Align the definition of privacy to laws #31

Open
jwrosewell opened this issue Jun 29, 2022 · 10 comments

@jwrosewell

The charter needs to define privacy in relation to laws as discussed in part on issue #52.

PR #23 did not address the issue and leaves the charter open to wide interpretation and abuse.

At least @timcowen agrees.

‘“Privacy” needs to be defined. If not defined with relation to a Privacy Law or laws there is a risk of inconsistency with that law or laws.’ - patcg/meetings#52 (comment)

This issue relates to FRAND #30 but is not the same.

@AramZS
Contributor

AramZS commented Jun 29, 2022

We have discussed the definition of privacy at length on #6 and at #23 and on the call and in patcg/meetings#52.

I have previously stated: we have global membership; one state or country's laws may be in conflict with another. As such we require a degree of interpretation and should consider these laws the floor for our practice, not a limit.

The time to define privacy as it relates to this charter has come, been extensively discussed, gone through a consensus process, and gone. While we can discuss this question further, I will not consider it to be a blocker to submitting the charter.

@npdoty

npdoty commented Jun 29, 2022

I believe this was already discussed and resolved (between March and May): #6

A very brief summary of why citing a particular privacy law for a privacy definition is not a promising way forward: users may have privacy interests beyond what any particular regulation puts forward; the Web is worldwide and no particular law applies to all jurisdictions; the laws suggested (e.g. GDPR) do not define privacy or attempt to define privacy; in some countries privacy is primarily protected not through specific legislation; privacy-by-design principles included in some laws expect and encourage development of privacy technology beyond the legislative text; privacy is a complex and contested concept and we won't be able to determine ahead of time what privacy means in every context.

@timcowen

W3C does have a global membership: it is also true that its standards are inapplicable worldwide as they are affected by certain countries' state-mandated firewalls and controls that override them - so references to laws in those countries or definitions from laws in countries where W3C standards are not routinely applied would likely be less than useful for engineering purposes. Rather than dismissing the prospect of a definition of privacy with reference to a neutral law of another place which can be impartially and externally defined, which might be used as a reference system that can also be adjudicated, what would engineering needs demand from the word "privacy" to make progress? The reference to GDPR is a neutral law that applies to world commerce and is applicable to over 500 million people living in countries to which it applies and countries such as the UK and USA who trade with the EU. Most if not all W3C members' businesses will have to comply with it, won't they? (Please can you identify one that does not and why?) It would objectively appear to be a reasonable starting point for a definition that can be used for engineering for W3C members and the world that uses W3C standards, wouldn't it?

To your point about "privacy" being defined nowhere. I agree. But that is then a problem when coming to work on internet standards and having a discussion about it for engineering purposes, isn't it?

GDPR defines personal data and processing of personal data and is reasonably clearly set out - and it can be assessed, measured, adjudicated and applied. To avoid confusion between data protection and privacy, does that mean that you are proposing the working group is to consider issues that are then unrelated to GDPR?

If so, compliance could better be assured by making that clear in the charter. So the charter would be amended to ensure that all discussions relate to matters that are unrelated to the processing of personal data as defined in GDPR. That would exclude from the charter's scope matters that could be addressed in GDPR. Would that be an improvement?

By your own admission this is not a matter that is addressed or dealt with if privacy is defined nowhere; it is an open issue and referring back to previous debates can't resolve the issue for the scope of the work to be done here, can they?

@AramZS
Contributor

AramZS commented Jun 29, 2022

Without getting to the rest of your comment @timcowen I wanted to address this specifically:

> by your own admission this is not a matter that is addressed or dealt with if privacy is defined nowhere; it is an open issue and referring back to previous debates can't resolve the issue for the scope of the work to be done here can they?

We have resolved the scope and can resolve the scope for work to be done. As I have noted, privacy is not defined nowhere. It is specifically defined in the charter's scope at https://github.com/patcg/patwg-charter/blob/main/charter.html#L155

I am unclear from your comments... is your position that the scope as described exceeds GDPR or that it does not cover the scale of privacy that GDPR would require?

