<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Exchange Server">  <style></style> </head> <body> <font face="Arial" size="2"> <div>-----BEGIN PGP SIGNED MESSAGE-----</div> <div>Hash: SHA256</div> <div> </div> <div>Hi</div> <div>Yes, agree with you. The idea is a shortcoming. </div> <div> </div> <div>My experience says me that law seldom originates from (the need of) individual users or a protocol, byt by legal tradition in the legislation, i.e. eventually, interpretation by 27 member state (MS) legislations will go before directive intentions.</div> <div> </div> <div>This means -if understood correctly - that the data consent procedure is decided upon in each and every MS. In other words, rule may actually vary a bit, which from a protocol view just will make the situation worse. </div> <div> </div> <div>Therefore, I agree with Jim Reid on this:</div> <div>" But how these get enacted and enforced in national law differs from country to country."</div> <div> </div> <div>When interpreting this directive into Swedish law, lawyers currently discuss the criterias for what make an 'active consent' just active. Can the automation of consents by protocols be a way to meet legislators demands on active consent? In the end, it's an interpretation if automation is enough, and we'll probably have a ruling in this by national court, eventually. </div> <div> </div> <div> </div> <div>/Staffan</div> <div> </div> <div>Cell phone: + 46/0 73 317 39 67</div> <div>Mail: staffan.jonson@iis.se</div> <div> </div> <div> </div> <div>- -----Ursprungligt meddelande-----</div> <div>Från: cooperation-wg-admin@ripe.net [<a href="mailto:cooperation-wg-admin@ripe.net">mailto:cooperation-wg-admin@ripe.net</a>] För Alessandro Vesely</div> <div>Skickat: den 18 maj 2011 20:56</div> <div>Till: cooperation-wg@ripe.net</div> <div>Ämne: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive</div> <div> </div> <div>Hi all,</div> <div>can a tool for lawfully acquiring a user's consent via the Internet</div> <div>motivate SMTP operators to modify their procedures in such a way that</div> <div>spam can be countered more effectively? Let me please expand slightly</div> <div>on this question, I'll try and be concise.</div> <div> </div> <div>It is well known that the Simple Mail Transfer Protocol provides for</div> <div>replacing the envelope recipient with one or more other email</div> <div>addresses. This server forwarding is not to be confused with manually</div> <div>forwarding a message from a client. Mailing lists and newsletters are</div> <div>operated that way, as well as redirection configured by means of "dot</div> <div>forward" static files. Since email addresses are personal data, their</div> <div>processing is covered by Directive 95/46/EC.</div> <div> </div> <div>How is the data subject's consent acquired? In response to the Data</div> <div>Protection Directive, operators should have defined a protocol for</div> <div>obtaining and keeping proof of the consent. It never happened. In</div> <div>facts, it is very difficult to introduce new protocols for email --new</div> <div>protocols for web operations come about much more frequently.</div> <div> </div> <div>Evidence that consent has been granted can be provided by the data</div> <div>subject's mail exchanger (MX, a.k.a. the user's incoming mail server).</div> <div> It can digitally sign a notification from the data processor. That</div> <div>way, the user's server becomes aware of a new wanted stream of</div> <div>messages, and can whitelist it. That is, it can skip anti-spam</div> <div>checking for those messages. As bulk messages account for a</div> <div>significant part of legitimate mail, anti-spam measures could then be</div> <div>significantly strengthened.</div> <div> </div> <div>The users' advantage is to have an automatically maintained list of</div> <div>subscriptions, and a uniform interface to manage them. Currently,</div> <div>users have to interact with what can be called a "time-distributed</div> <div>database", in the sense that monthly or yearly they may receive</div> <div>subscription reminders...</div> <div> </div> <div>The obvious shortcoming of this idea is that mail server operators</div> <div>simply won't install any new software if their systems can work</div> <div>acceptably well without it. However, acquiring written consent is</div> <div>such a pain to many businesses that, perhaps, they will install that</div> <div>software if it helps complying with privacy issues. What do you think?</div> <div> </div> <div>TIA for any comment</div> <div> </div> <div> </div> <div>-----BEGIN PGP SIGNATURE-----</div> <div>Version: 9.8.3 (Build 4028)</div> <div>Charset: utf-8</div> <div> </div> <div>wsBVAwUBTdTCazQ/UxhHDVilAQj/uQf/diTT50upnSEEzdZ1xwl+noBR8LT0nc04</div> <div>m/jZPZllSNO6TOCCpzMDt43Q5zxWbF/ur3f6q2w/tfvs6EFwRi+gZ3cUV1eX9HR6</div> <div>iaAMjfMHADhmOCWDwew9aMRLsXZTCfBpzAtpjXCIHYTpfX8Oi1R+igKq4+74jpyV</div> <div>V9Mpxm1V65KxpB6otxVJ4jDV4JlYVUP/zR8+h6FWuCf7m/851Fkg2BMqLUXGw1TF</div> <div>Wmjf21ykxzOgLaqyrPOtWw3MyUBJA9Mg7+8irZyzLDxXUTlxWy1CBKY8U/F4u0gO</div> <div>XP7vtsUtBfpmf8295amxYZ4UKfT7vC8sPWOupOxUFtDalnT3CCc2Iw==</div> <div>=BzQY</div> <div>-----END PGP SIGNATURE-----</div> <div> </div> <div> </div> </font> </body> </html>