Re: Letter from Dr. Dix (German data protection authority)

Thanks for forwarding this letter to the group.

Just to make sure we are on the same page regarding the Google Analytics 
agreement: The Data Protection Commissioner of Hamburg negotiated in 
2011 with Google to allow German web site owners (data controllers) to 
use Google Analytics in a lawful way. According to our compliance spec 
Google Analytics would be a service provider (not a third party).

Therefore, we talk about additional requirements for first parties and 
their service providers here: (These additional requirements result 
mainly from the facts that 1) the Safe Harbor self-certification alone 
is deemed insufficient by the German DPA as a legal ground for data 
transfer to the US, 2) Google is a huge party and a siloing of data from 
different customers and separation of first party services and service 
provider services could not be verified.)

- Opt-out option for users (data subjects) regarding the use of service 
providers like Google Analytics

- "De-identification" (by deleting the last IP address segment) 
immediately before any data transfer to the US occurs

ninja


On 28.06.2013 01:30, mts-std@schunter.org wrote:
>
>
> Dear Team,
>
>
> Peter and I have received the enclosed letter from Dr. Dix as input for
> our consideration.
>
> It contains
>   - a cover letter,
>   - a position statement on web-tracking outlining
>     the requirements of the International Working Group
>     on Data Protection in Telecommunications ("the Berlin Group"),
>   - and a press statement in German.
>
>
> Regards,
> matthias
>
> PS: My (non-normative) translation of the Press statement:
>
> The Press statement says that Google and the German DPA have agreed on
> guidelines on how to adjust Google Analytics in a way that is in line
> with the German DPA requirements. Basically (no guarantee for correct
> translation) these requirements have been fulfilled:
>   1. Opt-out for users
>   2. Ability for enterprise users to ask Google to anonymize the
>      IP addresses collected (by dropping the last part)
>   3. Contracts between Google and Enterprises using Analytics
>      that satisfy the requirements of Google acting as Data Processor.
>
>
> ---------------------------- Original Message ----------------------------
> Subject: Web Tracking
> Date: Thu, June 27, 2013 11:28
> --------------------------------------------------------------------------
>
> Dear Prof. Swire,
> Dear Mr. Schunter,
>
> please find attached a letter of Dr. Dix and the enclosures.
>
> Yours sincerely,
>
> Sandra Ließmann
>

-- 

Ninja Marnau
mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
Telefon: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein

Received on Monday, 1 July 2013 08:24:04 UTC