RE: issue-205 from Mike O'Neill on 2013-06-30 (public-tracking@w3.org from June 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sun, 30 Jun 2013 19:32:51 +0100
To: "'Vinay Goel'" <vigoel@adobe.com>
Cc: "'Shane Wiley'" <wileys@yahoo-inc.com>, <public-tracking@w3.org>, "'Justin Brookman'" <justin@cdt.org>, "'Nicholas Doty'" <npdoty@w3.org>
Message-ID: <005c01ce75c0$3aeffca0$b0cff5e0$@baycloud.com>
Vinay,

 

I know that is the conventional wisdom but this is not the case. The ePrivacy Directive does not mention “implied consent” anywhere and the member states enabling law I have read (UK & IE)  does not either. The only reference in the amendments to the “implied” adjective, where anyway it did not refer to consent, was to remove it from the 2003 Regulation. Maybe DPA reps could chime in on that.

 

One or two DPAs have issued (in my opinion ambiguous) guidance on the interpretation of the law which indicates that consent may be “implied” in certain circumstances but, as Shane says, the term is too easily misinterpreted. The actual written law does not refer to it.

 

>From Article 5(3) of the Directive, introduced in 2009:

 

Member States shall ensure that the storing of information. . . in the terminal equipment of a user is only allowed on condition that the [user] concerned has given his or her consent, having being provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.

 

Which is enabled in the UK by the Privacy and Electronic Communications Regulations 2003 (Amended May 2011). Here is the relevant article 6(1).

 

6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. 

(2) The requirements are that the subscriber or user of that terminal equipment-- 

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and 

(b) has given his or her consent. 

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use. 

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent. 

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information-- 

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or 

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

 

 

Mike

 

 

From: Vinay Goel [mailto:vigoel@adobe.com] 
Sent: 30 June 2013 18:29
To: Mike O'Neill
Cc: Shane Wiley; public-tracking@w3.org; Justin Brookman; Nicholas Doty
Subject: Re: issue-205

 

Mike

 

Explicit consent is not required by most EU countries under current law; and the term unambiguous consent is in proposed amendments to legislation. We should not be Codifying the standard against unfinished legislation. 

 

Vinay 

Sent from my phone


On Jun 30, 2013, at 1:04 PM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:

Hi Shane,

 

That text was in the TPE and I thought it was better, as did Justin because he put the same phrase in his change proposal, which this is. My main issue was to get the reference to explicit consent in EU law put back in.

 

I agree the “implied” adjective is subject to misinterpretation, especially when it has been used to avoid the necessity for obtaining consent. 

 

How about:

 

A user agent MUST have a default tracking preference of unset (not enabled) unless a another specific tracking preference is clearly and unambiguously indicated to the user prior to installation, or is required to comply with applicable laws, regulations and judicial processes.

 

It would be good  also to get input from Justin.

 

Mike

 

From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
Sent: 30 June 2013 17:01
To: Mike O'Neill; public-tracking@w3.org
Cc: 'Justin Brookman'; Nicholas Doty
Subject: RE: issue-205

 

Mike,

 

The term “implied by the decision” seems far too open to interpretation.  All 3rd parties could argue users have agreed to ignore DNT since it’s implied they’ve consented by visiting the web page they’re on (I don’t agree with that stance but use it demonstrate how easy it is to apply the term “implied” in a given context).

 

- Shane

 

NOTE – on vacation this week so replies will be delayed.

 

From: Mike O'Neill [mailto:michael.oneill@baycloud.com] 
Sent: Saturday, June 29, 2013 1:05 AM
To: public-tracking@w3.org
Cc: 'Justin Brookman'; Nicholas Doty
Subject: issue-205

 

I added the phrase about local law to Justin’s text on the wiki, as per my change submission.

 

 

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent, or another default preference is required to comply with applicable laws, regulations and judicial processes.

 

Justification.

 

The original wording in the TPE, allowing the choice of a privacy oriented user-agent, was better so why lose it, and it is possible that rights-based jurisdictions like the EU with an assumed right to privacy may require user-agents be supplied with DNT set by default.
Received on Sunday, 30 June 2013 18:33:22 UTC