Re: P3P and the privacy legislation in Germany:

Dear Joseph,
sorry for this late reply, I was out of office for several weeks
until yesterday.
Regards, Rüdiger

"Joseph M. Reagle Jr." wrote:

> ...
> o P3P doesn't provide the authentication of the policy or the electronic
> consent.
> The appropriate English translated text of TDDSG states, "(7) Consent can
> also be declared electronically if the provider ensures that such consent
> can be given only through an unambiguous and deliberate act by the user,
> consent cannot be modified without detection, the creator can be identified"
> [1]. As the definition of personal data continues to be problematic (or
> inconsistent across domains), would not some data that is
> personal-though-not-identifiable then be required to be associated with an
> identity? (What is the definition of personal data used?) Also, is there an
> English text of the MDStV [2] as I assume that includes the authentication
> requirements?

The point is not to associate PERSONAL DATA with an electronic
signature (in order to make them authentic): there is no requirement
to sign personal data.
Our point is to associate a user CONSENT or a server POLICY
with an electronic signature in order to make it authentic. If the consent
is to be signed by a person who wants to remain unidentified, the
person would use a persona signature (a "pseudonym" as the related
acts on data protection and signature call it).

> - this bullet could use better pointers to the (present) TDDSG and
> (absent) MDStv references.

Right, our pointer is to the German version of the Telecommunication
Protection Act. Sorry for this. Here is the English translation:

http://www.iid.de/contents.html
http://www.iid.de/rahmen/iukdgebt.pdf

The MDStV is similar to the Telecommunication Act as far as
data protection is concerned. It contains no further definition

> o How is the "description material for an automatic interpretation ...
> insufficient"?

Just two examples: the purpose element should contain "billing" and
"delivery of hard goods" in order to satisfy two other important
application areas. However, the problem of automatic interpretation
will remain, until experience has identified those purposes which
cover most real cases.


> o Can you cite text that requires the category to be associated with
> purpose? Would this not make the matrix of possible categories/purposes when
> enumerated overwhelming? The purpose of the P3P vocabulary design is to be
> as expressive as possible while limiting the variables and their range [3].

Does this question refer to our critique that recipients of data should be
associated with the PURPOSE of data processing, and not with the
type of privacy practice of the recipient?
If so: the German act does require this association because there should
never be an indirection with the reason for data processing (or storage)
of this type:
"we have stored your personal data because our privacy statement is
similar to the privacy statement of another organisation which has stored
the data with your explicit consent": this would open an endless route of
data transfer out of control of the user.

> o Your email addresses and the URL of the paper would be a useful thing to
> include in the PDF file.

Will be added.

> o The URL in the [IuK_97] reference is incorrect as there is a trailing
> slash after the *.html .

Thank you, we will correct this.

> [1] http://www.iid.de/rahmen/iukdgebt.html#a2
> [2] http://www.iid.de/contents.html
> [3] http://www.w3.org/People/Reagle/papers/tprc97/tprc-f2m3.html

Last but not least: the title of our article has an amusing typo
("woldwide"). Will be also corrected.

>
>
> At 12:12 2000-06-30 -0400, Y wrote:
>  >An interesting new paper that explores P3P in the context
>  >of European privacy legislation...
>  >
>  >P3P and the privacy legislation in Germany: can P3P help to protect privacy
>  >worldwide?
>  >by Rüdiger Grimm and Alexander Rossnagel
>  >http://sit.gmd.de/~grimm/texte/P3P-Germany-e.pdf
>
> _______________________
> Regards,          http://www.mit.edu/~reagle/
> Joseph Reagle     E0 D5 B2 05 B6 12 DA 65  BE 4D E3 C1 6A 66 25 4E
> MIT LCS Research Engineer at the World Wide Web Consortium.
>
> * This email is from an independent academic account and is
> not necessarily representative of my affiliations.

Received on Tuesday, 8 August 2000 12:42:28 UTC