Fwd: extension of the TPWG mandate

Hi Folks,

We received very strong support from the EU (enclosed) that endorses our
renewed focus on compliance with EU regulations
and would welcome browser/tool support for opt-in to data collection in
the EU.

Regards,
matthias


-------- Forwarded Message --------
Subject:  extension of the TPWG mandate
Date:  Fri, 16 Dec 2016 11:27:54 +0000
From:  ALBRECHT Jan Philipp <jan.albrecht@europarl.europa.eu>
To:  'timbl@w3.org' <timbl@w3.org>, 'jeff@w3.org' <jeff@w3.org>,
'mts-std@schunter.org' <mts-std@schunter.org>,
'public-tracking-comments@w3.org' <public-tracking-comments@w3.org>
Dear friends in the W3C,

Allow me to address you with a few remarks on the W3C Tracking Protection Working Group and its future work.

1. The EU General Data Protection Regulation, for which I had the honour of being rapporteur, will be applied from May 2018. Among other things, it introduces statutory obligations on any company, wherever it is located, that collects or processes the personal data of persons in the EU. Personal data is defined as “any information relating to an identified or identifiable natural person” and can include data processed for singling-out individuals online such as “online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags”. Sanctions for breaches of these obligations can be up to 4% of a company’s annual worldwide turnover or €20 million, whichever is greater.

2. On many web sites, including those run by the major online publishers, there can be several hundred “third-party” servers accessed when a page is visited. If personal data is processed by these servers, the GDPR requires that the identity of the relevant data controller, its claimed legal basis and purpose for processing be declared. Other than as described in the Do Not Track Tracking Preference Expression (TPE) document, there is currently no standardised web platform method for doing this. The current TPE includes mechanisms allowing companies to inform users, and any privacy tools that they employ, of the identity and policies of all companies that respect the DNT signal.

3. The GDPR also requires companies to obtain a user’s informed consent for, or in some circumstances support an automated right to object to, online personal data collection and processing, with users being given the ability to revoke their consent at any time. The Article 29 Working Party has called for this to be within their user agent as well as via the web resource. The current TPE includes mechanisms for communicating the user’s informed consent for tracking to all or to a set of third parties on a specific web site, which gives users much more control than that made available via HTTP cookies or other state persistence mechanisms subject to the Same Origin Policy, as users are far more comfortable giving their consent in the context of a particular website than across the entire web. The web platform currently has no API mechanism for doing this, other than the DNT Consent API.

4. Separating the signalling of user consent to a particular request header (DNT) supports the ability of sites to use “expiry” based caching via the “Vary” header. Existing mechanisms for indicating user specific consent, such as HTTP Cookies, do not allow for this. Legislation such as the GDPR is bound to introduce much more web traffic that relies on user consent, and the restrictions on caching could badly affect the performance of the web platform.

5. Users are increasingly turning to other methods to protect their privacy online such as content and ad blockers. These are designed to detect attempts to collect data or particular web servers or resources and block them, but have to be far blunter tools than they need to be. The building blocks within the TPE offer ways for them to operate with more finesse and allow legally compliant companies to establish the trust of users, making the use of such tools less necessary.

6. There are other rights for individuals laid out in the GDPR, including the right to access, amend or erase personal data. The transparency mechanisms described in the TPE can and should be extended to allow companies to support these rights.

7. There is evidence that at the moment about 12-14% of web requests to European websites have the DNT header set, which must reflect the desire of a significant proportion of Europeans to have their preference respected.

8. The current draft of the upcoming proposal for a new EU ePrivacy Regulation (http://g8fip1kplyr33r3krz5b97d1.wpengine.netdna-cdn.com/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf) also addresses the possibility of consenting with technical settings in the browser, see Article 9(2). It also introduces an obligation for browser manufacturers to respect the privacy by design principle, see Article 10(2).

9. For all these reasons, there is more work to do in your area of expertise. I urge you therefore to extend the mandate of the TPWG until after the end of 2016.

Best regards,

Jan Philipp Albrecht

--
*************************
Ralf Bendrath
Senior Policy Advisor to Jan Philipp Albrecht MEP
European Parliament, ASP 05 F341
Rue Wiertz 60, B-1047 Brussels
Tel: +32 2 28 37060
ralf.bendrath@europarl.europa.eu
http://www.janalbrecht.eu
http://www.respect-my-privacy.eu
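The caching argument in point 4 of the letter, as an added illustration that is not part of the message: a toy shared cache that honours `Vary`, fed the same constructed traffic once with consent carried in the DNT request header and once in a per-user cookie (the origin servers, URL and cookie format are assumptions made for the example).

```python
"""Added example: why consent signalled in a dedicated DNT header stays cacheable
while consent stored in a per-user cookie forces 'Vary: Cookie' and defeats caching."""


def dnt_origin(req):
    """Hypothetical origin: consent is read only from the DNT request header."""
    consented = req.get("DNT") == "0"        # DNT:0 = user consents to tracking
    return {"body": "page+tracker" if consented else "page", "vary": ("DNT",)}


def cookie_origin(req):
    """Hypothetical origin: consent is a flag inside a per-user session cookie."""
    consented = "consent=yes" in req.get("Cookie", "")
    return {"body": "page+tracker" if consented else "page", "vary": ("Cookie",)}


class VaryCache:
    """Toy shared cache: a stored response is reused only when every request
    header named in the response's Vary list has the same value."""

    def __init__(self, origin):
        self.origin = origin
        self.vary_of = {}      # url -> header names the origin varies on
        self.store = {}        # (url, header values) -> cached body
        self.origin_hits = 0   # how often the origin had to be contacted

    def fetch(self, url, req):
        names = self.vary_of.get(url, ())
        key = (url, tuple(req.get(h) for h in names))
        if key in self.store:
            return self.store[key]
        resp = self.origin(req)
        self.origin_hits += 1
        self.vary_of[url] = resp["vary"]
        self.store[(url, tuple(req.get(h) for h in resp["vary"]))] = resp["body"]
        return resp["body"]


def make_requests(n):
    """Constructed sample traffic: n distinct users, every second one consenting."""
    return [{"DNT": "0" if i % 2 == 0 else "1",
             "Cookie": f"sid=user{i}; consent={'yes' if i % 2 == 0 else 'no'}"}
            for i in range(n)]


def origin_hits(origin, requests, url="https://publisher.example/article"):
    """Number of origin fetches needed to serve all requests through one cache."""
    cache = VaryCache(origin)
    for req in requests:
        cache.fetch(url, req)
    return cache.origin_hits
```

With 20 users the DNT variant contacts the origin twice (one entry per DNT value), while the cookie variant contacts it once per user because every cookie value is unique.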

Received on Friday, 16 December 2016 12:11:15 UTC