Re: What additional optional information is ESSENTIAL in Europe to document a informed that has been given?

Dear Matthias,
Dear all,

To ensure that DNT will become a sufficient technical mechanism to provide consent, it has to provide the necessary information to the user - main points:
- identity of the legal entity consent is given to
- purpose for which the data is processed, including the storage period

From my perspective there is, in general, a need to provide this information to ensure that consent can be given on the basis of the GDPR. My assumption is that the ePrivacy Directive will not define different requirements for consent.

Best,
Frank

Deutsche Telekom AG
Group Headquarters, Group Privacy

Frank Wagner
VP Business, Services & Infrastructure

Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany
+49 6151 58-33 514 (Phone)
+49 175 181-9770 (Mobile)
E-Mail: frank.wagner@telekom.de
www.telekom.com

Life is for sharing.

www.telekom.com/compulsory-statement

On 29.03.2017 at 14:09, Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:

Hi Folks,


thanks a lot for the interesting discussion. It is nice to see that we
do not want to create a "next generation P3P" where policies are
expressed in a machine-readable way.

While this general discussion is interesting, I believe it would be
easier for me to discuss specific fields and whether to add them as
optional, add them as mandatory, or leave it to future evolving de-facto
standards (such as GDPR best practices).

To focus our discussion, please propose specific information fields and
answer those questions:
1. What is the field about?
2. Why is it essential / what is its benefit?
3. How does it help compliance?
4. What does the user-agent need to do with the field?
   - When is it stored?
   - How is it processed?
   - How does it change the user behavior?

Discussing Pro/Cons for specific fields will be easier than in general.

My suggested default position is still to avoid more fields and data
unless necessary (the suggested bar for mandatory is "very high"; the
suggested bar for optional is "high"). So far, I have not seen any
convincing cases for specific fields to be added.

Please keep the discussion going - I would be curious what essential
fields will evolve as input to our discussion next week.


Regards,
matthias



On 28.03.2017 22:48, Shane M Wiley wrote:
Walter,

Having lived through P3P, there is no "simple way out": the simpler the
model, the more rigid it becomes, and it harms industry that much more when
attempting to squeeze into a very tiny box of options. The more complex
the metadata standard becomes, the more it can approach real-world
scenarios, but then it becomes more difficult to develop and less of a
utility to machine reading.

User Agents have the ability to offer data subjects the option to
remove previously provided consent under the current standard. There is
nothing in the GDPR or ePR that suggests that User Agents need machine-
readable elements to provide some greater level of automated processing.

- Shane

Shane Wiley
VP, Privacy Policy
Yahoo


------------------------------------------------------------------------
*From:* Walter van Holst <walter@vanholst.com>
*To:* public-tracking@w3.org
*Sent:* Tuesday, March 28, 2017 1:43 PM
*Subject:* Re: What additional optional information is ESSENTIAL in
Europe to document a informed that has been given?

On 2017-03-28 22:06, Shane M Wiley wrote:
Rob,

Thank you for that perspective, but again nothing here mandates that
the browser play a role outside of recording the consent as determined
by the controller and allowing users an "equally easy" manner in which
to remove that consent. I'm still not convinced that there is a need
for machine-readable elements in the TSO to enable user agent
capabilities beyond those needs.

I would agree with your legal counsel that a grammatical reading of the
GDPR does not provide for such a positive obligation regarding
providing consent.

However, the GDPR has in article 21(5) a positive obligation regarding
the ease of withdrawal of consent, which is a special case on top of the
general provision on withdrawal of consent in article 7(3) GDPR.

I have been told by Jan Philipp Albrecht's staff that the amendment
that gave rise to article 21(5) GDPR was specifically proposed with the
W3C DNT WG in mind. This alone should give your legal counsel pause. And
once he or she is at it, this alone is a strong basis for a
non-grammatical interpretation of the GDPR that there is a similar
obligation for giving consent, but that the legislator assumed that data
controllers would feel a sufficiently enlightened self-interest that
they would create such easy avenues for doing so anyway.

In light of the consent requirements of art 7 GDPR, it would make no
sense whatsoever to not allow for meta-data that would allow for
machine-readability. I would strongly support Rob's suggestion for an
optional array for this purpose.

And no, I definitely don't want this to become another P3P. Let's keep
things as simple as possible, but not simpler than that.


Regards,


Walter

Received on Monday, 3 April 2017 12:00:51 UTC