Re: P3P and Truste Organisation

Dear M. Kausch, 

The Platform for Privacy Preferences Project (P3P) enables Web sites to
express their privacy practices in a standard format that can be
retrieved automatically and interpreted easily by user agents. P3P user
agents will allow users to be informed of site practices (in both
machine- and human-readable formats) and to automate decision-making
based on these practices when appropriate. Thus users need not read the
privacy policies at every site they visit.

But P3P does not contain any enforcement mechanism. It can't make sure
that the declaration of the site corresponds to its current practice.

One possibility to remedy this situation is labels. Labels like
Trust-e have a certain policy and control the site using their label. If
they don't follow the label's practice anymore, the label is withdrawn
from the site. In that way, labels have a role comparable to the role of
data commissioners.

In the EU, data commissioners have already started to think about
providing labels. The first label[1] was created by the Independent Centre
for Privacy Protection Schleswig-Holstein[2]. 

The assurance delivered with the privacy policy in the EU can also be
expressed with the <Disputes> element. As there are laws on data
protection in the EU, there is another level of assurance that can be
expressed with P3P. Here is an example I just made up
for a T-mobil site that would be located in Itzehoe in
Schleswig-Holstein:
<Disputes-Group>
	<Disputes
		resolution-type="service"
		service="http://www.t-mobile.de/kundenservice">
	</Disputes>
	<Disputes
		resolution-type="independent"
		service="http://www.datenschutzzentrum.de/">
	</Disputes>
	<Disputes
		resolution-type="law"
		service="http://www.rewi.hu-berlin.de/Datenschutz/DSB/SH/material/recht/bdsg2001/bdsg2001.htm">
	</Disputes>
	<Disputes
		resolution-type="court"
		service="http://www.lg-itzehoe.de/">
	</Disputes>
</Disputes-Group>

This example means that an end user who had a complaint about your
site's data protection practice could turn first to your customer service,
then to the competent data commissioner and finally to the court. The
court will apply the law that is binding for that service.

Now, on the user's side, my preferences could say: Trust only sites with the
Trust-e label. But it could also say: Trust only sites that have law as
their resolution-type...

If you have further questions, don't hesitate to contact me (also in
German).


  1. http://www.rewi.hu-berlin.de/Datenschutz/DSB/SH/g-siegel/index.htm
  2. http://www.datenschutzzentrum.de/

Best, 
-- 
Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

On Wed, Jan 30, 2002 at 10:00:17AM +0000, Ulrich.Kauschke@t-mobil.de wrote:
> Hello
> 
> reading your recent announcement about P3P I wonder what the
> relationship to non-profit privacy protecting organisations like
> TRUSTe is like.
> 
> Does TRUSTe make use of P3P? Is there improvement in P3P compared to
> current solutions like TRUSTe?
> 
> Kind regards
> Ulrich
> ulrich.kauschke@t-mobil.de
> 

Received on Wednesday, 30 January 2002 10:36:54 UTC
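
An added example, not part of the original message or of any W3C code: a sketch of how a user agent could apply the preference "trust only sites that have law as their resolution-type" to the dispute group shown in the message. The function names and the fail-closed behaviour are assumptions made for illustration; the sample policy is constructed from the message's made-up example.

```python
import xml.etree.ElementTree as ET

# Resolution types used in the message's example.
KNOWN_TYPES = {"service", "independent", "court", "law"}

# Constructed sample: the message's made-up dispute group, well-formed.
SAMPLE = """<Disputes-Group>
  <Disputes resolution-type="service" service="http://www.t-mobile.de/kundenservice"/>
  <Disputes resolution-type="independent" service="http://www.datenschutzzentrum.de/"/>
  <Disputes resolution-type="law" service="http://www.rewi.hu-berlin.de/Datenschutz/DSB/SH/material/recht/bdsg2001/bdsg2001.htm"/>
  <Disputes resolution-type="court" service="http://www.lg-itzehoe.de/"/>
</Disputes-Group>"""


def local_name(tag):
    """Drop any '{namespace}' prefix and fold case, so <Disputes> and <DISPUTES> match."""
    return tag.rsplit("}", 1)[-1].lower()


def dispute_channels(policy_xml):
    """Return {resolution-type: service URL} declared by a policy fragment."""
    # The policy comes from the site being judged, so treat it as untrusted:
    # refuse DTDs (entity expansion) before handing it to the parser.
    if "<!DOCTYPE" in policy_xml or "<!ENTITY" in policy_xml:
        raise ValueError("DTD not allowed in policy")
    root = ET.fromstring(policy_xml)  # raises ParseError if not well-formed
    channels = {}
    for el in root.iter():
        if local_name(el.tag) != "disputes":
            continue
        rtype = el.get("resolution-type")
        # A misspelled attribute or unknown value is ignored, never guessed at.
        if rtype in KNOWN_TYPES and el.get("service"):
            channels[rtype] = el.get("service")
    return channels


def acceptable(policy_xml, required_types):
    """Fail closed: a policy that cannot be parsed satisfies no preference."""
    try:
        declared = dispute_channels(policy_xml)
    except (ET.ParseError, ValueError):
        return False
    return set(required_types) <= set(declared)
```

The check evaluates only what the site declares; as the message notes, P3P itself does not verify that the declaration matches practice.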