- From: Rob van Eijk <rob@blaeu.com>
- Date: Tue, 28 Mar 2017 21:30:55 +0200
- To: Shane M Wiley <wileys@yahoo-inc.com>
- Cc: public-tracking@w3.org
Hi Shane, Matthias has done an excellent job in capturing some of the underlying issues and attempting to move the discussion forward. It is clear that the group is not calling for (re)creating P3P. The discussion at the moment has come to the point of explorating how to acoomodate 'hooks' in the DNT protocol/spec to enable data controllers to become compliant with the EU requirement of explicit, informed consent. WP29 and DPA's have provided guidance on various occasions/opinions in the criteria of valid consent, e.g., specific, informed, free, and based on a user's action. This discussion sees to the criterium of specific. Moreover, the user's perspective is about granting exceptions and revoking their consent whenever they want. The DNT protocol has a small, but important role to play, but cannot solve the whole puzzle. Browsers need to play a part, and so do data controllers. I truly believe it is our task to explore the middle ground and try to make the best specification we can. We started the discussion on the TSR on the last weekly call (ISSUE 2, ISSUE 23, ISSUE 23). It is tabled again coming Monday and hopefully we can come to a consensus and move on to the other open issues. Regards, Rob Shane M Wiley schreef op 2017-03-28 20:11: > Mike, > > Appreciate your perspective on providing legal guidance to the working > group with respect to specific language in the GDPR but I'd suggest > those perspectives are opinion and not a specific legal determination > of how industry should interpret that language. > Other legal counsel does not read that language to mean industry must > provide machine readable information. Additionally the A29WP and/or > DPAs have NOT provided specific guidance that we must provide > information to users in "machine readable" format. > > I believe any attempt to create machine readable elements will require > much further discussion (similar to TCS level discussions) and we'll > need to be very careful to not make the same missteps made in P3P. > > - Shane > > Shane Wiley > VP, Privacy Policy > Yahoo > > ------------------------- > FROM: Mike O'Neill <michael.oneill@baycloud.com> > TO: 'Shane M Wiley' <wileys@yahoo-inc.com>; 'Matthias Schunter (Intel > Corporation)' <mts-std@schunter.org>; public-tracking@w3.org > SENT: Tuesday, March 28, 2017 11:04 AM > SUBJECT: RE: What additional optional information is ESSENTIAL in > Europe to document a informed that has been given? > > Shane, comments in-line. > > Mike > > FROM: Shane M Wiley [mailto:wileys@yahoo-inc.com] > SENT: 28 March 2017 17:42 > TO: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>; > public-tracking@w3.org (public-tracking@w3.org) > <public-tracking@w3.org> > SUBJECT: Re: What additional optional information is ESSENTIAL in > Europe to document a informed that has been given? > > Matthias, > > Mandatory fields should be judge purely on the technical cohesion of > the standard - nothing more. I believe we've appropriately set those > out already. > > Any additional fields needed to assist in legal compliance in any > given region should be added as optional only such that implementers > can judge for themselves what is necessary for the locale of their > user. > > Q: Do we need any further mandatory fields for technical cohesion of > the standard? > > A: No > > I don’t remember anyone asking for it to be mandatory. > > Q: Do we need any further data elements to meet known legal > obligations in any given country in the world? > > A: For GDPR and ePR(draft) I believe we have everything necessary to > be communicated to a user in a loosely-structured manner and those > tools can be further extended by implementers to provide additional > links to more information as they feel is necessary. > > Loosely-structured does not meet the requirement for “information to > the data subjects on the identity of the controller and the purposes > of the processing and further information to ensure fair and > transparent processing“. The clear intention of Recital 60 and > Article 12.7 is that such data should be machine-readable, so that in > can be presented to the user in the required “easily visible, > intelligible and clearly legible” manner. > > Why not provide a set of optional informational properties that can be > referred to by regulator guidance or compliance documents. We have an > opportunity to quickly create some