- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Mon, 3 Oct 2016 13:54:05 +0100
- To: "'Matthias Schunter \(Intel Corporation\)'" <mts-std@schunter.org>, <public-tracking@w3.org>
The GDPR includes rights for subjects and obligations of controllers for
supplying information and to offer user control. Some of these are already
addressed in the TPE but there could be additions to the Tracking Status
Resource to meet others. For example at TPAC Matthias suggested a "legal
basis" property where the controller could claim legitimate interest (where
the "right to object" is important), there could be others to cover the
right of access and erasure. There were some suggested in my DNTBugs
document (deleteDataUri & dataHeldUri)
https://trackingprotection.github.io/Implementation/DNTBugs/#rep.deleteDataU
ri
With programmatic ad insertion it is often impossible for a first-party site
to know what third-parties are being embedded ( an ad exchange or similar
can load arbitrary iframes that in turn load others). I suggested an API on
the WICG (Web Platform Incubator Community Group) site
https://discourse.wicg.io/t/api-to-monitor-subresources/1723/22. While it is
possible to limit embedded domains using the Content-Security-Policy API
sites have no prior knowledge of domains an ad exchange is likely to use. An
API to make this information transparent (say in a widget on the first-party
site) would be a good start, maybe later we could suggest new CSP
declarations that would block domains without a TSR. Anyway take a look and
let me know.
I have extracted the relevant articles from the GDPR below:
Legal basis of processing, Consent
Article 6
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one
of the following applies:
(a) the data subject has given consent to the processing of his or her
personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to
which the controller is subject;
(d) processing is necessary in order to protect the vital interests of
the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in
the public interest or in the exercise of official authority vested in the
controller;
(f) processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such interests
are overridden by the interests or fundamental rights and freedoms of the
data subject which require protection of personal data, in particular where
the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried
out by public authorities in the performance of their tasks.
Proof of Consent
Article 7
Conditions for consent
1. Where processing is based on consent, the controller shall be able to
demonstrate that the data subject has consented to processing of his or her
personal data.
2. If the data subject's consent is given in the context of a written
declaration which also concerns other matters, the request for consent shall
be presented in a manner which is clearly distinguishable from the other
matters, in an intelligible and easily accessible form, using clear and
plain language. Any part of such a declaration which constitutes an
infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at
any time. The withdrawal of consent shall not affect the lawfulness of
processing based on consent before its withdrawal. Prior to giving consent,
the data subject shall be informed thereof. It shall be as easy to withdraw
as to give consent.
4. When assessing whether consent is freely given, utmost account shall be
taken of whether, inter alia, the performance of a contract, including the
provision of a service, is conditional on consent to the processing of
personal data that is not necessary for the performance of that contract.
Transparency
Article 12
Transparent information, communication and modalities for the exercise of
the rights of the data subject
1. The controller shall take appropriate measures to provide any
information referred to in Articles 13 and 14 and any communication under
Articles 15 to 22 and 34 relating to processing to the data subject in a
concise, transparent, intelligible and easily accessible form, using clear
and plain language, in particular for any information addressed specifically
to a child. The information shall be provided in writing, or by other means,
including, where appropriate, by electronic means. When requested by the
data subject, the information may be provided orally, provided that the
identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights
under Articles 15 to 22. In the cases referred to in Article 11(2), the
controller shall not refuse to act on the request of the data subject for
exercising his or her rights under Articles 15 to 22, unless the controller
demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request
under Articles 15 to 22 to the data subject without undue delay and in any
event within one month of receipt of the request. That period may be
extended by two further months where necessary, taking into account the
complexity and number of the requests. The controller shall inform the data
subject of any such extension within one month of receipt of the request,
together with the reasons for the delay. Where the data subject makes the
request by electronic form means, the information shall be provided by
electronic means where possible, unless otherwise requested by the data
subject.
