Associated subset - have Google considered validating the set via consented common policies?

[jwrosewell]

During the 17th August meeting last week Google presented the following slide when explaining Associated sets.

Associated sets enabled domains owned by different organizations to share data within the web browser. This is compatible with GDPR and PECR, the "Applicable Data Protection Legislation" that Google agreed to be bound by in Google's commitments to the CMA. See the definition from the commitments which follows.

GDPR and PECR, as confirmed by the ICO and CMA in their May 2021 joint statement, has no concept of first and third party. See Box B from the statement which follows.

Associated sets is a very welcome development in the field of lawful data sharing between joint controllers and processors. Complexity can be reduced by removing other aspects of FPS in favor of a single Associated Sets proposal. The name can change.

However the restriction to 3 domains is not required under Applicable Data Protection Legislation. The number in any specification seeking to align to Applicable Data Protection Legislation is infinity.

The use of Standard Contractual Clauses (SCC) - already used in Google's other services (see [1]) - would enable people to consent to common SCCs that apply to data shared between multiple controllers and processors. Controller's A and B could use the same SCC in their privacy policy for data sharing within the web browser. People would consent to this SCC, controller's A and B would signal their compliance with the SCC, and the browser would safely enable data sharing between A and B, confident that people's expectations have been met. This concept is explained in the March 2022 proposed modification to FPS titled "GDPR Validated Sets".

@krgovind and Google are well aware of GVS and the concept of SCCs. Can they explain why they would not consider using this approach to enable Associated Sets in the revised version of FPS? If not answered here in this forum please provide your answer in the September quarterly report to the CMA and market.

[1] Screen shot of general marketing email sent to 51Degrees by Google on 15th August 2022.

[dmarti]

The current draft of the W3C Privacy Principles states, In specific cases, people should be able to consent to more sensitive purposes, such as having their identity recognised across contexts or their reading history shared with a company. The burden of proof on ensuring that informed consent has been obtained needs to be very high in this case.

It does not look like actual consent is being obtained through the use of important updates to our data protection terms that are read by few, if any, web users. (Yes, it does look like a difference between approaches at the same company, where one part of the company develops a browser that plans to implement associated sets and another part of the same company sends out long documents full of confusing legal verbiage that they pretend are actually being read by users—but it might be better to resolve the intra-company inconsistency by changing the second approach than the first.)

[jwrosewell]

Re: Consent.

The EU provide a guide on consent requirements. GDPR (and other laws) are the requirements that at least Google, CMA, and 51Degrees are aligned to. Others are free to do other things themselves, but never to impose their ideology on others. If others are not happy with laws, work with law makers to change them. Where there is non compliance with GDPR that is a matter for the individual companies concerned and justice systems.

Re: Privacy Principles. Movement for an Open Web (MOW) provided comments on the draft Privacy Principles here which are yet to be responded to by the Privacy Taskforce. A summary is available here.

[jwrosewell]

Proposals which raise competition concerns must be assessed according to the stated Criteria. See position statement on Privacy Sandbox commitments.

FPS raises such a concern as it risks (1) denying data to others while retaining it for Google; (2) self-preference of related Google products, and (3) a departure from user-centric approaches, since the corporate boundaries involved do not accord with risks to consumers or reasonable expectations, as the CMA has noted in its latest reports.

It is very significant that the CMA raised concerns about FPS departing from consumer expectations in the first CMA Update Report. The latest CMA report notes that “the three-domain restriction for ‘associated domains’ to form a First Party Set could favour larger more established publisher brands and disproportionately affect organisations hosting large numbers of smaller or niche publishers.”

This reflects concerns that FPS has not been designed with the Criteria in mind. As there are risks to competition, as the CMA notes, these must be balanced against “privacy outcomes” and to the extent relevant, data protection law must be applied.

Google must now propose changes to FPS to implement the Criteria using reasonable evidence of risks and balance these against competition concerns. For mainstream low-risk use cases, this implies avoiding a centralised enforcement entity and instead allowing responsible operators who use safeguards and comply with the law to interoperate. The response provided in the third report under the First Party Sets heading and "Policy" is not compliant with the commitments as Google have asserted. See the position statement for details.

