Re: ACTION-255: Work on financial reporting text as alternative to legal requirements

Hi Rob - 

Thanks for providing the regulators' perspective. Some thoughts below...

On 10/2/12 4:42 AM, "Rob van Eijk" <> wrote:

>You wrote:
>>>> There are going to be legitimate exceptions for the use
>>>> of data. And each exception should be weighed on the merits -
>>>> benefit to creating the exception vs risks of keeping the
>>>> exception. My issue with your approach is that you aren't really
>>>> explaining what you think the harm is to allowing my specific
>>>> exception.
>Let me make the smoking gun more explicit: asking for motivated
>arguments to show harm does make sense. The logical fallacy however is
>that without proof of harm, the data collection would be a legitimate
>Although many arguments for permitted uses have been put forward by
>stakeholders to make clear that the collection of data is necessary, in
>the EU the need for data collection is not equal to legal compliance. A
>permitted use under DNT compliance will still have to pass the
>legal test, i.e. a business still needs a legal ground for the
>collection of the data, for example consent (Directive 7a), contract
>(Directive 7b) or legitimate business interest (Directive 7f).
>Since a permitted use bypasses the consent of the user, the legal
>ground for legitimate business interest is interesting to look at in
>detail. This legal ground balances the need for collection by a business
>with the impact on the privacy for a user. In other words, the motivated
>argument would have to balance A. proportionality of the data collection
>(how big is your gun, why is it necessary) in combination with
>subsidiarity (what are the privacy friendly alternatives) against C. the
>impact of the collection of data on the privacy of the user.

Perhaps I'm being an optimist, but I think we're saying very similar
things here. I think there should be a balance as well. What I haven't
heard from Rigo or others, is the impact on the User privacy side of the

And there's a broader point I'm trying to make - perhaps not clearly
enough previously. The PMCPA has a set of requirements designed to
regulate the pharmaceutical industry. Are they legitimate? Honestly, I
have no idea. But I'm pretty sure that the PMCPA believes they are
legitimate and intends to enforce them. Unfortunately, the PMCPA is not at
the table at W3C. As someone who works with companies who will attempt to
meet the standards we create here, we don't have the luxury of simply
ignoring the PMCPA code. In other words, by agreeing to comply with this
set of standards without some flexibility, I place my clients in an
absolutely unwinnable position. That would seem to be something that we
should want to address. And the PMCPA is only one example: Kathy Joe has
offered some re: research. And from my perspective, I fear that there are

>Since Rigo addressed the history of privacy in this discussion, I would
>like to add 2 cents. The latter, the impact of the collection of data on
>the privacy of the user may be seen as the US-concept of harm, but in
>the EU it stems from article 8 of the European Convention on Human
>Rights and article 17 of the International Covenant on Civil and
>Political rights. Obligations with regard to the protection of personal
>data also follow from the OECD Guidelines on the Protection of Privacy
>and Transborder Flows of Personal Data (1980) and the UN Guidelines
>concerning computerized personal data files (1990).

This is a great point. However, this also seems like an argument in favor
of bifurcating compliance for each jurisdiction.

