w3ctag / privacy-principles

https://w3ctag.github.io/privacy-principles/

How This Document Fits In #168

Closed mnot closed 1 year ago

mnot commented 2 years ago

Privacy is covered by legal frameworks and this document recognises that existing data protection laws take precedence for legal matters. However, because the Web is global, we benefit from having shared concepts to guide its evolution as a system built for the people using it ([RFC8890]). A clear and well-defined view of privacy on the Web, informed by research, can hopefully help all the Web's participants in different legal regimes. Our shared understanding is that the law is a floor, not a ceiling.

I'd say this in a slightly different way. Something like:

Privacy on the Web is primarily regulated by two forces: the architectural capabilities that the Web platform exposes (or does not), and laws in the various jurisdictions where it is used. These regulatory mechanisms are separate; a law in one country does not (and should not) change the whole Web's architecture, and likewise Web specifications cannot override any given law (although their implementation can make some laws difficult to enforce). The Web is not merely an implementation of a legal privacy regime; it has distinct features and guarantees driven by shared values that often exceed legal requirements.

However, the overall goal of privacy on the Web is served best when technology and law compliment each other. This document seeks to establish shared concepts as an aid to technical efforts to regulate privacy on the web, and may also be useful in pursuing alignment with an between legal regulatory regimes.

darobin commented 2 years ago

@mnot The group is broadly positive about where you want to take this, but we are concerned that it is hard to convey these ideas without providing more background about the legitimacy of architectural regulation. Without the kind of shared background that a few of us have, terms like "regulated" will likely trip people up, for instance. Happy to work with you to hash out a better text, maybe we could put it in a doc or try to hash it out next time we chat?

mnot commented 2 years ago

I think that criticism could already apply to much of the document, but sure.

mnot commented 2 years ago

Can someone assign this to me so I don't forget it?

hober commented 2 years ago

I really like your proposed text, Mark. Some nits:

Privacy on the Web is primarily regulated by two forces: the architectural capabilities that the Web platform exposes (or does not), and laws in the various jurisdictions where it is used. These regulatory mechanisms are separate; a law in one country does not (and should not) change the whole Web's architecture, and likewise Web specifications cannot override any given law (although their implementation can make some laws difficult to enforce).

Their implementation can also make some laws easier to enforce. Perhaps "although their implementation can affect how easy it may be to enforce some laws" captures both?

The Web is not merely an implementation of a legal privacy regime;

How about "of some particular legal privacy regime"?

it has distinct features and guarantees driven by shared values that often exceed legal requirements.

Maybe add a parenthetical about how we sometimes say that the law is "a floor, not a ceiling"?

However, the overall goal of privacy on the Web is served best when technology and law compliment each other.

I think you mean 'complement?'

This document seeks to establish shared concepts as an aid to technical efforts to regulate privacy on the web, and may also be useful in pursuing alignment with an between legal regulatory regimes.

with and between

mnot commented 2 years ago

Thanks @hober. Those are all helpful suggestions. Regarding 'a floor, not a ceiling' -- although it's a snappy saying and I agree with the sentiment, I'm concerned that phrase is too simplistic. The law in toto prohibits and compels behaviour in different scenarios; while the protections provided by e.g. the GDPR and ePrivacy directive can be seen as a 'floor', other aspects of the law do put a 'ceiling' on behaviour (e.g., competition law).

That leaves us with (after some small tweaks):

Privacy on the Web is primarily regulated by two forces: the architectural capabilities that the Web platform exposes (or does not), and laws in the various jurisdictions where it is used. These regulatory mechanisms are separate; a law in one country does not (and should not) change the whole Web's architecture, and likewise Web specifications cannot override any given law (although they can affect how easy it is to create and enforce law). The Web is not merely an implementation of a particular legal privacy regime; it has distinct features and guarantees driven by shared values that often exceed legal requirements for privacy.

However, the overall goal of privacy on the Web is served best when technology and law complement each other. This document seeks to establish shared concepts as an aid to technical efforts to regulate privacy on the web, and may also be useful in pursuing alignment with and between legal regulatory regimes.