RE: Eprivacy Regulation EP Rapporteurs draft report

Roy, 

The amendments should be read in conjunction with the proposed ePD version. Page 8 [COM(2017) 10 final, 2017/0003 (COD)]: "The implementation of the ePrivacy Directive has not been effective to empower end-users. Therefore the implementation of the principle by centralising consent in software and prompting users with information about the privacy settings thereof, is necessary to achieve the aim." 

With that guidance in mind,I see two use cases, one without user interaction upon installation and one with user interaction. 

In the first use case, the default DNT-header value is DNT:1. 

In the second use case, the emphasis is on the the last part of the second requirement mentioned by the rapporteur, i.e., 'upon installation'. In my view, this means that a user shall be asked by a clear affirmative act what the DNT value will be upon installation. The DNT signal is the result from this user interaction and can be changed at any point by the user through configuration settings. 

Since the ePD is a lex specialis of the GDPR, the confirmation during the installation flow is in line with the consent requirements under the GDPR. Recital 32 of the GDPR is particularly helpful in this case, i.e., "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

I hope this answers your question.

Regards,
Rob
-----Original message-----
From: Roy T. Fielding
Sent: Thursday, June 15 2017, 5:18 pm
To: Rob van Eijk
Cc: public-tracking@w3.org
Subject: Re: Eprivacy Regulation EP Rapporteurs draft report

On Jun 15, 2017, at 1:35 AM, Rob van Eijk <rob@blaeu.com <mailto:rob@blaeu.com> > wrote:

Moreover, please note the remarks of the EU lawmaker on DNT (p. 87 of the draft report). I believe that it shows that there is clear support and appreciation for our work.

Article 10 of the proposal refers to options for privacy settings of tools and software used to enable users to prevent other parties from storing information on terminal equipment, or processing information stored on the equipment (Do-Not-Track mechanisms -DNTs-). The rapporteur shares the objective of the proposal but she considers that, in order to reflect the essential core principles of Union data protection law (privacy by design and by default), it must be amended. Indeed, these basic principles are not efficiently integrated in the ePrivacy proposal of the Commission. Therefore it is proposed first, that DNTs are technologically neutral to cover different kinds of technical equipment and software and, second, that DNTs, by default must configure their settings in a manner that prevents other parties from storing information on the terminal equipment or processing information stored on the equipment without the consent of the user, at the same time users should be granted the possibility to change or confirm the default privacy settings options at any moment upon installation. The settings should allow for granulation of consent by the user, taking into account the functionality of cookies and tracking techniques and DNTs should send signals to the other parties informing them of the user’s privacy settings. Compliance with these settings should be legally binding and enforceable against all other parties.

Regards,
Rob

Rob, to me that reads as if the Rapporteur expects user agents to send DNT:1 by default even
when the user has taken no action to configure a signal be sent. This would be in spite of the fact
that the TPE default of no signal is defined by regional context, meaning that in the EU sending
no explicit signal is equivalent to DNT:1 (for the same reasons given above) without wasting
network traffic.

Is that the case?

....Roy

Received on Friday, 16 June 2017 09:02:33 UTC