>Alan Chapell schreef op 2012-10-02 01:49:
>> The only thing you and I agree upon here is that you can't provide the
>> smoking gun. (:
>> More below...
>> On 10/1/12 7:01 PM, "Rigo Wenning" <> wrote:
>>>On Monday 01 October 2012 16:51:45 Alan Chapell wrote:
>>>> I appreciate your taking the time - and the willingness to engage
>>>> in dialog. However, you really did not directly answer my
>>>> questions. You are providing high level examples of privacy
>>>> issues - most of which will not be addressed by DNT unless we
>>>> radically change our approach.
>>>If DNT would not address some of those issues, you wouldn't see me
>>>engaged. :)
>>>But this IMHO. I also know that I can't provide the
>>>smoking gun. I guess, Ninja and Rob could. W3C as a community is a
>>>pretty good indication whether something is going on. People are
>>>afraid. This can kill the entire market. That's why we are
>>>discussing here.
>>>more inline
>>>> On 10/1/12 4:27 PM, "Rigo Wenning" <> wrote:
>>>> >blocking tools. I can show you how easy it is. If this is still
>>>> >an issue in 5 years, this may even be more damaging to the
>>>> >industry than DNT ever could be.
>>>> How is DNT going to stop this practice? If I'm buying my tickets
>>>> via, Delta is a 1st party and would not be subject to a
>>>> DNT signal for these purposes.
>>>Oh, Airline XYZ can only do so because they have bought the profile
>>>that tells them I can afford the higher price... - just as an
>>>example - That we do not address first parties is irrelevant for the
>>>EU and a sign of careful nudging of the US community.
>> In my experience, it would be unlikely (at best) that airline
>> would operate in the way that you're suggesting. We need to distinguish
>> what is POSSIBLE in theory from what is PRACTICAL. Going back to your
>> initial hypo:  you explained that a) you went to in the afternoon
>> and got one price and b) you re-visited that site later in the evening and
>> got a different price. And you believe that had purchased a
>> profile between your afternoon and evening visits to resulted in
>> your seat price increasing???? A MUCH more likely scenario is that the
>> airline has booked some additional seats on that flight and is now
>> charging more for each incremental seat. Or perhaps the airline just
>> charges more for flights at night than during the day.
>> So if this is your example of harm, you may want to keep looking (:
>>>> >2/ Democratic values
>>>> >In confirmation of Godwin's law let me tell you that I think that
>>>> >totalitarianism doesn't need computers. But it makes life easier
>>>> >for them. The concentration of high amounts of personal data in
>>>> >few hands is a risk in the power balance.
>>>> I agree - concentration of data in a small number of players is
>>>> problematic. How do you see DNT addressing this issue? In fact, I
>>>> think one can make a plausible argument that DNT will concentrate
>>>> data in a smaller number of entities. I believe that's a horrible
>>>> outcome that many in this group may be missing and/or choosing to
>>>> ignore.
>>>You fail to give an argument for your assertion. While one can make
>>>a plausible argument, you'll have to make that argument to
>>>contradict me. Why should the number of players be smaller if I can
>>>refuse collection? Note: a first party -by definition- can't collect
>>>cross site. Leaves you the 2-3 big fish. Those have a different
>>>incentive: They are targets.
>> If you put the third party intermediaries out of business - by definition
>> the marketplace will be smaller.
>>>> My point - There are going to be legitimate exceptions for the use
>>>> of data. And each exception should be weighed on the merits -
>>>> benefit to creating the exception vs risks of keeping the
>>>> exception. My issue with your approach is that you aren't really
>>>> explaining what you think the harm is to allowing my specific
>>>> exception.
>>>Because there is a fundamental transatlantic divide. We have that
>>>even internally. While the eastern part believes that the
>>>availability of organized personal data is very prone to abuse, the
>>>western part believes that it is all about use limitations. Give the
>>>data to the junkie but say: "do not use!". Some believe, some don't.
>>>Note that those legitimate exceptions are law in EU. Self regulation
>>>has to re-invent those. For the unregulated, this is a test whether
>>>we can find a reasonable compromise without the formal democratic
>> I have no idea what you mean here... But while we're on the subject of
>> providing arguments for your assertions, I'd invite you to provide a
>> specific argument of harm that addresses the request for exemptions. If
>> this is the best you can do, well...
>>>> >It is therefore essential that somebody can just indicate to the
>>>> >system not to be recorded. And that the system just does not
>>>> >record, or at least throws away after a very short time. So DNT
>>>> >is just a tiny tool, a little aspect in this overall picture.
>>>> >But it could be a useful tool. Now you may understand that
>>>> >recording the same information for accounting or PCMCP (a pure
>>>> >use limitation that is) is not sufficient for most people.
>>>> What are these people you cite? Are you representing the interests
>>>> of consumers in the same way that Jeff and John are?
>>>People just meant my grandma. I neither represent consumers nor
>>>industry nor W3C Team. Because the answers given here are not
>>>coordinated with the W3C Team. I'm just talking to you from my ivory
>>>tower of 15 years of privacy research. This is my second exercise
>>>after P3P, XACML privacy extensions and the like... But I see the
>>>polls that indicate that over 56% of Europeans erase _all_ their
>>>cookies at least once a month. 25% weekly (from the top of my head,
>>>search for eurobarometer).
>>>2002, the industry thought: "danger banned, no privacy provisions in
>>>the US, move on". And the browsers thought: "we manage cookies by
>>>blocking tools". Ten years after, we are back to the core semantic
>>>problem: "Can I trust your assertions?". What does that tell me?
>>>Everybody has to optimize in some direction. That's what this effort
>>>is all about. I have to optimize in the direction of excellence...
>>>And putting in question the bases of the effort for financial
>>>reporting is against my optimization target. And there, your wording
>>>was much better (and stronger) than mine.
>> Thank you. It's interesting that you reference P3P. Do you believe that P3P
>> was a success?

Received on Tuesday, 2 October 2012 14:27:05 UTC