Re: Proposals for Compliance issue clean up

On 11/12/12 5:16 AM, Shane Wiley wrote:

> There is a distinction in EU law (ePrivacy Directive) where those
> elements necessary to provide the service requested by the user are
> available without consent ('strictly necessary') - this, in many DPA
> eyes, leans towards a 1st party / 3rd party distinction (albeit, not
> a clean one). 

Dear Shane,

You're referring to the ePrivacy directive as if it is the only source.
It is merely a reiteration (and a flawed one at that) of the Data
Protection Directive which recognises that data processing can take place
without consent of the data subject (user). This bears no relevance
whatsoever on 1st/3rd party distinctions. Quite the opposite, the Data
Protection Directive has a controller/processor model which in DNT terms
translates to 1st party/same party. And in which DNT automatically
applies to 1st parties.

I hope your extensive interpretation of the ePrivacy directive has not
been provided to you by any professional lawyer because if that is the
case you may have a quality assurance problem there.

> The ePrivacy Directive saga is still being written so
> it's difficult for anyone to presume a detailed legal position at
> this time so I would respectfully ask all of us to stop trying.  When
> you have jurisprudence and actual court cases that has survived the
> highest levels of the US Court of Justice, then we'll have something
> to discuss.

The controller/processor model has been tested in EU courts until the
highest level (European Court of Justice in Luxembourg). There is no
such thing as 3rd party in EU jurisdictions.

For pragmatic reasons I am willing to go along with the 1st/3rd party
distinction. That will not prevent me or others from pointing out where
its consequences become unworkable. Redirects are just one example of that.

> outcome than P3P).  It's important to note that DNT is not necessary
> to comply with the ePrivacy Directive BUT it could be a useful tool
> depending on the approach taken.

My view is that a DNT standard should be flexible enough that it can be
applied in compliance with the Data Protection Directive (and by
extension the ePrivacy Directive _and_ Safe Harbor) but also that it
makes sense in a jurisdiction in which the primary recourse of users
will be consumer law. For that reason alone I would consider it unwise
to use DNT as a vehicle to export EU privacy laws to other jurisdictions
because it uses fundamentally different mechanisms than consumer law.

So the bottom line is: do we make sense, technically, commercially and
legally? The answer is: not always and we should fix that.

Regards,

Walter

Received on Monday, 12 November 2012 09:34:54 UTC