WP29 Welcomes DoNotTrack, But Says Consent Still Required If DNT Unset.

The Article 29 Data Protection Working Party (WP29), an independent advisory body set up in 1995 under the auspices of the EU Data Protection Directive and composed of representatives of all European Data Protection supervisory authorities, has sent a public comment to the W3C about the Tracking Preference Expression (TPE), the technical document describing the DNT signal and associated protocols.

The TPE draft reflects consensus within the W3C working group responsible for the standard and has entered the Last Call stage, when it is available for public review and comment, on 24th April 2014.

The WP29 stated its belief that an effective DNT standard that is implemented well can empower citizens and businesses, and has potential to act as a granular consent mechanism in line with Recital 66[2] and Article 5(3)[1] of the Data Privacy Directive (Directive 2009/136/EC amending 2002/22/EC), but cautions that, without addressing certain issues, there is a real risk the it could simply become a placebo letting sections of industry off the hook, and not evolve into a “valid and robust” solution.

It identifies 6 issues that stakeholders should take into account before the standard is finally published

1. Compliance with the standard does not necessarily mean compliance with other regulations. A statement pointing this out should be added to the standard.

2. Automatic expiration of the DNT consent signal. The TPE does not at this time have a mechanism to ensure automatic expiration of the consent (aka DNT:0 ) signal. It is important that once consent has been obtained it cannot be relied upon in perpetuity and so there should be a mechanism where it lapses after a period so that the user will be asked again. This has already been suggested to the group and is currently postponed to a possible follow up standard (DNT2.0), but may perhaps now be revisited.

3. The meaning of the DNT consent signal. The WP29 points out that if the DNT signal is absent, i.e. is unset, then a server must assume that a user is not aware of tracking and therefore must ask for consent before doing so. Here they are pointing out that, unless there is another legal basis for processing, a server complying with EU law will need to ask for prior consent before tracking. They agree that a DNT header value set to “0” can act as a consent signal but that it can only apply to tracking activity that has been previously clearly explained to the user. They recommend that site-specific consent should also be configurable within the browser. implying that there needs to be a mechanism whereby the server's tracking purpose explanation can be delivered to it.

4. The Working group calls for more rigor in the definition of de-identified data. Simply removing UIDs does not of make data anonymous because individuals can still be identified by a combination of non-specific data points. They refer the TPWG members to extensive guidance on anonymisation techniques.

5. The WP29 does not approve of some of the responses a server can make to a DNT header. These responses, “D” which says that the server is disregarding the signal or “P” meaning the server cannot gauge in real time that the user has given “out-of-band” consent to tracking, would have no legal standing in Europe.

6. There should be consideration given to users with special needs, and WP29 suggests text on this for the “User Interface guidelines” section.

This is a significant statement from a highly influential body in EU Data Protection and an important step towards a universally accepted standard for giving people control over tracking.

[1] Article 5(3): “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

[2] Recital 66: “Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”