I request that @krgovind either respond to this issue in comments, or via the January 2023 quarterly report. I understand from the third quarterly report @krgovind has received the necessary training.

[miketaylr]

We are committed to achieving the purpose of the Privacy Sandbox commitments accepted by the CMA in February 2022. We encourage feedback on how to better achieve that purpose through our technical proposals, and we will report publicly on feedback we receive as set out in the commitments. We are in constant dialogue with the CMA on these issues, and members of the web ecosystem are also welcome to discuss these issues with the CMA. In fact, as previously mentioned by the CMA in public and in its communications to Mr Rosewell, the CMA is the sole public body responsible for monitoring Google’s compliance with the commitments accepted on 11 February 2022 in relation to Google’s Privacy Sandbox proposals. We therefore hope that everyone will understand when we decline to participate in public discussions on legal or internal aspects of compliance with the commitments, or to detail our direct exchanges with the CMA.

[jwrosewell]

The commitments Google entered with the CMA in February 2022 prevent Google from implementing Privacy Sandbox changes until the CMA are satisfied or February 2028.[1] The commitments define a role for third parties such as myself to express reasonable views and suggestions.[2] The commitments require Google to provide quarterly reports providing substantive responses.[3] The next report is due in January 2023.[4]

The commitments, Privacy Sandbox website, and chrome developers web site, direct third parties to forums such as this one. [5][6]

The views and suggestions raised are not related to internal aspects of compliance. They relate to the substance of the proposal and are clearly within scope of the commitments in relation to third parties.

Please reopen this issue and retract your misleading statement posted on Friday 9th December 2022.

It would be helpful to provide your substantive response in this forum as well as the January 2023 quarterly report so that all third parties can easily understand the response. Once any follow-on observations and viewpoints are addressed then the issue can be closed.

[1] https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf

[2] “Google will publish on a dedicated microsite a process for stakeholder engagement in relation to the details of the design, development and implementation of the Privacy Sandbox proposals and report on that process publicly, as well as to the CMA through the quarterly reports described in paragraph 32(a) below. As part of that process, Google will take into consideration reasonable views and suggestions expressed to it by publishers, advertisers and ad tech providers, including (but not limited to) those expressed in the W3C or any other fora, in relation to the Privacy Sandbox proposals, including testing, in order to better apply the Development and Implementation Criteria in the design, development and implementation of the Privacy Sandbox proposals.” – Commitments clause 12 – emphasis added

[3] “Google will provide the CMA with quarterly reports within three Working Days of the end of each three-calendar-month period following the Effective Date about: progress on the Privacy Sandbox proposals; updated timing expectations; substantive explanations of how Google has taken into account observations made by the CMA and by third parties pursuant to paragraphs 12 and 17(c)(ii) of these Commitments; and a summary of the interactions between the CMA and Google pursuant to paragraphs 17 and 21 of these Commitments, including in particular a record of any concerns raised or comments made by the CMA and the approach retained for addressing such concerns or comments pursuant to paragraphs 17(a)(ii) and 21.” – Commitments clause 32(a) – emphasis added

[4] https://www.gov.uk/cma-cases/investigation-into-googles-privacy-sandbox-browser-changes#third-quarterly-reports-2022

[5] “For the open web, you can contribute to the public discussions in forums such as the W3C….” https://privacysandbox.com/#home-frequently-asked-questions

[6] “To participate in conversations with industry representatives, browser vendors and others—for example, to advocate for a particular use case or solution—you can join one or more of the W3C forums where privacy-preserving proposals are being shared and refined. Today most community discussion is happening in the Improving Web Advertising Business Group, the Privacy Community Group and the Web Platform Incubator Community Group.” https://developer.chrome.com/blog/privacy-sandbox-participate

[jwrosewell]

This issue also relates to Data protection regulation and Google’s Privacy Sandbox commitments.