ietf

Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)

2014-07-20 16:19:15
Murray S. Kucherawy wrote:
Martin Rex <mrex(_at_)sap(_dot_)com> wrote:

>> Article 2 "Definitions" of this EU directive (page 7 of above PDF)
>>
>>   The following definitions shall also apply:
>>    (a) "user" means any natural person using a publicly available
>>        electronic communications service, for private or business
>>        purposes, without necessarily having subscribed to this
>>        service;


> I would claim that
> such an employer's email servers do not comprise "a publicly available
> electronic communications service", so I don't think employees using a
> protected domain are "users" under this definition.

An employee only has to meet the "natural person" criterion to fall
under the "user" definition of the EU directive.

The term "publicly available electronic communications service" in the
directive sounds vague and appears to provide wiggle room for national
legislators.  But even if some EU member states would try to "exploit"
this, chances are that the European Court of Justice (ECJ), which is
the authority on the interpretation of EU directives and has a duty to
make the laws of EU member states converge, may not allow loopholes and
will argue based on the stated purpose of the directive and the necessity
of the protection.  Exceptions are limited to those listed in Article 15
and must be narrowly defined within statute law.

In German national law (TKG) the wording is better and clearer.
There, it covers any "electronic communication service" that is connected
to public communication services, i.e. when it allows sending to or
receiving from a public communication service.



> And even if that doesn't wash, an employment contract (here, at least)
> typically grants the Article 5 consent that makes this point moot,
> and is not typically a "Click OK and forget" situation.

The Article 5 consent wasn't about "American-style consent",
which is why I quoted it under the definitions:


  (f) "consent" by a user or subscriber corresponds to the data
      subject's consent in Directive 95/46/EC;

> I imagine email service providers could secure the same sort of consent
> through a privacy policy, though "I had no idea" might be a more successful
> counter-argument there because nobody really reads those.


Your expression "secure consent" gives a hint where your misunderstanding
might come from.

For many centuries, lots of countries had the notion that a certificate
of marriage would "secure consent" to sex between the couple, and
marital/spousal rape wasn't called rape and was tolerated.
Over the last two or three decades a number of countries cleaned up
this part of their medieval heritage and started to protect
"the fundamental right to sexual self-determination" in their legislation.

In Germany, we fixed the laws in a similar fashion regarding the
fundamental right to informational self-determination, and this
concept was adopted by the EU data protection directive 95/46/EC,
which is referred to in the definition of "consent" quoted above.


"Terms of use" or contract clauses that try to "secure consent",
rather than making consent a separate, purely voluntary opt-in,
will regularly be illegal and legally void in EU member states.
They definitely are legally void in Germany (that is even spelled
out in the German TKG).


-Martin
