- From: Daniel Weitzner <djweitzner@w3.org>
- Date: Mon, 17 Dec 2001 21:12:54 -0500
- To: <www-p3p-public-comments@w3.org>
-----Original Message-----
From: Daniel Weitzner [mailto:djweitzner@w3.org]
Sent: Monday, December 17, 2001 8:59 PM
To: cathy@fsround.org
Cc: W3c-P3p-Coordination@W3. Org; P3P Outreach Group
Subject: 2nd Draft Legal status of P3P statement

RESPONSE TO BITS COMMENTS ON P3P SPECIFICATION

Dear Ms. Allen,

We thank you for the comments you and your colleagues have provided on the 24 September 2001 Working Draft of the Platform for Privacy Preferences (P3P) Specification. As you know, P3P has been under development for several years and during that time we have offered many opportunities for public comment and have addressed every concern raised through this process. We will continue this important accountability mechanism as the specification moves forward.

As most of your comments are technical in nature they have been addressed directly by the P3P Specification Working Group. As of this writing, the Specification Working Group has made a number of changes and clarifications to P3P based on your comments, so we are grateful for the time you have taken in your specific comments. The response from the Specification Working Group (the group that has actually written the P3P standard) will detail where changes were made following the BITS Comments.

The P3P Policy Outreach Working Group has considered the two main public policy-related issues raised in your 15 October 2001 letter:

1. Legal status of P3P statements
2. The degree to which P3P is able to assist in compliance with various privacy-related laws and regulations

Legal Status of P3P Statements
------------------------------

Your letter suggests that the P3P specification "state explicitly that P3P is neither a legal nor an audit standard and should not be treated as such in contracts, site monitoring, and for other legal and regulatory purposes."

P3P is a protocol and machine-readable vocabulary through which services (Web sites) and user agents (users) can communicate about the service's privacy policy. The operation of this protocol will result in users receiving and using information about a site's privacy practices. However, W3C, as a technical standards setting body, is not competent to declare what the legal status of these statements should or should not be, especially given the fact that W3C develops technical standards with global reach. That determination must be up to legal and regulatory authorities in the proper jurisdiction.

Users, however, can be expected to make decisions based on the content of P3P statements. Therefore, the proper functioning of P3P depends on organizations implementing P3P to make sure that all policies are consistent with both the practices of that organization and the human readable policy found on that Web site. For example, if for some reason a site's P3P statements contradicted the human readable privacy notice, users would not be able to know what the site's policy actually is and would be unable to make an informed choice about the privacy relationship into which they are entering.

We would also like to note that compact policies give a user agent the ability to make a first, summary assessment of a full P3P statement. As is made clear in the specification (Section 4), an individual or individual user agent would need to be able to have access to both the full P3P policy and a human readable policy in order to be able to rely on the compact policy. Therefore, consistency between the compact policy and full policy is also important.

P3P and the Global Diversity of Privacy Regulations
---------------------------------------------------

The introductory portion of your letter suggests that P3P "cannot handle the complex requirements of the European Union Directive, Gramm-Leach-Bliley, HIPPA, COPPA, or other specific laws and regulations." This statement is cause for concern as we believe that P3P must be able to express privacy practices arising out of a wide variety of data protection regimes.

With the help of data protection experts from Europe, Canada, the United States, and Asia, the P3P working groups have taken into account all of the major privacy approaches of which the WG participants are aware. As P3P implementation is beginning around the world, we have seen P3P-compliant sites and user agents that are tailored to many different jurisdictions. Thus far, no implementer has cited any case in which it is impossible to comply with relevant laws. If there are any privacy practices required by the laws you cite that cannot be expressed in P3P, we hope that you will bring them to our attention. Your letter, however, does not cite specific details of failure with respect to any particular law, so we are not able to respond with any specific action or change to the specification.

Finally, the comments from BITS point to several features not included in P3P that would be of use to the financial services community. We expect that the P3P 1.0 specification -- already being implemented and hopefully soon to be finalized -- is only the first step in the process of building greater privacy awareness into the infrastructure of the World Wide Web. Many of your comments point to the need to increase the interaction between Web technology developers at W3C and those in the banking industry as represented by BITS. We look forward to talking with you about how to be sure that the evolving P3P specifications meet the needs of all those who provide and use financial services on the Web. In order to discuss options for closer cooperation in the future, we will contact you shortly to set up a time that we might meet to talk further.

On behalf of the P3P Coordination Group:

Lorrie Cranor, P3P Specification Working Group Chair, AT&T Research
Josh Freed, P3P North American Outreach Task Force Chair, IEF
Ari Schwartz, P3P Policy Outreach Working Group Co-Chair, CDT
Daniel Weitzner, P3P Coordination Group Chair, W3C

--
Daniel J. Weitzner                              +1.617.253.8036 (MIT)
World Wide Web Consortium                       +1.202.364.4750 (DC)
Technology & Society Domain Leader              <djweitzner@w3.org>
http://www.w3.org/People/Weitzner.html
Received on Monday, 17 December 2001 21:09:10 UTC