- From: Kimon Zorbas <vp@iabeurope.eu>
- Date: Thu, 25 Oct 2012 22:45:32 +0000
- To: David Wainberg <david@networkadvertising.org>, Rigo Wenning <rigo@w3.org>
- CC: "public-tracking@w3.org" <public-tracking@w3.org>, Walter van Holst <walter.van.holst@xs4all.nl>
- Message-ID: <CCAF88F2.3F815%vp@iabeurope.eu>
Hi David,
not sure, how much DNT reflects EU style law: EU law regulates storing of data on a device (not technology neutral), DNT is about tracking (not sure what that is yet) and is (so far) technology neutral.
Rigo is trying to bridge both (a difficult task – and Rigo correct me if I got it wrong).
I think some of the confusion comes from different legal interpretations. The reality is that because of the very binary approach to data protection / privacy in Europe (only personal data is protected under the law – with exception of the cookies-related provisions; non-personal data is not regulated): Data Protection Authorities seek to increase privacy protection by interpreting many types of data as personal (e.g. IP addresses). Industry needs data to operate and more often than not has no intention to ever identify an individual with the data it processes (e.g. IP addresses), arguing (legally correct in my view) that such data is not personal. (NB: linking e.g. anonymous cookies data with personal information is not possible without consent or another legitimate interest, according to the law).
Thought that brief (and, I admit somehow superficial) but neutral explanation would add some clarity to the debates happening here and the differing views we sometimes see (e.g. I and Rob).
Whether we need different policy approaches is something that adds complexity and needs to be carefully considered in this group.
Hope that helps,
Kimon
From: David Wainberg <david@networkadvertising.org<mailto:david@networkadvertising.org>>
Date: Thursday 25 October 2012 22:29
To: Rigo Wenning <rigo@w3.org<mailto:rigo@w3.org>>
Cc: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>, Kimon Zorbas <vp@iabeurope.eu<mailto:vp@iabeurope.eu>>, Walter van Holst <walter.van.holst@xs4all.nl<mailto:walter.van.holst@xs4all.nl>>
Subject: Re: Proposed Text for Local Law and Public Purpose
Hi Rigo,
First, I do not disagree with taking EU concerns or needs into
consideration. Though I do think we've been confused about the extent
we're doing so, or what it means. Perhaps your Global Considerations
effort will clarify things.
However, the way I read Walter's statements, and, frankly, some
statements of others, is that he would use this W3C process to apply EU
style privacy regulation across the Internet, including in the US. This
is not the proper venue for that. In my view, there's little interest in
the US to have EU-style regulation, but even if there is, it is not for
this working group to provide it. As we're all aware, the U.S. has a
different approach to privacy regulation, as well as a very mature and
complementary self-regulatory program in the digital advertising
industry. We could have an interesting conversation about whether the US
approach or the EU approach is better, but we will never get an answer,
and it's irrelevant. The reality is that approaches to privacy vary
across jurisdictions, and we should honor that. We need a DNT policy
that fits well within existing frameworks in the jurisdictions where it
will be enforced.
-David
On 10/25/12 12:54 PM, Rigo Wenning wrote:
David,
I think Walter is an invited expert and offered his opinion on why
he thinks we should also take the EU system into account. I think
Walter gave a pretty accurate view on current EU feelings as I also
saw them in the hearing of the EU parliament on the new regulation.
There is much emphasis that privacy is a human right and that it
should not under all circumstances be trumped by commercial
considerations. I think you should read his statement like a report
rather than an opinion.
And his EU comments are important for me as I think that global
considerations are important. I think we are much closer to
usefulness of DNT in Europe than many believe. And this is a big
thing if you consider the current UK solution that is not as nice.
So killing the European solution for an alleged impossibility to
comply with MRC raises heat that we should take out again.
Note further that IMHO he is not threatening in any way. I was at
the OECD this week and last week. There are discussions about
transborder data flow and how to achieve that. Many OECD countries
have appropriate protections in place and now urge to create a level
playing field to avoid a race to the bottom. And there are serious
voices questioning the transborder data flow to countries not having
the right protection level. Again, this is rather a report. I do not
have the intention to say: "see you should do this or that". And I
see DNT as an opportunity. Because it can't be mandated by W3C
anyway it can only be an opportunity and never a threat. The threat
is elsewhere.
