Fwd: Re: P3P and data protection in Europe

I forward the message with Struan's agreement.

Rigo

On Wednesday 21 September 2005 20:12, struan robertson wrote:
> Hi Rigo,
> I wondered if you could help me or point me in the right direction:
>
> I'm the editor of a legal news and information website,
> www.out-law.com, based in the UK.
>
> I have some reservations about using P3P in this country because of
> our strict data protection regime - but it may be that I just don't
> know enough about P3P.

We had intensive talks with the UK Data Commissioner. He is still a
supporter of P3P I think.

> I can see the benefit of P3P, and I see no problem with a compact
> policy; but I'm worried that using a full P3P policy could present a
> risk. (I don't know enough about P3P to know if a compact policy can
> be used in isolation to help deliver cookies, without a full P3P
> policy; perhaps that makes no sense.)

Yes, that's the legal fun part of P3P. One can't hide behind
ambiguities. But ambiguities are often used in legal documents to hide
uncertainty. So I understand what you mean by risk.

On the other hand, let me reassure you that so far there has been no issue
with P3P policies, and there are a lot of them all over the place in the
UK.

Note that it is not conformant to the P3P Specification to use only
compact policies, just to make IE happy. This can even increase your legal
risk considerably. There are a lot of pre-defined "make-IE-happy"
compact token strings floating around. If you use them, you make a
certain declaration of intent to the people using your site. But if you
do not intend to follow your declarations, you expose yourself to the
risk of liability under a variety of aspects of UK law that you
understand better than I do.

> My concern with the full P3P policy is that it is forced to use a
> limited vocabulary, as set out in the P3P specification. This may
> work fine for US sites, but it may not allow a European site to
> convey all the information it needs to give visitors to comply with
> data protection principles.

I'm sitting in France and I've discussed this issue with the European
Commission and a lot of data commissioners. The northern German data
commissioner in Schleswig-Holstein even offers a service for companies
wanting to do P3P to help them write the right policy:
http://www.datenschutzzentrum.de/p3p/index.htm

It might be that you can't get to 100% of the semantics and that
there is some spin in a legal document that can't be expressed. But
this is on purpose, to reduce complexity, and so far it has worked better
than expected.

> For example, the vocabulary appears to have no provision for
> describing an overseas transfer of data (I must admit that it's been
> a while since I read the spec; this email has been prompted by a
> query from a user of our website).

You can indicate the transfer to jurisdictions that do not follow the
strict European standards. This was one of the first requirements of
the Art. 29 Working Party to us. The Art. 29 WP and European data
protection specialists were (and are) involved in P3P all along:

In the <Disputes> element you are able to indicate the applicable
law. Here you indicate the European directive on data protection. In
the "service" attribute you might indicate the URI of the law that
applies to your service.

Now in the <Recipient> element, if you don't transfer overseas, you
have to indicate <same>. If you transfer overseas, you should use
<other-recipient> (for contractual partners) and <unrelated> if you sell
the data off.

> So, if my understanding is right, a risk exists whenever a user
> relies on his browser software to tell him a company's privacy
> practices, rather than reading these practices in the data protection
> notice or privacy policy. Notice of an overseas transfer of data (or
> any other nuances not accommodated in the P3P vocabulary) will be
> missed by the user. Therefore, full P3P adoption could hinder a
> website's efforts at notification.

Do you read the privacy policy of every site you surf to? I mean really
_every_ privacy policy? A well implemented P3P does that and alerts you
if something clashes with your preferences.

If it is done in a correct way, the P3P information is quite reliable
and often seen as more useful than 22 pages of legalese that nobody
reads or understands. But from a legal-technical point of view you're
right that relying on a single information source is always problematic.
But full P3P adoption is a complement to efforts of notification: it
allows the notification to be discovered easily (part of the P3P
protocol), it gives a tool to analyze the notification, it can express
the notification, it can automatically warn the user, etc. But P3P does
require a human-readable privacy policy.

So it could rather be seen as an attack against notification and more
privacy to say that P3P could hinder websites' efforts at
notification ;)

> As will be clear by now, I am not an expert on P3P. I could be
> talking nonsense. I just thought it worth sharing my thoughts in case
> someone can set me straight about P3P.

I'm the W3C staff member responsible for P3P, so I hope I gave you some
answers. If you have other questions on P3P or Web privacy, please
don't hesitate to ask. But sometimes the answer might take some time. A
better way is to subscribe to the www-p3p-policy@w3.org mailing list (I
could do that for you) and ask your questions there. This is a publicly
archived mailing list, so others will also benefit from our
conversation.

Do you mind if I send my answer to our public mailing list?

Best,

--
Rigo Wenning            W3C/ERCIM
Staff Counsel           Privacy Activity Lead
mail:rigo@w3.org        2004, Route des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

Received on Thursday, 29 September 2005 12:18:25 UTC
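As an added example (not code from the message above, nor from W3C or any P3P tool), the following Python script shows what the two elements the reply points to actually look like in a full P3P 1.0 policy and how to check them: it parses a constructed policy, extracts the <DISPUTES> entry with resolution-type="law" and its "service" URI, lists the <RECIPIENT> of every <STATEMENT> so that transfers beyond the site's own practices stand out, and compares the recipient tokens of a compact policy string against the full policy, which is the kind of mismatch a copied "make-IE-happy" CP string produces. The policy, the example.com URIs, the entity name and the applicable-law URI are placeholders constructed for this example; a real policy would point the "service" attribute at the official text of the applicable law.

```python
"""Parse a full P3P 1.0 policy and check the DISPUTES and RECIPIENT elements.

Added example; not code from the original message or from W3C.  The policy
below is constructed for this example: the example.com URIs, the entity
name and the applicable-law URI are placeholders.
"""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample policy: clickstream data stays in-house, but contact
# details go to a contractual partner with different practices.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="site" discuri="http://www.example.com/privacy.html">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Example Ltd</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <DISPUTES-GROUP>
      <DISPUTES resolution-type="law"
                service="http://www.example.com/law/directive-95-46-ec"
                short-description="EU data protection directive applies"/>
    </DISPUTES-GROUP>
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><contact/></PURPOSE>
      <RECIPIENT><ours/><other-recipient/></RECIPIENT>
      <RETENTION><business-practices/></RETENTION>
      <DATA-GROUP><DATA ref="#user.name"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""

# RECIPIENT child elements and their compact-policy tokens (P3P 1.0).
RECIPIENT_TOKENS = {
    "ours": "OUR", "delivery": "DEL", "same": "SAM",
    "other-recipient": "OTR", "unrelated": "UNR", "public": "PUB",
}
# Recipients bound to the site's own practices; anything else is a
# transfer that the human-readable notice must also explain.
IN_HOUSE = {"ours", "same", "delivery"}


def q(tag):
    """Namespace-qualify a P3P element name for ElementTree."""
    return "{%s}%s" % (P3P_NS, tag)


def parse_policy(xml_text):
    """Return the applicable-law URIs and, per STATEMENT, recipients and data refs."""
    policy = ET.fromstring(xml_text).find(q("POLICY"))
    if policy is None:
        raise ValueError("no POLICY element")
    law = [d.get("service") for d in policy.iter(q("DISPUTES"))
           if d.get("resolution-type") == "law"]
    statements = []
    for st in policy.findall(q("STATEMENT")):
        rec = st.find(q("RECIPIENT"))
        recipients = [] if rec is None else [c.tag.split("}")[1] for c in rec]
        data = [d.get("ref") for d in st.iter(q("DATA"))]
        statements.append({"recipients": recipients, "data": data})
    return {"discuri": policy.get("discuri"), "law": law, "statements": statements}


def external_transfers(parsed):
    """(data ref, recipient) pairs that leave the site's own practices."""
    return [(ref, r)
            for st in parsed["statements"]
            for r in st["recipients"] if r not in IN_HOUSE
            for ref in st["data"]]


def compact_recipient_mismatch(cp_value, parsed):
    """Compare the recipient tokens of a compact policy (the quoted value of a
    P3P: CP="..." header) with the full policy.  Returns
    (tokens only in the compact policy, tokens only in the full policy)."""
    cp_codes = set()
    for tok in cp_value.strip().strip('"').split():
        base, suffix = tok[:3], tok[3:]
        # a/i/o suffixes carry the "required" attribute (always/opt-in/opt-out)
        if base in RECIPIENT_TOKENS.values() and suffix in ("", "a", "i", "o"):
            cp_codes.add(base)
    full = {RECIPIENT_TOKENS[r] for st in parsed["statements"] for r in st["recipients"]}
    return sorted(cp_codes - full), sorted(full - cp_codes)


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    print("applicable law:", parsed["law"])
    print("transfers outside own practices:", external_transfers(parsed))
    # A typical copied "make-IE-happy" string (constructed here) declares
    # OUR only, while the full policy also names other-recipient.
    print("compact vs full:", compact_recipient_mismatch('"NOI DSP COR OUR"', parsed))
```

Run as a script it reports the law URI, the single outbound transfer (#user.name to other-recipient) and the recipient token the compact string fails to declare; the same parse can be pointed at a site's real /w3c/p3p.xml and its P3P response header to see whether the two say the same thing.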