@npdoty

npdoty commented Jun 29, 2022

I'm not really sure how to understand your questions here, Tim. But to do my best to reply briefly:

Yes, I think W3C's standards really are in use every day by software running worldwide, including in countries that employ technical or legal restrictions in some cases. Many W3C member companies have to comply with the GDPR (even non-profits such as my employer) and many companies that make use of W3C standards (to operate web sites or services, say) also comply with the GDPR. But users of the Web have privacy interests, even if they're not located in the EU, even if they're using a service that isn't complying with the GDPR, and their privacy interests may extend beyond legal compliance with the GDPR even when they live in the EU. I live in the US and there are some laws and regulations that help to protect my privacy but I'm also very interested in using software that can better protect my privacy than what is legally mandated, here or anywhere else.

I believe this issue was already opened, addressed and closed in #6, and I'm fine with that resolution.

To the proposal of scoping directly to GDPR data protection compliance, I don't think that's a promising idea, for the list of reasons I included earlier (and the reasons I gave when the issue was discussed previously). To the proposal of scoping the WG charter to exclude anything related to personal data processing or the GDPR, that doesn't seem like a promising idea either, as there seems to be interest in working on standards that involve advertising and privacy, including the specific examples in the draft charter text regarding cross-context and same-context recognition, that may be relevant to personal data processing and the GDPR.

If you're interested in a group that just discusses technology for GDPR compliance, or some group that exclusively discusses privacy that isn't related to GDPR in any way (this latter one is curious, but possible), W3C has mechanisms to propose additional Community Groups. I personally would certainly take a look at either of those.

I understand life and some of our work would be simpler if privacy were not a complex topic, but fortunately or unfortunately we work in this interesting field.

@martinthomson
Contributor

@AramZS:

> privacy is not defined nowhere. It is specifically defined in the charter's scope

I want to push back on this a little. #6 didn't resolve with a definition. As @npdoty says, privacy is more complex than that.

What the resolution to #6 does is what we often do in charters: sets some bounds on what we are doing. That resolution is what I see as being equivalent to guard rails: something which we can easily identify as being unacceptable. Ideally, there is some distance between that and what we eventually produce. But the exact parameters of that are open for discussion.

What "privacy" means here is - at least to the extent to which it applies to what we are doing - open to discussion. It is entirely possible that we never completely agree, but we produce a specification that we can all get behind anyway. That might be because it is flexible enough to allow for some variation in how it is interpreted or implemented. It might just be that it only captures the stuff we can achieve consensus on and so it is limited in applicability or scope.

Asking that we have a precise definition for something that is so complex and subjective might make sense in a legal context (I'm not sure that it does). Here, we don't need that level of definition, especially as a constraint on the work we undertake. That is because our work is to build something out of the intersection of the competing definitions, concepts, and ideas that we each have. Not just about privacy, but security, accessibility, openness, fairness, and all the other things we each might value.

@timcowen

timcowen commented Jun 30, 2022 via email

@martinthomson
Contributor

@timcowen, the definition was a little longer than that. Quoting the full text that was agreed to:

> Here "privacy" minimally refers to appropriate processing of personal information. Ways in which new features might enable inappropriate processing include (but are not limited to) enabling of cross-site or cross context recognition of users or enabling same-site or same-context recognition of users across the clearing of state.

Emphasis mine.

Omitting the last sentence here loses what I believe to be an important limitation of scope. My understanding is that this piece enjoys consensus support.

@timcowen

timcowen commented Jun 30, 2022 via email

@martinthomson
Contributor

@timcowen, I understand the desire to be precise here, but I don't think that we need to be too careful here. Any decision we make about whether something is in-charter or out is going to be made on the basis of consensus.

If you want to equate "personal information" to the GDPR "personal data" (i.e., data about a person), that is entirely reasonable; that's approximately what I do. We each come to this work with a different understanding of the constraints on the problem and that is part of what makes the process valuable. A little ambiguity on the edges is fine. That gives us a tiny bit of flexibility to discuss things within that ambiguity.

My experience with charters is that while there is sometimes an issue that leads to a lengthy discussion over the meaning of words and the intent of those who drafted and agreed to the text, those are rare. More often, the text in a charter is pointed to and that curtails discussion on a topic because there is no disagreement that the topic is out of scope.

Those cases where disagreements over scope occur are rough, I can't pretend otherwise. I will observe that this is frequently because our understanding of the problem space evolves and the assumptions made at chartering time are no longer a good fit for everyone. Often the group has not yet developed a solid understanding of the subject matter and that can mean that the charter is not always perfect. However, we cannot insist on perfection or we'd never get anything done. No doubt, over time, we'll come to understand our scope better and we might be able to refine the charter using what we learn. Those disagreements might be difficult if they arise, but if they are, that might be for a good reason.
