• There is a risk that P3P, once implemented in the next generation of browsing software, could mislead EU-based operators into believing that they can be discharged of certain of their legal obligations (e.g. granting individual users a right of access to their data) if the individual user consents to this as part of the on-line negotiation. In fact those businesses, organisations and individuals established within the EU and providing services over the Internet will in any case be required to follow the rules established in the data protection directive 95/46/EC (as implemented in national law) as regards any personal data that they collect and process. P3P might thus cause confusion not only among operators as to their obligations, but also among Internet users as to the nature of their data protection rights. Browsing software that is sold or distributed within the EU must therefore be designed and configured so as to ensure that on-line agreements which are in contradiction with prevailing data protection laws are not possible.

• For users based in the EU entering into contact with websites established in non-EU countries the prime concern is that the organisation to whom they are providing personal data might not be subject to the EU directive or any adequate set of effectively implemented data protection rules . Crucial to the decision of whether or not to provide data to such sites will be to know not only the approximate content of any applicable rules, but also whether there are any sanctions for non-compliance and, most importantly of all, a simple and effective means of obtaining a remedy if the rules are broken. An on-line platform for privacy preferences should in theory be capable of providing such information to users. However, the P3P vocabulary as presently constituted does not require or even allow for the provision of information about sanctions or remedies to users. For P3P to be a useful tool in the obtaining of informed on-line consent for transfers of personal data from EU users (as required by Article 26(1)(a) of the directive), it is therefore necessary to revisit the standard vocabulary.

• Given that most Internet users are unlikely to alter any pre-configured settings on their browser, the 'default' position regarding a user's privacy preferences will have a major impact on the overall level of on-line privacy protection. P3P and OPS must be implemented into browser technology with default positions which reflect the user's interest to enjoy a high level of privacy protection (including the ability to browse websites anonymously) without finding himself blocked or inconvenienced in his attempts to gain access to sites. Where an operator requests, as a condition for access to his site, the provision of a profile of identifiable data, the user should be asked each time for his consent for the provision of this information to the particular site in question. Where a site does not require such information, access could be seamless. The major browsing software manufacturers have a responsibility to implement P3P and OPS in a manner that enhances rather than reduces levels of privacy protection.

Given the importance of the implementation process of P3P and OPS, and the separate issues currently under consideration by the Working Party in relation to the functionality of web protocols (HTTP), the Working Party encourages the development of Internet software consistent with the data protection rules applicable in the European Union and considers that it would be appropriate to develop mechanisms to verify the conformity of Internet software in this regard. Done at Brussels, 16 June 1998

For the Working Party

The Chairman
P.J. HUSTINX