4. If the controller does not take action on the request of the data
subject, the controller shall inform the data subject without delay and at
the latest within one month of receipt of the request of the reasons for not
taking action and on the possibility of lodging a complaint with a
supervisory authority and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and
any actions taken under Articles 15 to 22 and 34 shall be provided free of
charge. Where requests from a data subject are manifestly unfounded or
excessive, in particular because of their repetitive character, the
controller may either:
(a) charge a reasonable fee taking into account the administrative costs
of providing the information or communication or taking the action
requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly
unfounded or excessive character of the request.
6. Without prejudice to Article 11, where the controller has reasonable
doubts concerning the identity of the natural person making the request
referred to in Articles 15 to 21, the controller may request the provision
of additional information necessary to confirm the identity of the data
subject.
7. The information to be provided to data subjects pursuant to Articles 13
and 14 may be provided in combination with standardised icons in order to
give in an easily visible, intelligible and clearly legible manner a
meaningful overview of the intended processing. Where the icons are
presented electronically they shall be machine-readable.
8. The Commission shall be empowered to adopt delegated acts in accordance
with Article 92 for the purpose of determining the information to be
presented by the icons and the procedures for providing standardised icons.
Section 2
Information to be provided, need to declare legit interest
Information and access to personal data
Article 13
Information to be provided where personal data are collected from the data
subject
1. Where personal data relating to a data subject are collected from the
data subject, the controller shall, at the time when personal data are
obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where
applicable, of the controller's representative;
(b) the contact details of the data protection officer, where
applicable;
(c) the purposes of the processing for which the personal data are
intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the
legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if
any;
(f) where applicable, the fact that the controller intends to transfer
personal data to a third country or international organisation and the
existence or absence of an adequacy decision by the Commission, or in the
case of transfers referred to in Article 46 or 47, or the second
subparagraph of Article 49(1), reference to the appropriate or suitable
safeguards and the means by which to obtain a copy of them or where they
have been made available.
2. In addition to the information referred to in paragraph 1, the
controller shall, at the time when personal data are obtained, provide the
data subject with the following further information necessary to ensure fair
and transparent processing:
(a) the period for which the personal data will be stored, or if that is
not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to
and rectification or erasure of personal data or restriction of processing
concerning the data subject or to object to processing as well as the right
to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point
(a) of Article 9(2), the existence of the right to withdraw consent at any
time, without affecting the lawfulness of processing based on consent before
its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual
requirement, or a requirement necessary to enter into a contract, as well as
whether the data subject is obliged to provide the personal data and of the
possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling,
referred to in Article 22(1) and (4) and, at least in those cases,
meaningful information about the logic involved, as well as the significance
and the envisaged consequences of such processing for the data subject.
also
Article 14
Information to be provided where personal data have not been obtained from
the data subject
1. Where personal data have not been obtained from the data subject, the
controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where
applicable, of the controller's representative;
(b) the contact details of the data protection officer, where
applicable;
(c) the purposes of the processing for which the personal data are
intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if
any;
(f) where applicable, that the controller intends to transfer personal
data to a recipient in a third country or international organisation and the
existence or absence of an adequacy decision by the Commission, or in the
case of transfers referred to in Article 46 or 47, or the second
subparagraph of Article 49(1), reference to the appropriate or suitable
safeguards and the means to obtain a copy of them or where they have been
made available.
2. In addition to the information referred to in paragraph 1, the
controller shall provide the data subject with the following information
necessary to ensure fair and transparent processing in respect of the data
subject:
(a) the period for which the personal data will be stored, or if that is
not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the
legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to
and rectification or erasure of personal data or restriction of processing
concerning the data subject and to object to processing as well as the right
to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a)
of Article 9(2), the existence of the right to withdraw consent at any time,
without affecting the lawfulness of processing based on consent before its
withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable,
whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling,
referred to in Article 22(1) and (4) and, at least in those cases,
meaningful information about the logic involved, as well as the significance
and the envisaged consequences of such processing for the data subject.
3. The controller shall provide the information referred to in paragraphs
1 and 2:
(a) within a reasonable period after obtaining the personal data, but at
the latest within one month, having regard to the specific circumstances in
which the personal data are processed;
(b) if the personal data are to be used for communication with the data
subject, at the latest at the time of the first communication to that data
subject; or
(c) if a disclosure to another recipient is envisaged, at the latest
when the personal data are first disclosed.
