[Openid-specs-ab] Fwd: New EU laws
hb at peercraft.com
Wed Mar 9 23:44:41 UTC 2011
Fortunately this updated directive does NOT target cookies that are
placed/read in order to provide the basic service requested by a user.
But it is causing great concern to people providing services such as
third party advertisement and analytics tracking users (or rather
devices) across the internet.
One problem is that the directive itself is (mildly stated) very unclear
and the national implementation efforts so far totally uncoordinated.
Thus it is likely that the directive will be interpreted and legally
implemented in about 30 different ways across Europe. This may imply
significant localization efforts for international content providers and
Another major problem is that a publisher (e.g. newspaper) currently
often does not know or control the individual media agencies or
advertisers who may place cookies on a user's computer while the end user
is visiting the publisher's site. According to legal people it is the
owner of the visited site who must manage the consent for all third
party cookies. This means that even if the third party service provider
gets a user's global accept for tracking the user, such a consent would
not in itself be legally adequate for the publishing site.
Also this is not convenient for a user who might have allowed e.g. an
analytics service at 1000 sites before he decides to disallow its
tracking entirely. So maybe this can end up being a good business case
for Oauth / UMA, allowing the user centralized consent management for
the sites they visit as well as for the third party services relating
to these sites. At least I will try to influence the Danish draft decree
(core part provided below in English translation, public hearing ends 1
April) in a way that makes this a viable option.
---------------- Core part of the proposed Danish decree of the
*§ 3* Natural or legal persons may not store information or gain access
to information already stored in an end user's terminal equipment, or
enable third-parties to store information or gain access to information
if the end user does not give consent after receiving adequate
information about the storage of or access to data.
Paragraph. 2. By consent, cf. 1, means any freely given specific and
informed expression of will, by which the end user agrees to the storage
of data or access to already stored information in the end user's
Paragraph. 3. Information, cf. 1, is appropriate when it as a minimum
1) appears in a clear, concise and understandable language, or
alternatively by means of pictures,
2) contains information about the purpose of storage of or access to
data in the end user's terminal equipment
3) contains information about how long the information is intended to be
stored in the end user's terminal equipment
4) contains information about the name of any natural or legal person
who stores or accesses the information
5) provides a readily available access for end users to refuse consent
or revoke consent to the storage of or access to data and clear,
precise and understandable instructions on how the end user is using
such access and
6) is readily available by a full and clear disclosure to the end user.
Moreover, information about storage or access to information on the end
user's terminal equipment through an information and content service must
be permanently, directly and easily accessible to the end user of the
information and content services.
*§ 4* Notwithstanding § 3, natural or legal persons may store
information or gain access to information already stored in an end user's
terminal equipment, if
1) the storage of or access to information has the sole purpose of
transmitting communications over an electronic communications network or
2) the storage of or access to data is required to enable the provider
of an information and content service, explicitly requested by the end
user, to deliver this service.
Paragraph. 2. Storage of or access to information in an end user's
terminal equipment is required, cf. 1, No. 2, if the storing of or
access to information is a technical requirement to provide a service
that works in accordance with the purpose of the service.
----------------------- End -------------------------------
On 09-03-2011 15:55, John Bradley wrote:
> Something to keep in mind with respect to session management.
> Without seeing the regulation it is hard to know what to make of it.
> I suppose every site in the EU might have to ask for permission to
> create a session cookie on the persons computer before letting them in.
> I can't think of any alternative other than mutual TLS to do it.
> Though now that I think about it, it could be a way to push e-id cards?
> John B.
> Begin forwarded message:
>> Websites will have to gain 'explicit consent' from visitors to store
>> or access information on their computers from 25th May.
>> A new European e-Privacy directive has been announced today and will
>> affect any business tracking users via their cookies online. Exact
>> details from the Department for Culture, Media and Sport (DCMS) are
>> currently being drawn up and will not be available until the end of
>> May, but enforcement and penalties are not expected in the short term
>> The new law is an amendment to the EU's Privacy and Electronic
>> Communications Directive and will require UK businesses and other
>> organisations to obtain consent from visitors to their websites in
>> order to store and retrieve usage information from users' computers.
>> Speaking today, the Information Commissioner Christopher Graham
>> warned UK businesses and other organisations running websites that
>> they must 'wake up' to the EU legislation.
>> He said: “While the roll out of this new law will be a challenge, it
>> will have positive benefits as it will give people more choice and
>> control over what information businesses and other organisations can
>> store on and access from consumers' own computers.
>> “We are proactively working with the government, businesses and the
>> public sector to find a workable solution. We recognise that the
>> and there are of course legitimate business reasons for using them.
>> So we are clear that these changes must not have a detrimental impact
>> on consumers nor cause an unnecessary burden on UK businesses. One
>> be given via browser settings.
>> “Once the new regulations are published there will be a major job of
>> education and guidance to be undertaken. In the meantime, both the
>> business community and public sector organisations need to start
>> thinking clearly about how they will meet the requirements of the new
>> The Information Commissioner's Office will be responsible for
>> regulation, while the Department for Culture, Media and Sport will
>> lead on the implementation on the new measures in the UK.
>> Minister for culture, communications and the creative industries, Ed
>> Vaizey, said: “Revisions to the e-Privacy directive will provide
>> consumers with more choice and control over their internet
>> experience. But at the same time we need to make sure these changes
>> do not make using the internet more difficult.
>> We recognise that work will not be complete by the implementation
>> deadline. The government is clear that it will take time for
>> meaningful solutions to be developed, evaluated and rolled out.”