Re: Topics for tomorrow

On 11/15/2017 11:14 AM, Mike O'Neill wrote:
> RE: Topics for tomorrow
>
> We said it was critical to EU privacy and data protection law, which 
> includes both the GDPR and the EPR (E-Privacy Regulation). The former 
> does refer to DNT in effect, for example, in A21(5),
>

So now I am even more confused why WP29 is unlikely to show support for DNT.

Rob had indicated that there is support for DNT in ePR, but based on 
what you say there could be support in both ePR and GDPR.

> but the current European Parliament agreed draft of the EPR 
> [http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN] 
> is more specifically relevant to online and the web, and refers to 
> many aspects of DNT in much more detail, for example in Recital 22, 
> and parts of Article 9 and Article 10. Note that EPR A10 
> cross-references A21(5) of the GDPR, and that A10 is a requirement on 
> browser companies, to be complied with no later than 6 months after 
> the EPR comes into force.
>
> Recital 22:
>
> The methods used for providing information and obtaining end-user's 
> consent should be as user-friendly as possible. Given the ubiquitous 
> use of tracking cookies and other tracking techniques, users are 
> increasingly requested to provide consent to store such tracking 
> cookies in their terminal equipment. As a result, users are overloaded 
> with requests to provide consent. This Regulation should prevent the 
> use of so-called “cookie walls” and “cookie banners” that do not help 
> users to maintain control over their personal information and privacy 
> or become informed about their rights. The use of technical means to 
> provide consent, for example, through transparent and user-friendly 
> settings, may address this problem. Therefore, this Regulation should 
> provide for the possibility to express consent by technical 
> specifications, for instance by using the appropriate settings of a 
> browser or other application. Those settings should include choices 
> concerning the storage of information on the user's terminal equipment 
> as well as a signal sent by the browser or other application 
> indicating the user's preferences to other parties. The choices made 
> by users when establishing the general privacy settings of a browser 
> or other application should be binding on, and enforceable against, 
> any third parties. Web browsers are a type of software application 
> that permits the retrieval and presentation of information on the 
> internet. Other types of applications, such as the ones that permit 
> calling and messaging or provide route guidance, have also the same 
> capabilities. Web browsers mediate much of what occurs between the 
> user and the website. From this perspective, they are in a privileged 
> position to play an active role to help the end-user to control the 
> flow of information to and from the terminal equipment. More 
> particularly web browsers, or applications or operating systems may be 
> used as the executor of a user's choices, thus helping end-users to 
> prevent information from their terminal equipment (for example smart 
> phone, tablet or computer) from being accessed or stored.
>
> Article 9(2):
>
> Without prejudice to paragraph 1, where technically possible and 
> feasible, for the purposes of point (b) of Article 8(1), consent may 
> be expressed or withdrawn by using technical specifications for 
> electronic communications services or information society services 
> which allow for specific consent for specific purposes and with regard 
> to specific service providers actively selected by the user in each 
> case, pursuant to paragraph 1. When such technical specifications are 
> used by the user's terminal equipment or the software running on it, 
> they may signal the user's choice based on previous active selections 
> by him or her. These signals shall be binding on, and enforceable 
> against, any other party.
>
> Article 10:
>
> Software placed on the market permitting electronic communications, 
> including the retrieval and presentation of information on the 
> internet, shall:
>
>  1. by default, have privacy protective settings activated to prevent
>     other parties from transmitting to or storing information on the
>     terminal equipment of a user and from processing information
>     already stored on or collected from that equipment, except for the
>     purposes laid down by Article 8(1), points (a) and (c);
>  2. upon installation, inform and offer the user the possibility to
>     change or confirm the privacy settings options defined in point
>     (a) by requiring the user's consent to a setting and offer the
>     option to prevent other parties from processing information
