- From: Rigo Wenning <rigo@w3.org>
- Date: Thu, 24 Aug 2000 20:28:05 +0200
- To: Ruediger Grimm <grimm@darmstadt.gmd.de>
- Cc: "Joseph M. Reagle Jr." <reagle@mit.edu>, rosnagel@uni-kassel.de, www-p3p-public-comments@w3.org, www-p3p-policy@w3.org
I want to redirect this discussion to the new mailing-list, established for that purpose. If you all are interested in that discussion, please subscribe to www-p3p-policy@w3.org: To subscribe, please send mail to www-p3p-policy-request@w3.org with 'subscribe' in the Subject: - Field. On Mon, Aug 21, 2000 at 11:19:22AM +0200, Ruediger Grimm wrote: > Hi Joseph, [...] > > > I still don't follow. Is your bad case the following: if a site A says they > > give the data to sites that have similar practices (such as those that don't > > use it for marketing) including site B. Site B has similar practices (no > > marketing, etc.) also gives it to site C? This could go on for a while. But > > the goal is to provide the use with the assurance that if they don't want > > marketing, they won't get marketing, and to give them a sense of the scope > > of distribution, not a complete audit trail (which I think is infeasible). > > What is the alternative and how does it prevent this scenario? > > The rules just prevent transitivity: a user would agree to transfer data > to a service A. The user can also allow service A to transfer the date > further to services B, C, D (but no others) for the puropse of > (B: outsourced billing, C: market research, D: making sales offers > to the user). Any other service who would like to get those user This should already be covered by <ours/>: <ours/> Ourselves and/or our agents: Ourselves and our agents. An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., The service provider and its printing bureau which prints address labels and does nothing further with the information.) What is not covered yet is, that A can ask, whether it would be also ok to share with B. We have discussed that. It can be expressed in a long-description field. But it won't be machine-readable, as the WG expressed the concern, that a declaration would be much to complex. If we would allow the use of (a special subset of) the base-data-set in the recipient-field, the WG was quite confident, that it won't be used. > data from A would have to ask the user first. > Of course, the user could also allow the service A to "transfer the > user data to anyone A wants to, under the restriction that..." But this > would be rather an exceptional case. Ths standard case is: explicit > recipients for excplicit purposes. > > This is one of the strict rules of the German (and European) > privacy protection laws. This rationale behind this is: the strong binding > between data and the puropse of their use as a basic principle of > privacy protection. >
Received on Thursday, 24 August 2000 15:04:28 UTC