very useful optional elements so > sites can communicate information to user agents, what is the point > of not doing that. > > Shane Wiley > VP, Privacy Policy > Yahoo > > ------------------------- > > FROM: Matthias Schunter (Intel Corporation) <mts-std@schunter.org> > TO: Shane M Wiley <wileys@yahoo-inc.com>; "public-tracking@w3.org > (public-tracking@w3.org)" <public-tracking@w3.org> > SENT: Monday, March 27, 2017 11:52 PM > SUBJECT: Re: What additional optional information is ESSENTIAL in > Europe to document a informed that has been given? > > Hi Shane, > > thanks for the input. I agree that the bar for mandatory fields in the > TSR should be rather high. > > As agreed earlier, our focus should be on essential and minimal > changes > to help compliance in the EU. I.e. things that are "nice to have", > "could help some user agents sometimes", or "should be standardized > here > since we do not expect that EU best practices will evolve" are IMHO > out > of scope for this group. > > Mandatory requirements that I have collected so far: > - Tracking Status is already mandatory as part of the TCS. > - If user-granted exceptions are registered, then a TCS should exist > and include a compliance link. > - If a user-granted exception is granted, the user agent SHOULD store > the requesting URL and MAY retrieve and store metadata from the TCS. > - A user SHOULD be able to remove user-granted exceptions (either > individually or as a whole). A user-agent MAY allow users to > review user-granted exceptions. > > For further optional fields, I suggest the following criteria: > - They have a clear value globally > - Documenting this data is essential to satisfy the EU privacy > regulations. > - They cannot be defined as part of a specific EU compliance regime > > For further mandatory fields, I suggest the following criteria: > - [same as before] > + Regulation REQUIRES a user agent to read, understand, and act on > the field. > > For including additional metadata into the Javascript API ("consent > documentation"), we probably need a separate discussion. > > If we have a clear agreement on a set of fields that are essential and > sufficient to simplify compliance in the EU (but may not be useful > elsewhere), we may discuss how to best foster standardized use of > these > fields. > > Regards, > matthias > > On 27.03.2017 23:13, Shane M Wiley wrote: >> Matthias, >> >> I'm not here next week (regrets) but I'd like to ask that we > maintain a >> "loosely-structured" approach for the TSO as we had originally > agreed. >> There is no need for the user agent to interrogate the contents of > the >> TSO outside of mandatory elements as the information is there for > the >> user to consume (human readable vs. machine readable). I believe we >> have the correct mandatory fields at this point from an > accountability >> perspective - all others can be added optionally as desired by >> implementers (on their individual views of what is legally > necessary). >> Adding additional structure (P3P complexity) to our current > approach is >> not required by GDPR so let's not attempt to do that at this late > stage. >> >> - Shane >> >> Shane Wiley >> VP, Privacy >> Yahoo >> >> >> > ------------------------------------------------------------------------ >> *From:* Matthias Schunter (Intel Corporation) <mts-std@schunter.org> >> *To:* "public-tracking@w3.org (public-tracking@w3.org)" >> <public-tracking@w3.org> >> *Sent:* Monday, March 27, 2017 10:08 AM >> *Subject:* What additional optional information is ESSENTIAL in > Europe >> to document a informed that has been given? >> >> Hi Folks, >> >> today, we discussed what additional information may be required (in > the >> TSR or elsewhere) >> to provide context for a user-granted exception that has been > registered. >> >> Fields we have already: >> - Compliance URL: A pointer to a compliance regime >> - Same Party >> - Controller >> >> My questions is: >> - What additional fields would be required? >> - Why are they essential and cannot be defined elsewhere (e.g. in a > EU >> specific compliance document or a subsection of the > compliance-page)? >> - Why does the browser need to parse this information? What does the >> browser need to do with it? (if it just stores it, it could be part > of a >> larger JSON object that is left undefined). >> >> Next week we can then discuss whether any raises above our threshold > of >> "Essential for EU". >> >> >> Regards, >> matthias >> >> >> >> >>
Received on Tuesday, 28 March 2017 19:31:30 UTC