Re: Deidentification (ISSUE-188)

On August 21, 2014, at 9:04 AM, David Singer <> wrote:

> I think Roy’s point is that such a requirement does not belong in the definition of the term, and I tend to agree with him.  
> Is there a better place where we could say that {de-identification} procedures should be publicly documented?

Yes, I think it would make sense for the proposal to be to add a requirement to "Server Compliance" (or a related section) like the following:
 A party that complies with a user's tracking preference by deidentification of data (as described above) SHOULD describe those measures publicly, for example, in a privacy policy.
And that would be orthogonal to the definitional question, as it could apply to any of the proposals. (We could have two separate sections in the Call for Objections questionnaire, no problem.)

Optimistically, I've added that text to the wiki here in place of the extra bullet point in the proposed definition:

And I've also made some smaller text edits to David's definition, which I think just clarify or fix grammatical structure.

Vincent, did you have a sense whether David's most recent proposal would be sufficient for your purposes that we didn't need the separate Article-29-style proposal in a Call for Objections?


Received on Monday, 25 August 2014 20:52:23 UTC