>     transmitted to, already stored on or collected from the terminal
>     equipment for the purposes laid down by Article 8(1) points (a),
>     (c), (d) and (da);
>  3. offer the user the possibility to express specific consent through
>     the settings after the installation of the software.
>
> Before the first use of the software, the software shall inform the 
> user about the privacy settings and the available granular setting 
> options according to the information society service accessed. These 
> settings shall be easily accessible during the use of the software and 
> presented in a manner that gives the user the possibility for making 
> an informed decision.
>
> 1a.  For the purpose of:
>
>  1. points (a) and (b) of paragraph 1,
>  2. giving or withdrawing consent pursuant to Article 9(2) of this
>     Regulation, and
>  3. objecting to the processing of personal data pursuant to Article
>     21(5) of Regulation (EU) 2017/679,
>
> the settings shall lead to a signal based on technical specifications 
> which is sent to the other parties to inform them about the user's 
> intentions with regard to consent or objection. This signal shall be 
> legally valid and be binding on, and enforceable against, any other party.
>
> 1b.  In accordance with Article 9 paragraph 2, such software shall 
> ensure that a specific information society service may allow the user 
> to express specific consent. A specific consent given by a user 
> pursuant to point (b) of Article 8(1) shall prevail over the existing 
> privacy settings for that particular information society service. 
> Without prejudice to paragraph 1, where a specified technology has 
> been authorised by the data protection board for the purposes of point 
> (b) of Article 8(1), consent may be expressed or withdrawn at any time 
> both from within the terminal equipment and by using procedures 
> provided by the specific information society service.
>
> 3.  In the case of software which has already been installed on 
> [xx.xx.xxxx], the requirements under paragraphs 1, 1a and 1b shall be 
> complied with at the time of the first update of the software, but no 
> later than six months after [the date of entry into force of this 
> Regulation].
>
> *From:*Jeff Jaffe [mailto:jeff@w3.org]
> *Sent:* 15 November 2017 14:51
> *To:* Rob van Eijk <rob@blaeu.com>; Matthias Schunter (Intel 
> Corporation) <mts-std@schunter.org>; public-tracking@w3.org 
> (public-tracking@w3.org) <public-tracking@w3.org>
> *Subject:* Re: Topics for tomorrow
>
> On 11/15/2017 6:29 AM, Rob van Eijk wrote:
>
>     Hi Matthias,
>
>     Just read the minutes.
>
>     >> schunter: If the WP29 opinion shows support for automated means
>     such as DNT, that will help get interest.
>
>     The Working Party is working on Consent Guidelines in article
>     4(11) of the GDPR. This is mentioned in the public agenda of the
>     working party [1].
>
>     The notion of consent in the draft ePR is linked to the notion of
>     consent in the GDPR. Because DNT is linked to ePR-consent, and
>     given the guidance by the working group on the ePR, it is unlikely
>     that the opinion will show support for DNT.
>
>
> I can't claim to understand the politics of what shows support for 
> what, but I don't understand why the opinion is unlikely to show 
> support for DNT.
>
> W3M was on a path to close TPWG 18 months ago.  We reversed that path 
> because we were told that DNT was critical for GDPR.  I infer that it 
> is not the case that DNT is critical for GDPR and we were mistaken 
> when we reversed path 18 months ago.  Am I understanding this correctly?
>
>
>     Rob
>
>     [1] http://ec.europa.eu/newsroom/document.cfm?doc_id=47530
>
>     —
>     PGP fingerprint: 704F 4955 F7E3 044E 4084 19E2 2844 CDDC A655 DB3C
>     [public_key
>     <https://www.natuurlijkehaarkleuring.nl/.well-known/pgp/0xA655DB3C.asc>]
>
>     PGP verification is published in DNS which is secured by DNSSEC
>     [rob._pka.blaeu.com
>     <https://toolbox.googleapps.com/apps/dig/#TXT/rob._pka.blaeu.com>]
>
>         -----Original message-----
>         *From:* Matthias Schunter (Intel Corporation)
>         *Sent:* Sunday, November 12 2017, 9:18 am
>         *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
>         (public-tracking@w3.org <mailto:public-tracking@w3.org>)
>         *Subject:* Topics for tomorrow
>
>         Hi Folks,
>
>         I suggest to discuss three topics:
>
>         1. How to get text proposals for issue 60 (purposes)
>
>         2. Actions to kick-off 2018 charter and to get new members joining
>
>         3. Status of implementations (needed for REC).
>
>         Regards,
>
>         matthias
>

Received on Wednesday, 15 November 2017 16:49:06 UTC