a 1st party / 3rd party distinction (albeit, not a clean one).  The ePrivacy Directive saga is still being written so it's difficult for anyone to presume a detailed legal position at this time so I would respectfully ask all of us to stop trying.  When you have jurisprudence and actual court cases that has survived the highest levels of the US Court of Justice, then we'll have something to discuss.

With respect to the distinction between 1st party and 3rd party, this is a mostly settled item (except for an interesting hiccup in Amsterdam - that I would recommend we manage separately...if at all).  The Working Group has initially agreed there is a meaningful distinction between a user who directly interacts with a known party (1st party) and one they may not be aware of (3rd party).  In the former case, if the user doesn't feel comfortable with the data practices of that particular web site, they need not visit it (may be slightly different for government web sites).  In the latter case, the user is not able to easily determine which 3rd parties are present and what each of their data practices are, so it was felt a tool like Do Not Track would appropriately provide users a level of control in this situation while still allowing the minimum necessary elements of the Internet to continue to work as intended.

Please remember this is a voluntary standard.  If we overly apply EU concepts in the standard, then non-EU companies may be less apt to adopt the standard.  So you'd be able to claim a victory in developing a standard, but you'd fail on gaining any adoption (worse outcome than P3P).  It's important to note that DNT is not necessary to comply with the ePrivacy Directive BUT it could be a useful tool depending on the approach taken.

Thank you,
Shane

-----Original Message-----
From: Walter van Holst [mailto:walter.van.holst@xs4all.nl] 
Sent: Saturday, November 10, 2012 8:51 AM
To: public-tracking@w3.org
Subject: RE: Proposals for Compliance issue clean up

On 2012-11-10 17:40, Mike O'Neill wrote:
> My opinion is that there should be no difference in the compliance 
> spec between 1st and 3rd parties, the DNT:1 signal should mean UUIDs 
> must not be allocated or used without consent, and we should put more 
> effort in designing an effective and transparent exception protocol.
> As has been pointed out many times this distinction cannot apply in 
> Europe anyway. The reason most of us are here is to respond to 
> people’s unease about privacy and loss of trust in the web, and we 
> should primarily address that.

May I also add that the technical reality is also that the UA intereacts through HTTP with both 1st and 3rd parties as if they are all 1st parties. So both at the technical level as within the European legal context, this distinction is not particularly helpful.

Not all is lost though, I think the discussions about Same-Party as a result of the 1st and 3rd party distinction have been helpful and the mechanism proposed is a good start to ensure accountability.

Regards,

  Walter

Received on Monday, 12 November 2012 04:17:35 UTC