[cooperation-wg] SMTP forwarding in the face of Data Protection Directive
Alessandro Vesely
vesely at tana.it
Thu May 19 20:35:50 CEST 2011
Hi, thank you all for your interest. I am touched and happier. I reply to comments by Patrik, Jim, and Staffan in this message.

On 18/May/11 22:25, Patrik Fältström wrote:
> Just a clarifying question...you talk about consent acquired
> regarding the fact the email address will be processed (i.e.
> personal data will be processed)?

Yes.

On 18/May/11 23:37, Jim Reid wrote:
> On 18 May 2011, at 19:56, Alessandro Vesely wrote:
>
>> How is the data subject's consent acquired?
>
> Consent for what? Joining the list? Receiving and posting messages?
> Being moderated or cross-posted to a newsgroup?

Consent for keeping the email address, any accompanying data, and any related processing, such as receiving posts, moderation, archiving, copyright, et cetera.

>> In response to the Data Protection Directive, operators should have
>> defined a protocol for obtaining and keeping proof of the consent.
>> It never happened. In fact, it is very difficult to introduce new
>> protocols for email.
>
> I think we need to be careful to avoid confusing each other. For the
> purposes of this discussion, "protocol" should mean an IETF
> specification. Let's use "process" to mean "protocol for obtaining and
> keeping proof of the consent" ie not an IETF protocol. A dictionary
> definition of protocol would include this "process" definition, but
> let's not use the same word for different things. List managers may
> need a process to show they have user consent. This might but probably
> won't need a protocol such as yet another tweak to SMTP. At least I
> hope it won't need that.

It's ok for these terms, for the sake of this discussion. In case we want to expand it, we'll have to give it a name and a specification. Further steps would be implementing it, testing, and finding how to publish it as an RFC. The process core had probably better be separate from SMTP. However, mail filters may help. For example, an SMTP extension may allow a receiving server to tell a sending Mailing List Manager (MLM) that it supports the process, in case the MLM is interested.

> With that clarification out of the way, the consent you ask about is
> probably implicit: eg your employer puts you on company mailing lists
> as a condition of employment or it's your job to join certain (public)
> lists. In other cases, the act of joining a mailing list implies
> consent. If you don't want the list to process your Personal Data
> (email address), don't join it. In other cases, consent may be
> inherited from other terms and conditions: eg your ISP or registrar
> puts you on some mailing list for management of your account or
> whatever and you agree to that as a part of doing business together.

Yes, consent is implicit, but difficult to prove. And we are talking about MLMs, the most privacy-compliant example of mail forwarding. Let me note that MLMs, by design, used to protect their subscribers much before 1995. IOW, the only change they made in response to privacy laws was the wording in their footers and/or web sites.

For newsletters and dot-forward files, the improvements brought in by the "process" are much more noticeable. For example, dot-forward files can be reworked in order to obtain an effect similar, in practice, to email address portability.

> I am not a lawyer and don't play one on TV. However I have dealt with
> Data Protection issues and had too many non-trivial discussions with a
> DPA, the UK Information Commissioner's Office. [ICANN gTLD registry
> contracts and whois, if anyone cares... The scars have nearly healed
> in case any of you are asking.] The short answer to how your SMTP
> concern plays out will depend on the view of your DPA. So ask them. Or
> ask your lawyer first and then ask the national DPA.
>
> I would be surprised if there was unanimity or even consensus amongst
> the EU DPAs on this topic, assuming they have considered this issue in
> WP29. And yes, I realise this is underpinned by a couple of EU
> Directives. But how these get enacted and enforced in national law
> differs from country to country. Then there's the question of how the
> national DPA sees its responsibilities and priorities. I would expect
> most will either not care about electronic mailing lists or take the
> pragmatic view that since list membership is under the user's control,
> that in itself provides the required consent. However I would not bet
> money on this.

Yes, you are perfectly right on this. IANAL too, and have serious difficulties following such kind of discussions. I'm a programmer and would rather implement something. For such a task, the wording on the web page is about as important as its background color. However, yes, lawyers should talk about what the process would do, and check that member states can agree uniformly. I think they did an egregious theoretical work with Directive 95/46/EC. Further directives on the same subject seem to me to be somewhat weaker (and they never mention actual IETF protocols.) Staffan also expresses some concerns on this point. I reply to him below.

> Another rat-hole to explore is what the list manager does with the
> Personal Data and if consent is needed for adding list members to
> other lists. Or lists of lists. What constitutes proportionate and
> fair usage of Personal Data then? My head is now starting to hurt...
>
> Perhaps we could invite someone from WP29 to speak about this at the
> next WG meeting?

MLMs' conceptual model is fine as it is. Software would only need minor changes, possibly none. There are still lists that have no web interface, so one could just add the "process" on top of them. Those who implement a confirmation page may want to change it. For example, the user's confirmation (the consent) could even be done by the user's server, and transmitted to the MLM thereafter.

On 19/May/11 09:10, Staffan Jonson wrote:
> Yes, agree with you. The idea is a shortcoming.

Yeah, possibly :-)

> My experience tells me that law seldom originates from (the need of)
> individual users or a protocol, but by legal tradition in the
> legislation, i.e. eventually, interpretation by 27 member state
> (MS) legislations will go before directive intentions.

Apparently, this is indeed the best we (Europeans) have been able to do. IMHO, testing if it works for the Internet era is an interesting exercise in its own respect. EDI has undergone similar issues, and more will come.

> This means -if understood correctly - that the data consent
> procedure is decided upon in each and every MS. In other words,
> rules may actually vary a bit, which from a protocol view just will
> make the situation worse.
>
> Therefore, I agree with Jim Reid on this:
> "But how these get enacted and enforced in national law differs
> from country to country." Fragmentation should be avoided.

On the opposite, if the process works correctly and proves to be useful, then it will likely be adopted beyond Europe. From my point of view, the fact that the process can save paperwork is a side effect that helps its initial diffusion. The main aim is understanding mail streams so as to dominate spam. OTOH, that paperwork is a waste of resources and, personally, I won't do it anyway. I wonder for how long the people who do it will want to continue doing so...

> When interpreting this directive into Swedish law, lawyers
> currently discuss the criteria for what make an 'active consent'
> just active. Can the automation of consents by protocols be a way
> to meet legislators' demands on active consent? In the end, it's an
> interpretation if automation is enough, and we'll probably have a
> ruling in this by national court, eventually.

Yes, that is not much different from companies deciding to use a given software tool, but on a national scale. From a governmental point of view, I think they should also wonder how long citizens will want to obey laws that require obsolete manual procedures. Lawyers should understand the difference between processes that work in practice versus paperwork that can be considered "theoretical" inasmuch as those papers are seldom read. Given an opportunity to ease and enhance citizens' work, they should take it --but who knows?