180 likes | 192 Views
This workshop discusses the legal localization of P3P as a requirement for its privacy-enhancing effects. It examines the importance of incorporating legal privacy standards for website providers and Internet surfers. The workshop also explores the methods and extensions needed for effective legal localization of P3P.
E N D
W3C Workshop on the long term Future of P3P and Enterprise Privacy Languages (Kiel, 19.-20.06.2003) Legal localization of P3P as a requirement for its privacy enhancing effect Jan MöllerIndependent Centre for Privacy Protection (ICPP) P3P Project Legal localization of P3P as a requirement for its privacy enhancing effect
P3P and legal privacy standards Provides Website Provider W3C P3P Policy Recommends Bind Reflects Defines technicalrequirements Legal privacystandards Sets minimum privacy standard P3PSpecification Informs Set Controls/ Enforces Laws orAgreements Internet Surfer Protect Legal localization of P3P as a requirement for its privacy enhancing effect
Binding effect of legal privacy standard included in the P3P Specification WebsiteProvider Internet Surfer offers P3Pby referencinga P3P Policy offering P3P= promise to apply Website provider‘s P3P offer commits himself to minimum privacy standard Minimum legal privacy standard P3P Specification includes Legal localization of P3P as a requirement for its privacy enhancing effect
What is legal localization? Legal localization of P3P = adaption of P3P privacy policy (and the described data processing!) and privacy preferences of P3P agents to the legal privacy standards the parties are bound to or protected by. Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - why? Website Provider’s perspective • Website Provider are bound to legal privacy standards. • Incorporating these standards is an obligation by law. • Showing non-compliance with the law may deter users and may attract supervising authorities. Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - why? Internet surfer’s perspective • Internet surfers are used to their local legal privacy standard. • Legally localized P3P preferences include this known standard as a reference. • The website’s data processing practices can be compared with this reference. • P3P agents can signal illegal data processing practices if user and website’s P3P Policy are configured according to the same legal privacy standard. Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - why? General reasons • Combining P3P with higher legal privacy standards spreads and rises acceptance for these standards. • Within member states of the European Union it is mandatory to legally localize P3P. If this does not happen de facto privacy standards are on risk to be lowered to the P3P minimum legal privacy standard. • A legally localized P3P can help bridging the gap between de facto and legal privacy standard by incorporating laws into the surfing process. Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - how to? Legal localization of P3P policies • Legal privacy standards can require that certain options and fields in P3P may not be used under certain circumstances or may not be used at all. • Defining which options and fields are affected for a certain website requires in-depth knowledge of the legal privacy standard applicable to the website provider. To support legal localization policy generators should use legal configuration files which disallow certain fields and options or change the wizard for the building process. Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - how to? Legal localization of P3P agents • P3P should be activated by default. • Default P3P preferences should be legally localized (e.g. European languages versions of P3P agents should have EU Directive compliant P3P preferences). • P3P agents should support an standardized preferences format with import and export capabilities (e.g. an improved APPEL format). Different formats complicate the development of legally localized P3P preferences by 3rd parties. No import function means offering many configuration options within the P3P agent or restricting the privacy protection functionality of P3P. • A central download website for legally localized preference files should be referenced visibly within the P3P agent. Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - how to? Extensions to the P3P standard • Legal localization requires the possibilities to express local laws in P3P format. • Currently some requirements of law can only be accounted for in natural language fields (e.g. information that an acceptance of data use may be canceled every time, other: see Alonso-Blas/Hogben last P3P workshop) which undermines core P3P functionality. P3P vocabulary should be extended to maintain at least the standard user rights of privacy protection laws Extended use of P3P in different fields (e.g. mobile devices) may require the extension of base data scheme (e.g. mobile IDs, device profiles/capabilities) Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - who should support it? Companies building P3P policy generators • Building P3P policies requires more than stating data processing practises in a correct syntax • Basic legal requirements could be taken into account in the building process Companies building P3P policy generators should offer configuration files or an option for legally localized policy generation Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - who should support it? Companies offering P3P agents • P3P requires both parties internet surfer and website to adopt P3P P3P should be activated by default Default preferences of the P3P agent should be legally localized preferences (e.g. European languages versions of the P3P agent with EU Directive compliant P3P preferences)Upload possibility for standardized preferences files with link to website offering legally localized preference files Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization of P3P - who should support it? Authorities supervising legal privacy standards • Assistance for website provider Give instructions how to include legal standard into P3P Provide legally localized standard policies for typical web services • Assistance for the user Offer legally localized preferences in standardized file format Give instructions for privacy friendly preferences Legal localization of P3P as a requirement for its privacy enhancing effect
Legal localization support infrastructure configuration files forlegally localized policy generation Companies offeringpolicy generators includes legal privacy standard in P3P policy P3P policy Website provider 1. legally localized standard policies for typical web services2. instructions how to include legal standard into P3P policy. 1. transparency 2. reference to judge privacy level of a website3. fulfilled legal obligations Authorities 1. legallly localized preferences files2. instructions for privacy friendly pref. 1. uses P3P2. loads legally localized pref. 3. arranges own pref. User P3P agentpreferences 1. P3P activated by default 2. legally localized default preferences3. Upload possibility with link to legally localized preferences files Companies offeringP3P agents Legal localization of P3P as a requirement for its privacy enhancing effect
The P3P projekt at the ICPP Targets Legal localization of P3P to encourage usage in accordance with European and German privacy laws Spreading knowledge on P3P and how to use it Supporting further privacy friendly development of the P3P standard and P3P applications Legal localization of P3P as a requirement for its privacy enhancing effect
The P3P project of the ICPP Offers • Legally localized P3P preferences according to European and German privacy laws • Analysis of and information on legal privacy requirements for websites • Legal checks of P3P policies with “ICPP tested“ seal for law compliant P3P policies (planned) Legal localization of P3P as a requirement for its privacy enhancing effect
The P3P project of the ICPP Offers • Information on download, installation and privacy friendly configuration of P3P agents • Privacy friendly APPEL files for download (planned) • Information on writing a privacy policy according to existing data processing practices • Adaptable standard P3P policies for typical web services for download (planned) Legal localization of P3P as a requirement for its privacy enhancing effect
More information? www.datenschutzzentrum.de/p3p/ moeller@datenschutzzentrum.de Legal localization of P3P as a requirement for its privacy enhancing effect