[Openid-specs-ab] Fwd: New EU laws

Henrik Biering hb at peercraft.com
Wed Mar 9 23:44:41 UTC 2011

Fortunately this updated directive does NOT target cookies that are 
placed/read in order to provide the basic service requested by a user.

But it is causing great concern to people providing services such as 
third party advertisement and analytics tracking users (or rather 
devices) across the internet.

One problem is that the directive itself is (mildly stated) very unclear 
and the national implementation efforts so far totally uncoordinated. 
Thus it is likely that the directive will be interpreted and legally 
implemented in about 30 different ways across Europe. This may imply 
significant localization efforts for international content providers and 
e-commerce sites.

Another major problem is that a publisher (e.g. a newspaper) currently 
often does not know or control the individual media agencies or 
advertisers who may place cookies on a user's computer while the end user 
is visiting the publisher's site. According to legal people it is the 
owner of the visited site who must manage the consent for all third 
party cookies. This means that even if the third party service provider 
gets a user's global acceptance for tracking the user, such a consent would 
not in itself be legally adequate for the publishing site.

Also this is not convenient for a user who might have allowed e.g. an 
analytics service at 1000 sites before he decides to disallow its 
tracking entirely. So maybe this can end up being a good business case 
for OAuth / UMA, allowing the user centralized consent management for 
the sites they visit as well as for the third party services relating 
to these sites. At least I will try to influence the Danish draft decree 
(core part provided below in English translation, public hearing ends 1 
April) in a way that makes this a viable option.

---------------- Core part of the proposed Danish decree implementing the Directive ---------------
*§ 3* Natural or legal persons may not store information or gain access 
to information already stored in an end user's terminal equipment, or 
enable third parties to store information or gain access to information, 
if the end user does not give consent after receiving adequate 
information about the storage of or access to data.

Paragraph 2. Consent, cf. 1, means any freely given, specific and 
informed expression of will by which the end user agrees to the storage 
of data or access to already stored information in the end user's 
terminal equipment.

Paragraph 3. Information, cf. 1, is adequate when it as a minimum

1) appears in a clear, concise and understandable language, or 
alternatively by means of pictures,

2) contains information about the purpose of storage of or access to 
data in the end user's terminal equipment,

3) contains information about how long the information is intended to be 
stored in the end user's terminal equipment,

4) contains information about the name of any natural or legal person 
who stores or accesses the information,

5) provides readily available access for end users to refuse consent 
or revoke consent to the storage of or access to data, and clear, 
precise and understandable instructions on how the end user uses 
such access, and

6) is readily available by a full and clear disclosure to the end user. 
Moreover, information about storage of or access to information on the end 
user's terminal equipment through an information and content service must 
be permanently, directly and easily accessible to the end user of the 
information and content service.

*§ 4* Notwithstanding § 3, natural or legal persons may store 
information or gain access to information already stored in an end user's 
terminal equipment, if

1) the storage of or access to information has the sole purpose of 
transmitting communications over an electronic communications network or

2) the storage of or access to data is required to enable the provider 
of an information and content service, explicitly requested by the end 
user, to deliver this service.

Paragraph 2. Storage of or access to information in an end user's 
terminal equipment is required, cf. 1, No. 2, if the storing of or 
access to information is a technical requirement to provide a service 
that works in accordance with the purpose of the service.
----------------------- End -------------------------------


On 09-03-2011 15:55, John Bradley wrote:
> Something to keep in mind with respect to session management.
> Without seeing the regulation it is hard to know what to make of it.
> I suppose every site in the EU might have to ask for permission to 
> create a session cookie on the person's computer before letting them in.
> I can't think of any alternative other than mutual TLS to do it.
> Though now that I think about it, it could be a way to push e-id cards?
> John B.
> Begin forwarded message:
>> http://www.scmagazineuk.com/new-laws-on-cookies-will-come-into-effect-from-25th-may/article/197821/?DCMP=EMC-SCUK_Newswire
>> Websites will have to gain 'explicit consent' from visitors to store 
>> or access information on their computers from 25th May.
>> A new European e-Privacy directive has been announced today and will 
>> affect any business tracking users via their cookies online. Exact 
>> details from the Department for Culture, Media and Sport (DCMS) are 
>> currently being drawn up and will not be available until the end of 
>> May, but enforcement and penalties are not expected in the short term 
>> as businesses are given a window to 'address their use of cookies'.
>> The new law is an amendment to the EU's Privacy and Electronic 
>> Communications Directive and will require UK businesses and other 
>> organisations to obtain consent from visitors to their websites in 
>> order to store and retrieve usage information from users' computers.
>> Speaking today, the Information Commissioner Christopher Graham 
>> warned UK businesses and other organisations running websites that 
>> they must 'wake up' to the EU legislation.
>> He said: “While the roll out of this new law will be a challenge, it 
>> will have positive benefits as it will give people more choice and 
>> control over what information businesses and other organisations can 
>> store on and access from consumers' own computers.
>> “We are proactively working with the government, businesses and the 
>> public sector to find a workable solution. We recognise that the 
>> internet as we know it today depends on the widespread use of cookies 
>> and there are of course legitimate business reasons for using them. 
>> So we are clear that these changes must not have a detrimental impact 
>> on consumers nor cause an unnecessary burden on UK businesses. One 
>> option being considered is to allow consent to the use of cookies to 
>> be given via browser settings.
>> “Once the new regulations are published there will be a major job of 
>> education and guidance to be undertaken. In the meantime, both the 
>> business community and public sector organisations need to start 
>> thinking clearly about how they will meet the requirements of the new 
>> directive.”
>> The Information Commissioner's Office will be responsible for 
>> regulation, while the Department for Culture, Media and Sport will 
>> lead on the implementation of the new measures in the UK.
>> Minister for culture, communications and the creative industries, Ed 
>> Vaizey, said: “Revisions to the e-Privacy directive will provide 
>> consumers with more choice and control over their internet 
>> experience. But at the same time we need to make sure these changes 
>> do not make using the internet more difficult.
>> “Businesses need to be working to address the way they use cookies. 
>> We recognise that work will not be complete by the implementation 
>> deadline. The government is clear that it will take time for 
>> meaningful solutions to be developed, evaluated and rolled out.”