[WG-InfoSharing] Comments on Information Sharing Agreement
Iain Henderson
iain.henderson at mydex.org
Mon May 24 01:20:00 EDT 2010
Hi Juan,
Sorry for the long delay in responding - lots of travel and stuff now happening in this space.
Yes, your input below is helpful and makes sense. I've added some further comments inline with your questions; lots still to discuss.
Cheers
Iain
On 12 May 2010, at 16:53, Juan Avellan wrote:
> Hi Everybody,
>
> As promised, here it goes. I hope I’m not reinventing the wheel with these comments as I assume there are people who have thought deeply about these things. Having said that, here are my fairly unstructured thoughts, which I hope have not led me to stray in the wrong direction.
>
> Look forward to your comments.
>
> Cheers!
>
> Juan
>
> Multiple Jurisdictions Issue: Within the European Union, European compliant or similarly regulated jurisdictions the legal framework and data protection authorities are such that the individual would not *theoretically* have to make a big effort to make sure the individual’s General Terms and Conditions are complied with even by second tier data processors (i.e. a data processor that receives the individual’s personal data from another data processor). Data processors are also bound vis a vis second tier data processors, by law. Although in the end individuals do have to make a big effort if they want to truly control and manage their personal data, there is a reasonable expectation it is not being tooooooo abused. The real problem arises when the individual interacts with a data processor that is not operating within the EU, EU compliant legal system, or other that provides a reliable data protection legal framework which covers issues such as second tier (or more) data processors. In those cases, the individual needs tools that will enable him/her to ensure the agreement by companies binds them to the T&Cs. Some questions that come to mind are:
>
> · Will companies in the US or other countries that are not compliant be willing to agree to liability for second tier data processors?
As I see it, access to the individual's 'volunteered personal information' is a take it or leave it contract; so any organisation not willing to accept the terms of the standard agreement won't be able to partake.
>
> · Even if they are, how can that be enforced? Under international law, typically consumer protection law (including data protection law) the law of the consumer’s jurisdiction is applicable. Can we expect the data protection authorities of each country to go out and enforce infringements by companies abroad? If so, what happens in countries that do not have such regulatory and enforcement frameworks.
As per above, our assumption to date is that we use contract law. That this will be underpinned by data protection/privacy legislation in different geographies is helpful but not essential.
>
> · Evidence would be needed. Will the system be tagging personal data to a specific disclosure opportunity so that each specific infringing disclosure can be traced back to the infringing entity or individual?
Yes, that is envisaged; though at what point that specific is deployed has still to be tested in anger.
>
> Individual General Terms and Conditions for Personal Data Processing: As I understood from the call, the idea is that these would be a basic set of rules that any third party wishing to process an individual’s personal data adheres to before gaining access to the personal data. The process of gaining access should include a contract formation process (e.g. click-through agreement for human processing and other technical protocol procedure for machine processing). It would apply to all third parties processing personal data who have agreed to such terms and conditions.
>
> The idea from the WG is to create a few human & machine readable options within the T&Cs that allow the individual to customise how his personal data will be processed by a specific data processor.
>
> Question: Will the individual have some sort of log that he/she can scroll through in order to determine to whom specific personal data was disclosed and under which version of the terms and conditions? See also evidence question above.
Yes, they will have a dashboard/ audit of all sharing instances, and the support of compliance programmes to help the system stay in balance.
>
> Different Contract Instances:
>
> · Individual - Service Providing Organization: In the call this was referred to as contracting with self but I don’t see it that way. I see it more as an individual agreeing with the SPO for a service by which the SPO processes the personal data for use by the individual (e.g. because he wants to access it from time to time for any reason) or by third parties (e.g. to serve up credit card details or other data to third parties when needed). The SPO is bound to process it in both cases in accordance with the applicable T&Cs.