4. Where the controller intends to further process the personal data for a
purpose other than that for which the personal data were obtained, the
controller shall provide the data subject prior to that further processing
with information on that other purpose and with any relevant further
information as referred to in paragraph 2.
5. Paragraphs 1 to 4 shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve
a disproportionate effort, in particular for processing for archiving
purposes in the public interest, scientific or historical research purposes
or statistical purposes, subject to the conditions and safeguards referred
to in Article 89(1) or in so far as the obligation referred to in paragraph
1 of this Article is likely to render impossible or seriously impair the
achievement of the objectives of that processing. In such cases the
controller shall take appropriate measures to protect the data subject's
rights and freedoms and legitimate interests, including making the
information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member
State law to which the controller is subject and which provides appropriate
measures to protect the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an
obligation of professional secrecy regulated by Union or Member State law,
including a statutory obligation of secrecy.
Right to Access
Article 15
Right of access by the data subject
1. The data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or her are
being processed, and, where that is the case, access to the personal data
and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data
have been or will be disclosed, in particular recipients in third countries
or international organisations;
(d) where possible, the envisaged period for which the personal data
will be stored, or, if not possible, the criteria used to determine that
period;
(e) the existence of the right to request from the controller
rectification or erasure of personal data or restriction of processing of
personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any
available information as to their source;
(h) the existence of automated decision-making, including profiling,
referred to in Article 22(1) and (4) and, at least in those cases,
meaningful information about the logic involved, as well as the significance
and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an
international organisation, the data subject shall have the right to be
informed of the appropriate safeguards pursuant to Article 46 relating to
the transfer.
3. The controller shall provide a copy of the personal data undergoing
processing. For any further copies requested by the data subject, the
controller may charge a reasonable fee based on administrative costs. Where
the data subject makes the request by electronic means, and unless otherwise
requested by the data subject, the information shall be provided in a
commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not
adversely affect the rights and freedoms of others.
Right to Erasure
Right to erasure ('right to be forgotten')
1. The data subject shall have the right to obtain from the controller the
erasure of personal data concerning him or her without undue delay and the
controller shall have the obligation to erase personal data without undue
delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the
purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based
according to point (a) of Article 6(1), or point (a) of Article 9(2), and
where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1)
and there are no overriding legitimate grounds for the processing, or the
data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal
obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of
information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged
pursuant to paragraph 1 to erase the personal data, the controller, taking
account of available technology and the cost of implementation, shall take
reasonable steps, including technical measures, to inform controllers which
are processing the personal data that the data subject has requested the
erasure by such controllers of any links to, or copy or replication of,
those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is
necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by
Union or Member State law to which the controller is subject or for the
performance of a task carried out in the public interest or in the exercise
of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in
accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes in accordance with
Article 89(1) in so far as the right referred to in paragraph 1 is likely to
render impossible or seriously impair the achievement of the objectives of
that processing; or
(e) for the establishment, exercise or defence of legal claims.
Right to object
Article 21
Right to object
1. The data subject shall have the right to object, on grounds relating to
his or her particular situation, at any time to processing of personal data
concerning him or her which is based on point (e) or (f) of Article 6(1),
including profiling based on those provisions. The controller shall no
longer process the personal data unless the controller demonstrates
compelling legitimate grounds for the processing which override the
interests, rights and freedoms of the data subject or for the establishment,
exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the
data subject shall have the right to object at any time to processing of
personal data concerning him or her for such marketing, which includes
profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing
purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data
subject, the right referred to in paragraphs 1 and 2 shall be explicitly
brought to the attention of the data subject and shall be presented clearly
and separately from any other information.
5. In the context of the use of information society services, and
notwithstanding Directive 2002/58/EC, the data subject may exercise his or
her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research
purposes or statistical purposes pursuant to Article 89(1), the data
subject, on grounds relating to his or her particular situation, shall have
the right to object to processing of personal data concerning him or her,
unless the processing is necessary for the performance of a task carried out
for reasons of public interest.
Mike
Received on Monday, 3 October 2016 12:55:20 UTC