Re: P3P Question

On Wed, May 10, 2000 at 06:27:51PM -0800, Jim wrote:
> 
> May 10, 2000 Subject: P3P Questions
> 
> Dear Sirs,
> 
> 
> What happens when the net site owner changes their mind and
> sells the data?
>
Let me first say that P3P is designed to be a tool that has the
ability to work in a global environment. It is basically a
language to talk about privacy in a machine-readable format. It
is no Privacy-Regulation in itself. So P3P has influence on the
framework in which it is used, but the answer to your question
depends largely on the regulatory or self-regulatory framework
in which P3P is used.

So it depends on the context of the site owner. It depends
largely on the legal environment he is in. In the US, it depends on
whether the site owner is adhering to a self-regulation body. If
this is the case, it depends on the reaction of the
self-regulation body. When data is collected, a service using
P3P has to declare a purpose, which is then attached to the data.
This purpose may be very wide. If the purpose is changed by the
site owner without permission, he violates his own policy.

For this case, P3P can express the type of remedy which is
offered by the site and / or the self-regulation body. It is also
not excluded that a site owner in the US who announces a policy
and then decides not to follow his own policy commits fraud or
deception under the framework of the FTC.

In Europe, the framework is different. Here the usage of the data
is limited to the purpose for which the data was collected. If a
site owner does not respect that, he could be sued for damages,
if he doesn't benefit from the high number of legal exceptions,
which allow processing of data without the user's consent.  
> 
> What is the penalty clause for failure to comply?

This question cannot be answered by P3P itself, because it
depends on the self-regulation mechanism the site owner adheres
to. As stated, the penalty clause can be expressed in P3P. A
possible answer depends also on the legal context. We expect
generally that arbitration in the framework of a regulatory or
self-regulatory scheme will play an increased role to respond
to the variety of legal frameworks in this world. A penalty
clause can be expressed in P3P, but P3P itself does not force
services to offer such penalty clauses.
> 
> How is the owner compensated for the commercial use of his data?

Neither is P3P in itself a compensation mechanism, nor is P3P
a regulation in itself. The compensation, if there is any, depends
both on the context of the site owner and of the individual whose
personal data is collected and processed, that is to say the
self-regulatory or regulatory environment.
>
> Re: cookies.. they need to be readable in
> plain English to me.
> Frankly, I have shut 'um all off.

Here, you address the issue of collecting data via cookies. Not
all cookies are evil per se. In the PHP-Lib, which is a
widespread tool to create web-logins, cookies are used for
authentication without grabbing personal data. But you're right,
the design of cookies is normally not visible directly. P3P
offers a tool for sites to make the use of cookies more
transparent. To be compliant with P3P, a service would have to
declare what data is collected with the cookie and what the
intended use of that collected data is. This doesn't directly
meet your request to read cookies in plain English. But it
also enables other people, who might not even be native English
speakers, to determine the purpose of that cookie.

> 
> If someone wants my data they must pay for
> it in advance. Otherwise, it is my
> personal intellectual property they are
> stealing for their commercial use.

Here you take the approach of personal data as a property, which
is very popular in the US actually, while the OECD-Guidelines or
the European Data Protection Directive have a different
viewpoint, which is more inspired by the conception of privacy as
a human right. The conception of a human right is different, but
does not necessarily offer more protection than the
property-approach. But the property-approach has some flaws with
regard to the concerned individual, who has given away his data.
Did he lose the right to use this data, because he has given it
to somebody? P3P takes no position in this debate. With P3P, both
concepts can be expressed and P3P-tools are very useful in both
frameworks. That's why P3P can work globally.

Best, 


Rigo Wenning                      P3P Staff contact
Policy Analyst                    INRIA/France
Technology and Society            2004, Route des Lucioles
World Wide Web Consortium         F-06902 Sophia-Antipolis
Tel: +33 (0)4 92 38 75 74         Fax: +33 (0)4 92 38 78 22
Mail: rigo@w3.org                 http://www.w3.org/

Received on Monday, 29 May 2000 04:29:24 UTC