>
> · Individual to Individual: This is a straight-forward contract between two individuals. In my view this is more an issue of whether it can be reasonably expected that the recipient individual with the scant tech knowledge and data processing resources typically available to an individual to manage his/her obligations vis a vis other individuals’ T&Cs. Let’s say you share a picture of yourself in an embarrassing situation with a friend and your T&Cs indicate that no further distribution should occur. The person stores that pic in his picture database and a few months/years and many data exchanges later, the recipient sends a pic album out to some friends which includes that embarrassing pic. Sounds daunting for an individual to have to manage this, even if there was an agreement. Is it reasonable to manage that complexity? Are the tools there to make it reasonable? This reasonability criteria may apply in certain jurisdictions.
>
> · Product/Service Provider to Product/Service Provider: To me this instance continues to be under the first case: An individual disclosed personal data under specific T&Cs to a Product/Service Provider who in turn is bound to make sure that other Product/Service Providers to whom they send such personal data are also bound and comply to those specific T&Cs. See the Multiple Jurisdiction Issue text above regarding 2nd tier data processors. As explained, in EU-type jurisdictions this is not a big issue, provided compliance is enforced appropriately. The problem arises in jurisdictions in which 2nd tier data processors are not bound by law to comply with a certain processing standard which means that the 1st tier data processor would need to make sure that the 2nd tier is bound and be liable to the individual for 2nd tier infringements. Although this is basically how data protection law works, the issue that arises in non-EU type jurisdictions is that it would be up to the individual to enforce infringements, which is clearly unreasonable. Some options could be naming and shaming, but that means either a closed community, blacklists or some other high-impact reputational approach.
>
> · Individual – Public Sector Organisation: This is a different sort of beast in the sense that governments have certain rights and restrictions regarding personal data different to the private sector. Because the balance of data processing rights and restrictions is generally determined by the law, we probably need to be thinking about a version of the agreement for the public sector, which will need to be customised on a per-jurisdiction basis. Think about the agreement between the US and other countries on the traveller flight lists that are exchanged. Could we envisage a version of the agreement which is dynamic in the sense that it adapts to the different negotiations on a per-country basis? Or is this an exclusion that the individual has no right to determine because it is associated with a national security argument? Note, the definition of national security and how far it extends varies considerably from jurisdiction to jurisdiction and over time and circumstances!
>
> · Individual – Public Data Set Managing Organisation: To me this is the same agreement as the Individual-SPO Agreement (the first instance) because the individual is providing a third party organisation with specific data under specific terms and conditions, which can result in the 3rd party processing it for private use, public use or other uses. The article on “Amazon Spying on Your Ebook Highlighting” http://techdirt.com/articles/20100511/1018059377.shtml comes to mind here.
>
>
>
> Tentative Conclusions:
>
> · I see 2 perhaps 3 agreement types: (1) individual-Data Processor Agreement (covering all sorts of product/service providers and public/private data set managers). (2) individual-public sector: this would need to be adapted to the local law, which can be a bit difficult but not impossible. Issues would arise, for example, regarding individuals from one country interacting with the government of another country (e.g. visa request, tax declarations for stock trading abroad, etc.). (3) Individual – Individual: This is a difficult one because a very delicate balance needs to be struck between human-readable agreement, machine-readable and the fact that people tend to respect the privacy of other people and use common sense for this (and there is a social enforcement mechanism) – in other words, you may not need a formal agreement for this!
>
> · I am a firm believer in balancing law, technology and social mechanisms to achieve certain regulatory goals. In this case, we are seeking to give power to the individual over his personal data. Some people care a lot and others couldn’t care less. In this Information Sharing Agreement I believe that technology plays a VERY important role for the reasons I’ve expressed above. Although, as explained during the call (I believe it was Joe) if the rules are coded, that also means that they can be coded around. Yes, this is true but it seems a much more viable option than having to impose on individuals and organisations managing all of this. If it is coded, it is much more scalable as well. Although people/organisations will code around from time to time, they will also infringe legal contracts from time to time. The coding infringements will probably be much easier to identify and pursue than the legal infringements (opinion from the gut and nothing more).
>
> I’m sure some have this in mind but I’ll express my view anyway: we should take a building block approach that is reliable, predictable and cheap for it to be efficient and scalable, and for it to really take hold.
>
Iain Henderson
iain.henderson at mydex.org