Title: W3C Workshop on the long term Future of P3P
1 W3C Workshop on the long term Future of P3P and Enterprise Privacy Languages (Kiel, 19.-20.06.2003)
- Legal localization of P3P as a requirement for its privacy enhancing effect
- Jan Möller, Independent Centre for Privacy Protection (ICPP) - P3P Project
2 P3P and legal privacy standards
[Diagram. Nodes: W3C, P3P Specification, Website Provider, P3P Policy, Internet Surfer, Legal privacy standards, Laws or Agreements. Relationship labels: Recommends, Defines technical requirements, Sets minimum privacy standard, Provides, Informs, Reflects, Bind, Protect, Set, Controls/Enforces.]
3 Binding effect of legal privacy standard included in the P3P Specification
[Diagram between Website Provider and Internet Surfer:]
- The website provider offers P3P by referencing a P3P Policy.
- Offering P3P = promise to apply.
- By offering P3P, the website provider commits himself to the minimum privacy standard.
- The P3P Specification includes the minimum legal privacy standard.
4 What is legal localization?
- Legal localization of P3P
  - Adaptation of the P3P privacy policy (and the described data processing!) and of the privacy preferences of P3P agents to the legal privacy standards the parties are bound to or protected by.
5 Legal localization of P3P - why?
- Website provider's perspective
  - Website providers are bound to legal privacy standards.
  - Incorporating these standards is an obligation by law.
  - Showing non-compliance with the law may deter users and may attract supervising authorities.
6 Legal localization of P3P - why?
- Internet surfer's perspective
  - Internet surfers are used to their local legal privacy standard.
  - Legally localized P3P preferences include this known standard as a reference.
  - The website's data processing practices can be compared with this reference.
  - P3P agents can signal illegal data processing practices if the user's preferences and the website's P3P Policy are configured according to the same legal privacy standard.
7 Legal localization of P3P - why?
- General reasons
  - Combining P3P with higher legal privacy standards spreads these standards and raises their acceptance.
  - Within member states of the European Union it is mandatory to legally localize P3P. If this does not happen, de facto privacy standards are at risk of being lowered to the P3P minimum legal privacy standard.
  - A legally localized P3P can help bridge the gap between de facto and legal privacy standards by incorporating laws into the surfing process.
8 Legal localization of P3P - how to?
- Legal localization of P3P policies
  - Legal privacy standards can require that certain options and fields in P3P may not be used under certain circumstances or may not be used at all.
  - Defining which options and fields are affected for a certain website requires in-depth knowledge of the legal privacy standard applicable to the website provider.
  - To support legal localization, policy generators should use legal configuration files which disallow certain fields and options or change the wizard for the building process.
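Added example, not part of the original slides and not ICPP or W3C code: a Python check that applies a legal configuration file to a P3P policy, reporting the options the configuration disallows or restricts. The rule set (LEGAL_CONFIG) and the sample policy are constructed for illustration and do not state the requirements of any law; the element names and the default of the "required" attribute are taken from the P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed legal configuration (hypothetical, not a statement of any law).
# "forbidden": vocabulary values that must not appear in a policy at all.
# "consent_only": values allowed only when marked required="opt-in".
LEGAL_CONFIG = {
    "RETENTION": {"forbidden": {"indefinitely"}},
    "RECIPIENT": {"forbidden": {"unrelated", "public"}},
    "PURPOSE": {"consent_only": {"telemarketing", "contact"}},
}

# Constructed sample policy fragment using P3P 1.0 element names.
SAMPLE_POLICY = f"""
<POLICY xmlns="{P3P_NS}" name="shop">
  <STATEMENT>
    <PURPOSE><current/><telemarketing required="opt-out"/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact required="opt-in"/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
  </STATEMENT>
</POLICY>
"""

def check_policy(policy_xml, config=LEGAL_CONFIG):
    """Return (statement_no, category, value, reason) for each rule violated."""
    root = ET.fromstring(policy_xml)
    findings = []
    for no, stmt in enumerate(root.iter(f"{{{P3P_NS}}}STATEMENT"), start=1):
        for category, rules in config.items():
            for group in stmt.findall(f"{{{P3P_NS}}}{category}"):
                for value in group:
                    name = value.tag.split("}", 1)[-1]  # strip the namespace
                    if name in rules.get("forbidden", ()):
                        findings.append((no, category, name, "forbidden"))
                    elif (name in rules.get("consent_only", ())
                          and value.get("required", "always") != "opt-in"):
                        findings.append((no, category, name, "needs opt-in"))
    return findings

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
```

The same rule set could be used by a policy generator to hide the affected options in its wizard, or by a P3P agent to flag a policy that conflicts with the user's legal standard.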
9 Legal localization of P3P - how to?
- Legal localization of P3P agents
  - P3P should be activated by default.
  - Default P3P preferences should be legally localized (e.g. European language versions of P3P agents should have EU Directive compliant P3P preferences).
  - P3P agents should support a standardized preferences format with import and export capabilities (e.g. an improved APPEL format). Different formats complicate the development of legally localized P3P preferences by 3rd parties. No import function means offering many configuration options within the P3P agent or restricting the privacy protection functionality of P3P.
  - A central download website for legally localized preference files should be referenced visibly within the P3P agent.
10 Legal localization of P3P - how to?
- Extensions to the P3P standard
  - Legal localization requires the possibility to express local laws in P3P format.
  - Currently some requirements of law can only be accounted for in natural language fields (e.g. information that an acceptance of data use may be cancelled at any time; for others see Alonso-Blas/Hogben, last P3P workshop), which undermines core P3P functionality.
  - The P3P vocabulary should be extended to cover at least the standard user rights of privacy protection laws.
  - Extended use of P3P in different fields (e.g. mobile devices) may require an extension of the base data schema (e.g. mobile IDs, device profiles/capabilities).
11 Legal localization of P3P - who should support it?
- Companies building P3P policy generators
  - Building P3P policies requires more than stating data processing practices in a correct syntax.
  - Basic legal requirements could be taken into account in the building process.
  - Companies building P3P policy generators should offer configuration files or an option for legally localized policy generation.
12 Legal localization of P3P - who should support it?
- Companies offering P3P agents
  - P3P requires both parties, internet surfer and website, to adopt P3P.
  - P3P should be activated by default.
  - Default preferences of the P3P agent should be legally localized preferences (e.g. European language versions of the P3P agent with EU Directive compliant P3P preferences).
  - Upload possibility for standardized preferences files, with a link to a website offering legally localized preference files.
13 Legal localization of P3P - who should support it?
- Authorities supervising legal privacy standards
  - Assistance for the website provider
    - Give instructions on how to include the legal standard in P3P.
    - Provide legally localized standard policies for typical web services.
  - Assistance for the user
    - Offer legally localized preferences in a standardized file format.
    - Give instructions for privacy friendly preferences.
14 Legal localization support infrastructure
[Diagram. Actors and their labels:]
- Companies offering policy generators: configuration files for legally localized policy generation
- Website provider: includes legal privacy standard in P3P policy
- P3P policy: 1. transparency 2. reference to judge privacy level of a website 3. fulfilled legal obligations
- Authorities (for the website provider): 1. legally localized standard policies for typical web services 2. instructions how to include legal standard into P3P policy
- Authorities (for the user): 1. legally localized preferences files 2. instructions for privacy friendly preferences
- User: 1. uses P3P 2. loads legally localized preferences 3. arranges own preferences (P3P agent preferences)
- Companies offering P3P agents: 1. P3P activated by default 2. legally localized default preferences 3. upload possibility with link to legally localized preferences files
15 The P3P project at the ICPP
Targets
- Legal localization of P3P to encourage usage in accordance with European and German privacy laws
- Spreading knowledge on P3P and how to use it
- Supporting further privacy friendly development of the P3P standard and P3P applications
16 The P3P project of the ICPP
Offers
- Legally localized P3P preferences according to European and German privacy laws
- Analysis of and information on legal privacy requirements for websites
- Legal checks of P3P policies with "ICPP tested" seal for law compliant P3P policies (planned)
17 The P3P project of the ICPP
Offers
- Information on download, installation and privacy friendly configuration of P3P agents
- Privacy friendly APPEL files for download (planned)
- Information on writing a privacy policy according to existing data processing practices
- Adaptable standard P3P policies for typical web services for download (planned)
18 More information?
www.datenschutzzentrum.de/p3p/
moeller_at_datenschutzzentrum.de