[IRP] [Privacy-coalition] location of data in the cloud // new URL

Lisa Horner lisa
Mon Jan 11 12:56:38 EET 2010 

Thanks for these edits Cedric.  I've copied in the IRP mailing list so that discussion can continue there.   It's great to have this involvement from the Privacy coalition in the drafting of the Charter on Human Rights and Principles for the Internet.

 

All are welcome to join the IRP list at 

http://lists.internetrightsandprinciples.org/listinfo.cgi/irp-internetrightsandprinciples.org

 

The Charter draft is at https://docs.google.com/Doc?docid=0AeybA8_Lt-gwYWpjczg2cDlkeDJzXzMxYzQ5cXF3Yzc&hl

And is open for edits until 15th Jan, at which point it is going to an expert committee for consolidation and to ensure it is in line with international standards.

 

All the best,

Lisa

 

From: Cedric Laurant [mailto:cedric at laurant.org] 
Sent: 09 January 2010 19:46
To: Lisa Horner
Cc: Meryem.Marzouki at lip6.fr; Katitza Rodriguez
Subject: Fwd: [Privacy-coalition] location of data in the cloud // new URL

 

Hi Lisa,

 

My edits to Art. 12 of the "Internet Rights and Principles Coalition" should be displayed here: https://docs.google.com/Doc?id=ajcs86p9dx2s_488rpfcbcc#Article_12_Privacy__6397468594785073

 

If you cannot see them, here is the text I edited in that document:

 

Article 12 - Privacy

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.


The right to data protection Public or private organisations that require personal information from individuals must collect only the minimal data necessary and for the minimal period of time needed. They must only process data for the minimal stated purposes. Collection, use, disclosure and retention of this information must comply with a transparent privacy policy which allows people to find out what is collected about them and to correct inaccurate information. Data collected must be protected from unauthorised disclosure and security errors should be rectified without delay. Data must be deleted when it is no longer necessary for the purposes for which it was collected. The public must be warned about the potential for misuse of data supplied. Organisations have a responsibility to notify people when the information has been abused, lost, or stolen.

The right to freedom from surveillance People should be able to communicate free of the threat of surveillance and interception.

Personal data must be protected.  Fair Information Practices that place obligations on those companies and governments who collect and process personal data, and gives rights to those individuals whose personal data is collected, should be enacted into national law. [I propose to use only one term, "personal data", instead of several ("personal information", "information", "data") in order to avoid confusion and because it is the term used in the Convention 108, the OECD Guidelines and the EU Data Protection Directive. - C?dric Laurant]


National legislation should be based upon international privacy frameworks that comply with the rule of law, respect fundamental human rights, and support democratic institutions, such as the 1995 European Union Data Protection Directive, the 1980 OECD Privacy Guidelines, the Council of Europe Convention 108, together with the Protocol of 200.


Governments should ratify the Council of Europe Convention 108 together with the Protocol of 2001 as expeditiously as possible.


Companies should provide genuine privacy enhancing techniques that minimize or eliminate the collection of personal data.


An individual must be free to communicate anonymously on the Internet and use encryption technology.


Note: encryption does not equal anonymity and in some cases may even tie the message conclusively to the message originator - I would suggest "such as through the use of encryption" be removed - Mike Silber 11/15/09 1:16 PM.

Collection, use, disclosure and retention of personal data must comply with a transparent privacy policy, specifying the collector, the personal data collected and the specific purpose of the collection. People should hence be able to access and retrieve the personal data collected from them.  People must be free and able to exercise control and informed decision-making over the personal data collected about them and their usage.


Personal data collected must be protected from unauthorised disclosure and errors should be rectified without delay. Individuals must be informed when their personal data is forwarded for use to third parties, or for a purpose other other than that for which it was collected.


Individuals should be promptly notified when their personal data are improperly disclosed or used in a manner inconsistent with its collection.



Unless otherwise explicitly agreed, personal data should be deleted when it is no longer necessary for the purposes for which it was collected, or for legal reasons.


The public must be warned about the potential for misuse of data supplied. I question whether this principle has any real practical value?-Mike Silber 11/15/09 1:14 PMOrganisations have a responsibility to notify people when the personal data have been abused, lost, or stolen.


An individual must be free to communicate without arbitrary surveillance or interception, or the threat of surveillance or interception. This includes the use of technologies such as deep packet inspection, behavioural tracking and the exercise of control over individuals such as in instances of domestic violence and cyberstalking.


Public or private organisations or companies, including social networks and service providers, which require personal data from individuals should raise awareness and request the individual's informed consent regarding the content, purposes, storage location, duration and mechanisms for access, retrieval and correction of their personal data.  Social media networks must disclose when hidden mechanisms are being employed to harvest email personal data bases.


Service providers have a responsibility to make clear in which legal jurisdiction(s) the user's personal data is being hosted, so that the user can make informed decisions.


Service providers should communicate clearly with users the circumstances under which personal data will be shared with governments and/or with other private entities. Simultaneously provide options for unsubscribing from such networks.


An individual should have the possibility: a) to obtain from a behavioural tracker, or otherwise, confirmation of whether or not the behavioural tracker has data relating to him;  b) to have communicated to him data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended [Legislative Primer September 2009


            In the information society the right to privacy has to be supported by a guarantee (or principle) of confidentiality                   and integrity of IT-Systems, providing the protection against others accessing IT-Systems without consent.

 

Cedric

---

 

 

-- 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.internetrightsandprinciples.org/pipermail/irp-internetrightsandprinciples.org/attachments/20100111/d6a7be81/attachment-0001.htm>

More information about the IRP mailing list