Re: What additional optional information is ESSENTIAL in Europe to document a informed that has been given?

Mike,
Appreciate your perspective on providing legal guidance to the working group with respect to specific language in the GDPR but I'd suggest those perspectives are opinion and not a specific legal determination of how industry should interpret that language.  
Other legal counsel does not read that language to mean industry must provide machine readable information.  Additionally the A29WP and/or DPAs have NOT provided specific guidance that we must provide information to users in "machine readable" format.
I believe any attempt to create machine readable elements will require much further discussion (similar to TCS level discussions) and we'll need to be very careful to not make the same missteps made in P3P.  
- Shane

Shane Wiley
VP, Privacy Policy
Yahoo

From: Mike O'Neill <michael.oneill@baycloud.com>
To: 'Shane M Wiley' <wileys@yahoo-inc.com>; 'Matthias Schunter (Intel Corporation)' <mts-std@schunter.org>; public-tracking@w3.org
Sent: Tuesday, March 28, 2017 11:04 AM
Subject: RE: What additional optional information is ESSENTIAL in Europe to document a informed that has been given?

Shane, comments in-line.

Mike

From: Shane M Wiley [mailto:wileys@yahoo-inc.com]
Sent: 28 March 2017 17:42
To: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>; public-tracking@w3.org (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Re: What additional optional information is ESSENTIAL in Europe to document a informed that has been given?

Matthias,

Mandatory fields should be judged purely on the technical cohesion of the standard - nothing more.  I believe we've appropriately set those out already.  Any additional fields needed to assist in legal compliance in any given region should be added as optional only such that implementers can judge for themselves what is necessary for the locale of their user.

Q: Do we need any further mandatory fields for technical cohesion of the standard?
A: No

I don't remember anyone asking for it to be mandatory.

Q: Do we need any further data elements to meet known legal obligations in any given country in the world?
A: For GDPR and ePR (draft) I believe we have everything necessary to be communicated to a user in a loosely-structured manner and those tools can be further extended by implementers to provide additional links to more information as they feel is necessary.

Loosely-structured does not meet the requirement for "information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing". The clear intention of Recital 60 and Article 12.7 is that such data should be machine-readable, so that it can be presented to the user in the required "easily visible, intelligible and clearly legible" manner. Why not provide a set of optional informational properties that can be referred to by regulator guidance or compliance documents? We have an opportunity to quickly create some very useful optional elements so sites can communicate information to user agents; what is the point of not doing that?

Shane Wiley
VP, Privacy Policy
Yahoo

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
To: Shane M Wiley <wileys@yahoo-inc.com>; "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Sent: Monday, March 27, 2017 11:52 PM
Subject: Re: What additional optional information is ESSENTIAL in Europe to document a informed that has been given?

Hi Shane,


thanks for the input. I agree that the bar for mandatory fields in the
TSR should be rather high.

As agreed earlier, our focus should be on essential and minimal changes
to help compliance in the EU. I.e. things that are "nice to have",
"could help some user agents sometimes", or "should be standardized here
since we do not expect that EU best practices will evolve" are IMHO out
of scope for this group.

Mandatory requirements that I have collected so far:
- Tracking Status is already mandatory as part of the TCS.
- If user-granted exceptions are registered, then a TCS should exist
  and include a compliance link.
- If a user-granted exception is granted, the user agent SHOULD store
  the requesting URL and MAY retrieve and store metadata from the TCS.
- A user SHOULD be able to remove user-granted exceptions (either
  individually or as a whole). A user-agent MAY allow users to
  review user-granted exceptions.

For further optional fields, I suggest the following criteria:
- They have a clear value globally
- Documenting this data is essential to satisfy the EU privacy
  regulations.
- They cannot be defined as part of a specific EU compliance regime

For further mandatory fields, I suggest the following criteria:
- [same as before]
+ Regulation REQUIRES a user agent to read, understand, and act on
  the field.

For including additional metadata into the Javascript API ("consent
documentation"), we probably need a separate discussion.

If we have a clear agreement on a set of fields that are essential and
sufficient to simplify compliance in the EU (but may not be useful
elsewhere), we may discuss how to best foster standardized use of these
fields.


Regards,
matthias
On 27.03.2017 23:13, Shane M Wiley wrote:
> Matthias,
> 
> I'm not here next week (regrets) but I'd like to ask that we maintain a
> "loosely-structured" approach for the TSO as we had originally agreed.
>  There is no need for the user agent to interrogate the contents of the
> TSO outside of mandatory elements as the information is there for the
> user to consume (human readable vs. machine readable).  I believe we
> have the correct mandatory fields at this point from an accountability
> perspective - all others can be added optionally as desired by
> implementers (on their individual views of what is legally necessary).
>  Adding additional structure (P3P complexity) to our current approach is
> not required by GDPR so let's not attempt to do that at this late stage.  
> 
> - Shane
>  
> Shane Wiley
> VP, Privacy
> Yahoo
> 
> 
> ------------------------------------------------------------------------
> *From:* Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
> *To:* "public-tracking@w3.org (public-tracking@w3.org)"
> <public-tracking@w3.org>
> *Sent:* Monday, March 27, 2017 10:08 AM
> *Subject:* What additional optional information is ESSENTIAL in Europe
> to document a informed that has been given?
> 
> Hi Folks,
> 
> today, we discussed what additional information may be required (in the
> TSR or elsewhere)
> to provide context for a user-granted exception that has been registered.
> 
> Fields we have already:
> - Compliance URL: A pointer to a compliance regime
> - Same Party
> - Controller
> 
> My question is:
> - What additional fields would be required?
> - Why are they essential and cannot be defined elsewhere (e.g. in an EU
> specific compliance document or a subsection of the compliance-page)?
> - Why does the browser need to parse this information? What does the
> browser need to do with it? (if it just stores it, it could be part of a
> larger JSON object that is left undefined).
> 
> Next week we can then discuss whether any raises above our threshold of
> "Essential for EU".
> 
> 
> Regards,
> matthias

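As an added example that is not part of this thread or of any W3C specification: a user-agent-side check that implements the mandatory requirements Matthias lists (tracking status always present; a compliance link whenever a user-granted exception is registered; the requesting URL stored with optional TSR metadata; exceptions removable individually or as a whole) while leaving every other TSR property as loosely-structured optional metadata. The property names `tracking`, `compliance`, `controller` and `same-party` are assumed to follow the TPE JSON format; the sample TSR, the store and the function names are constructed here.

```javascript
// Added example, not from the thread. Property names follow the TPE TSR JSON
// format as assumed here; other keys are kept as loosely-structured metadata.
const KNOWN = new Set(["tracking", "compliance", "controller", "same-party"]);
// Constructed sample TSR (not from any real site), as a site might publish it.
const SAMPLE_TSR = { tracking: "C", compliance: ["https://example.com/compliance"],
  controller: ["https://example.com"], "purpose-text": "Analytics only" };
function isHttpUrl(s) {
  try { return ["http:", "https:"].includes(new URL(s).protocol); }
  catch (e) { return false; }
}

// Validate one TSR against the mandatory requirements above; report extra keys.
function validateTSR(tsr, hasUserGrantedException) {
  const errors = [];
  if (typeof tsr !== "object" || tsr === null) {
    return { ok: false, errors: ["TSR is not a JSON object"], extra: [] };
  }
  // Tracking status is mandatory in every TSR.
  if (typeof tsr.tracking !== "string" || tsr.tracking.length === 0) {
    errors.push("missing mandatory 'tracking' status");
  }
  // If a user-granted exception is registered, a compliance link must exist.
  const compliance = Array.isArray(tsr.compliance) ? tsr.compliance : [];
  if (hasUserGrantedException && compliance.length === 0) {
    errors.push("exception registered but no 'compliance' link present");
  }
  // Optional URL arrays: validate shape only, never reject on absence.
  for (const key of ["compliance", "controller", "same-party"]) {
    if (key in tsr && (!Array.isArray(tsr[key]) || !tsr[key].every(isHttpUrl))) {
      errors.push(`'${key}' must be an array of http(s) URLs`);
    }
  }
  // Everything else is implementer-defined optional metadata, stored as-is.
  const extra = Object.keys(tsr).filter(k => !KNOWN.has(k));
  return { ok: errors.length === 0, errors, extra };
}

// Exception store (Map keyed by requesting URL): stores URL (SHOULD) + TSR (MAY).
function recordException(store, requestingUrl, tsr) {
  const result = validateTSR(tsr, true);
  if (!result.ok) throw new Error(result.errors.join("; "));
  store.set(requestingUrl, { tsr, grantedAt: Date.now() });
  return result;
}
// Remove one exception, or all of them when no URL is given.
function removeExceptions(store, requestingUrl) {
  if (requestingUrl === undefined) store.clear(); else store.delete(requestingUrl);
  return store.size;
}
```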

Received on Tuesday, 28 March 2017 18:11:34 UTC