Apart from that I concur to Kimon. Measures are done anonymously and
this is part of the innovation challenge. Then outreach is out of
the way. This is why I talked about "transition". In the sixties we
had nice cars, but consumption was 7mpg. Now we still have nice cars
and consumption is 60mpg and they are even faster. Better outreach
measures with less personal data. We can talk about how far we get
with Version 1 if there is a will to innovate. But just saying: "DNT
will not change my business" would misunderstand the commitments and
the unease in the market and between the regulators.
Rigo
On Wednesday 24 October 2012 18:14:22 David Wainberg wrote:
Rob, Rigo, Ninja, what are your thoughts?
On 10/24/12 6:12 PM, David Wainberg wrote:
Hi Kimon,
I would not suggest that MRC is or should be relevant in Europe.
My questions to other Europeans in the group is whether they
share Walter's position, quoted below, regarding U.S. law and
the goals for the DNT standard.
-David
On 10/24/12 11:32 AM, Kimon Zorbas wrote:
David,
I am struggling to understand why MRC should be relevant in
Europe? (I am a bit lost in this debate – it seems to me that
MRC certifies products to conduct measurement - in the US). If
companies operate in Europe, they need to comply with our
strict laws.
Audience measurement in Europe is to my knowledge conducted via
anonymous data. Safe Harbor wouldn't apply to such data. If
audience data is transferred to outside the EEA (and adequate
countries), then there is no issue (with anonymous data sets).
If personal data is collected, then you could benefit of the
Safe Harbor regime as a US based company. Not sure that has
anything to do with MRC (being only a certification body, if I
understand correctly).
Kind regards,
Kimon
From: David Wainberg <david@networkadvertising.org<mailto:david@networkadvertising.org>
<mailto:david@networkadvertising.org>>
Date: Wednesday 24 October 2012 17:15
To: Walter van Holst <walter.van.holst@xs4all.nl<mailto:walter.van.holst@xs4all.nl>
<mailto:walter.van.holst@xs4all.nl>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>
<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>
<mailto:public-tracking@w3.org>>
Subject: Re: Proposed Text for Local Law and Public Purpose
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>
<mailto:public-tracking@w3.org>> Resent-Date: Wednesday 24
October 2012 17:15
Is this the view of other Europeans participating in this
working group?>>
On 10/24/12 10:39 AM, Walter van Holst wrote:
Actually, from a EU perspective this standard as a
whole
is unnecessary
because most business practices, at least the one
that
are publicly
known, in this field are in violation of EU-law
already.
So why do we keep talking about it in terms of EU law?
Why do we
continue to have proposals aimed at suiting EU
requirements?
Well, I am going to be offensive again and maybe even
patronising, but
the US legal context for privacy discussions is not quite
up to
par with
the rest of the industrialised world. For all its defects,
the
European
legal framework embodies a coherent framework of concepts
on this
subject matter. Which sadly the USA does not have. So,
apart from
my own
geographical bias by virtue of being Dutch, other than in
terms of consent it is difficult to discuss this in
outside the terms of EU law.
Not to mention that similar frameworks have been adopted by
Canada, Australia, South-Africa, Japan, Korea and Brazil
as well as that India
is in the process of moving in a similar direction.
I will be
happy if we can once and for all determine that this
Having a
mechanism for consent in the form of DNT is much
more
significant in the
US context than in the EU context. The fact that
various
EU parties are
sitting at the table in this process is in itself a
sign
that the lack
of appetite by the US to import EU concepts (unlike
most
other
democracies on the planet) has been noticed in the
EU.
Are you saying that EU participation in this forum is
precisely for the
purpose of trying to impose EU concepts on US
companies?
No, it is an acknowledgement that EU law is not applicable
in the USA and that merely leaning back basking in an
ill-conceived dream of EU-superiority in this regard is
not going to be helpful at all if large
parts of the relevant industries are (for now) out of scope
of EU
law.
Therefore it is still useful to participate in a
self-regulatory
approach, despite it being unnecessary in the EU-context.
But to my previous question, if the EU can impose these
concepts
extra-territorially through regulation then why try to
do it
through
this DNT process?
Well, why get to what you want by asking nicely if you can
do it by holding a gun to someone's head? The former is
rather more constructive,
one would think.
Regards,
Walter
Received on Thursday, 25 October 2012 22:46:18 UTC