[cooperation-wg] SMTP forwarding in the face of Data Protection Directive

Hi,
thank you all for your interest.  I am touched and happier.

I reply to comments by Patrik, Jim, and Staffen in this message.


On 18/May/11 22:25, Patrik Fältström wrote:
> Just a clarifying question...you talk about consent acquired
> regarding the fact the email address will be processed (i.e.
> personal data will be processed)?

Yes.


On 18/May/11 23:37, Jim Reid wrote:
> On 18 May 2011, at 19:56, Alessandro Vesely wrote:
> 
>> How is the data subject's consent acquired?
> 
> Consent for what? Joining the list? Receiving and posting messages?
> Being moderated or cross-posted to a newsgroup?

Consent for keeping the email address, any accompanying data, and any
related processing, such as receiving posts, moderation, archiving,
copyright, et cetera.

>> In response to the Data Protection Directive, operators should have
>> defined a protocol for obtaining and keeping proof of the consent. 
>> It never happened.  In facts, it is very difficult to introduce new
>> protocols for email.
> 
> I think we need to be careful to avoid confusing each other. For the
> purposes of this discussion, "protocol" should mean an IETF
> specification. Let's use "process" to mean "protocol for obtaining and
> keeping proof of the consent" ie not an IETF protocol. A dictionary
> definition of protocol would include this "process" definition, but
> let's not use the same word for different things. List managers may
> need a process to show they have user consent. This might but probably
> won't need a protocol such as yet another tweak to SMTP. At least I
> hope it won't need that.

It's ok for these terms, for the sake of this discussion.  In case we
want to expand it, we'll have to give it a name and a specification.
Further steps would be implementing it, testing, and find how to
publish it as an RFC.

The process core had probably better be separate from SMTP.  However,
mail filters may help.  For example, an SMTP extension may allow a
receiving server to tell to a sending Mailing List Manager (MLM) that
it supports the process, in case the MLM is interested.

> With that clarification out of the way, the consent you ask about is
> probably implicit: eg your employer puts you on company mailing lists
> as a condition of employment or it's your job to join certain (public)
> lists. In other cases, the act of joining a mailing list implies
> consent. If you don't want the list to process your Personal Data
> (email address), don't join it. In other cases, consent may be
> inherited from other terms and conditions: eg your ISP or registrar
> puts you on some mailing list for management of your account or
> whatever and you agree to that as a part of doing business together.

Yes, consent is implicit, but difficult to prove.  And we are talking
about MLMs, the most privacy-compliant example of mail forwarding.
Let me note that MLMs, by design, used to protect their subscribers
much before 1995.  IOW, the only change they made in response to
privacy laws was the wording in their footers and/or web sites.

For newsletters and dot-forward files, the improvements brought in by
the "process" are much more noticeable.  For example, dot-foward files
can be reworked in order to obtain an effect similar, in practice, to
email address portability.

> I am not a lawyer and don't play one on TV. However I have dealt with
> Data Protection issues and had too many non-trivial discussions with a
> DPA, the UK Information Commissioner's Office. [ICANN gTLD registry
> contracts and whois, if anyone cares... The scars have nearly healed
> in case any of you are asking.] The short answer to how your SMTP
> concern plays out will depend on the view of your DPA. So ask them. Or
> ask your lawyer first and then ask the national DPA.
> 
> I would be surprised if there was unanimity or even consensus amongst
> the EU DPAs on this topic, assuming they have considered this issue in
> WP29. And yes, I realise this is underpinned by a couple of EU
> Directives. But how these get enacted and enforced in national law
> differs from country to country. Then there's the question of how the
> national DPA sees its responsibilities and priorities. I would expect
> most will either not care about electronic mailing lists or take the
> pragmatic view that since list membership is under the user's control,
> that in itself provides the required consent. However I would not bet
> money on this.

Yes, you are perfectly right on this.  IANAL too, and have serious
difficulties following such kind of discussions.  I'm a programmer and
would rather implement something.  For such task, the wording on the
web page is about as important as its background color.  However, yes,
lawyers should talk about what the process would do, and check that
member states can agree uniformly.  I think they did an egregious
theoretical work with Directive 95/46/EC.  Further directives on he
same subject seem to me to be somewhat weaker (and they never mention
actual IETF protocols.)

Staffan also expresses some concerns on this point.  I reply to him below.

> Another rat-hole to explore is what the list manager does with the
> Personal Data and if consent is needed for adding list members to
> other lists. Or lists of lists. What constitutes proportionate and
> fair usage of Personal Data then? My head is now starting to hurt...
> 
> Perhaps we could invite someone from WP29 to speak about this at the
> next WG meeting?

MLMs conceptual model is fine as it is.  Software would only need
minor changes, possibly none.  There are still lists that have no web
interface, so one could just add the "process" on top of them.  Those
who implement a confirmation page, may want to change it.  For
example, user's confirmation (the consent) could even be done by the
user's server, and transmitted to the MLM thereafter.


On 19/May/11 09:10, Staffan Jonson wrote:
> Yes, agree with you. The idea is a shortcoming.

Yeah, possibly :-)

> My experience says me that law seldom originates from (the need of)
> individual users or a protocol, but by legal tradition in the
> legislation, i.e. eventually, interpretation by 27 member state
> (MS) legislations will go before directive intentions.

Apparently, this is indeed the best we (Europeans) have been able to
do.  IMHO, testing if it works for the Internet era is an interesting
exercise in its own respect.  EDI has undergone similar issues, and
more will come.

> This means -if understood correctly - that the data consent
> procedure is decided upon in each and every MS. In other words,
> rule may actually vary a bit, which from a protocol view just will
> make the situation worse.
>  
> Therefore, I agree with Jim Reid on this:
> "But how these get enacted and enforced in national law differs
> from country to country."

Fragmentation should be avoided.  On the opposite, if the process
works correctly and proves to be useful, then it will likely be
adopted beyond Europe.

>From my point of view, the fact that the process can save paperwork is
a side effect that helps its initial diffusion.  The main aim is
understanding mail streams so as to dominate spam.  OTOH, that
paperwork is a waste of resources and, personally, I won't do it
anyway.  I wonder for how long the people who does it will want to
continue doing so...

> When interpreting this directive into Swedish law, lawyers
> currently discuss the criterias for what make an 'active consent'
> just active. Can the automation of consents by protocols be a way
> to meet legislators demands on active consent? In the end, it's an
> interpretation if automation is enough, and we'll probably have a
> ruling in this by national court, eventually.

Yes, that is not much different from companies deciding to use a given
software tool, but on national scale.

>From a governmental point of view, I think they should also wonder how
long citizens will want to obey to laws that require obsolete manual
procedures.  Lawyers should understand the difference between
processes that work in practice versus paperwork that can be
considered "theoretical" inasmuch those papers are seldom read.
Given an opportunity to ease and enhance citizens' work, they should
take it --but who knows?