W3C home > Mailing lists > Public > public-tracking@w3.org > November 2012

RE: Proposals for Compliance issue clean up

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Tue, 13 Nov 2012 12:44:57 -0800
To: Walter van Holst <walter.van.holst@xs4all.nl>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8027484D7DA7E@SP2-EX07VS02.ds.corp.yahoo.com>

I was referring to ePrivacy in this context as we were speaking to 'consent' and it felt most applicable based on your reference.  I agree the DPD treats any data collector outside of a service provider (data processor) the same regardless of party position (data controller) but we've already covered that ground as a working group so I thought you were moving with the discussion.  If this is an attempt to move the strict data controller perspective into the DNT standard, I believe you'd understand why many in the group would push back on that position.  It is an important detail for EU implementations though, hence the creation of the Global Considerations document.

- Shane 

-----Original Message-----
From: Walter van Holst [mailto:walter.van.holst@xs4all.nl] 
Sent: Monday, November 12, 2012 2:34 AM
To: public-tracking@w3.org
Subject: Re: Proposals for Compliance issue clean up

On 11/12/12 5:16 AM, Shane Wiley wrote:

> There is a distinction in EU law (ePrivacy Directive) where those 
> elements necessary to provide the service requested by the user are 
> available without consent ('strictly necessary') - this, in many DPA 
> eyes, leans towards a 1st party / 3rd party distinction (albeit, not a 
> clean one).

Dear Shane,

You're referring to the ePrivacy directive as if it is the only source.
It is merely a reiteration (and a flawed one at that) of the Data Protection Directive wich recognises that data processing can take place without consent of the data subject (user). This bears no relevance whatsoever on 1st/3rd party distinctions. Quite the opposite, the Data Protection Directive has a controller/processor model which in DNT terms translates to 1st party/same party. And in which DNT automatically applies to 1st parties.

I hope your extensive interpretation of the ePrivacy directive has not been provided to you by any professional lawyer because if that is the case you may have a quality assurance problem there.

 The ePrivacy Directive saga is still being written so
> it's difficult for anyone to presume a detailed legal position at this 
> time so I would respectfully ask all of us to stop trying.  When you 
> have jurisprudence and actual court cases that has survived the 
> highest levels of the US Court of Justice, then we'll have something 
> to discuss.

The controller/processor model has been tested in EU courts until the highest level (European Court of Justice in Luxembourg). There is no such thing as 3rd party in EU jurisdictions.

For pragmatic reasons I am willing to go along with the 1st/3rd party distinction. That will not prevent me or others from pointing out where its consequences become unworkable. Redirects are just one example of that.

> outcome than P3P).  It's important to note that DNT is not necessary 
> to comply with the ePrivacy Directive BUT it could be a useful tool 
> depending on the approach taken.

My view is that a DNT standard should be flexible enough that it can be applied in compliance with the Data Protection Directive (and by extension the ePrivacy Directive _and_ Safe Harbor) but also that it makes sense in a jurisdiction in which the primary recourse of users will be consumer law. For that reason alone I would consider it unwise to use DNT as a vehicle to export EU privacy laws to other jurisdictions because it uses fundamentally different mechanisms than consumer law.

So the bottom line is: do we make sense, technically, commercially and legally? The answer is: not always and we should fix that.



Received on Tuesday, 13 November 2012 20:45:42 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:00 UTC