[WG-InfoSharing] Comments on Information Sharing Agreement
juan.avellan at gmail.com
Mon May 24 08:04:21 EDT 2010
Thanks. No worries. I assumed you guys were busy with the last few weeks'
events in Europe and the USA. I'm sorry to have missed them and the
opportunity to have met some of you.
My only comment to yours Iain is on the contractual side. Although there
doesn't seem to be much of a (legal) alternative regarding the use of
contracts, we need to make this as easy and practical as possible. It occurs
to me that we should consider compliance (and the capacity to practically
enforce by individuals) or the lack thereof by certain jurisdictions and its
participants (both private and public sectors) in some sort of
internationally visible blacklist (e.g. transparency international). This
will give the system some teeth beyond the rather small ones that an
individual with an unenforced contract will have, especially in a lax legal
something like this and helps individuals enforce their rights but it is
limited to companies and I don't know how effective it is. I'm thinking
about something broader than this which constitutes a part of the overall
mechanism. Let's imagine an individual that wants to disclose personal data
to a specific company or to a company in a specific country. The system
could provide the individual some sort of real-time review on the
compliance/enforceability of a specific company or of the country in which
the company is located, before the individual decides to disclose PD.
Finally, on the individual-individual contract, I've thought about this
further and ultimately I do think a contract is needed because of potential
leakage to second tier processors (e.g. Facebook) which may feel free to
decide how widely to disclose personal data disclosed to another individual
through means other than that third party service. For example, I send by
email some pics to a friend who in turn posts them on Facebook without my
T&Cs my friend may have with FB. The issue is usability in the context of
fluid interpersonal relations which are extremely dynamic and way more
complex than anything that can be written in a contract, much less a
I'll try to join later today, as I have another confcall at 4PM UK time
which may last for more than 1 hour. In any case, I'll jump in whenever I've
On Mon, May 24, 2010 at 7:20 AM, Iain Henderson <iain.henderson at mydex.org> wrote:
> Hi Juan,
> Sorry for the long delay in responding - lots of travel and stuff now
> happening in this space.
> Yes, your input below is helpful and makes sense. I've added some further
> comments inline with your questions; lots still to discuss.
> On 12 May 2010, at 16:53, Juan Avellan wrote:
> > Hi Everybody,
> > As promised, here it goes. I hope I’m not reinventing the wheel with
> these comments as I assume there are people who have thought deeply about
> these things. Having said that, here are my fairly unstructured thoughts,
> which I hope have not led me to stray in the wrong direction.
> > Look forward to your comments.
> > Cheers!
> > Juan
> > Multiple Jurisdictions Issue: Within the European Union, European
> compliant or similarly regulated jurisdictions the legal framework and data
> protection authorities are such that the individual would not
> *theoretically* have to make a big effort to make sure the individual’s
> General Terms and Conditions are complied with even by second tier data
> processors (i.e. a data processor that receives the individual’s personal
> data from another data processor). Data processors are also bound vis a vis
> second tier data processors, by law. Although in the end individuals do have
> to make a big effort if they want to truly control manage their personal
> data, there is a reasonable expectation it is not being tooooooo abused. The
> real problem arises when the individual interacts with a data processor that
> is not operating within the EU, EU compliant legal system, or other that
> provides a reliable data protection legal framework which covers issues such
> as second tier (or more) data processors. In those cases, the individual
> needs tools that will enable him/her to ensure the agreement by companies
> binds them to the T&Cs. Some questions that come to mind are:
> > · Will companies in the US or other countries that are not
> compliant be willing to agree to liability for second tier data processors?
> As I see it, access to the individual's 'volunteered personal information'
> is a take it or leave it contract; so any organisation not willing to accept
> the terms of the standard agreement won't be able to partake.
> > · Even if they are, how can that be enforced? Under international
> law, typically consumer protection law (including data protection law) the
> law of the consumer’s jurisdiction is applicable. Can we expect the data
> protection authorities of each country to go out and enforce infringements
> by companies abroad? If so, what happens in countries that do not have such
> regulatory and enforcement frameworks.
> As per above, our assumption to date is that we use contract law. That this
> will be underpinned by data protection/ privacy legislation in different
> geographies is helpful but not essential.
> > · Evidence would be needed. Will the system be tagging personal
> data to a specific disclosure opportunity so that each specific infringing
> disclosure can be traced back to the infringing entity or individual?
> Yes, that is envisaged; though at what point that specific is deployed has
> still to be tested in anger.
> > Individual General Terms and Conditions for Personal Data Processing: As
> I understood from the call, the idea is that these would be a basic set of
> rules that any third party wishing to process an individual’s personal data
> adheres to before gaining access to the personal data. The process of
> gaining access should include a contract formation process (e.g.
> click-through agreement for human processing and other technical protocol
> procedure for machine processing). It would apply to all third parties
> processing personal data who have agreed to such terms and conditions.
> > The idea from the WG is to create a few human & machine readable options
> within the T&Cs that allow the individual to customise how his personal data
> will be processed by a specific data processor.
> > Question: Will the individual have some sort of log that he/she can
> scroll through in order to determine to whom specific personal data was
> disclosed and under which version of the terms and conditions? See also
> evidence question above.
> Yes, they will have a dashboard/ audit of all sharing instances, and the
> support of compliance programmes to help the system stay in balance.
> > Different Contract Instances:
> > · Individual - Service Providing Organization: In the call this
> was referred to as contracting with self but I don’t see it that way. I see
> it more as an individual agreeing with the SPO for a service by which the
> SPO processes the personal data for use by the individual (e.g. because he
> wants to access it from time to time for any reason) or by third parties
> (e.g. to serve up credit card details or other data to third parties when
> needed). The SPO is bound to process it in both cases in accordance with the
> applicable T&Cs.
> > · Individual to Individual: This is a straight-forward contract
> between two individuals. In my view this is more an issue of whether it can
> be reasonably expected that the recipient individual with the scant tech
> knowledge and data processing resources typically available to an individual
> to manage his/her obligations vis a vis other individuals’ T&Cs. Let’s say
> you share a picture of yourself in an embarrassing situation with a friend
> and your T&Cs indicate that no further distribution should occur. The person
> stores that pic in his picture database and a few months/years and many data
> exchanges later, the recipient sends a pic album out to some friends which
> includes that embarrassing pic. Sounds daunting for an individual to have to
> manage this, even if there was an agreement. Is it reasonable to manage that
> complexity? Are the tools there to make it reasonable? This reasonability
> criteria may apply in certain jurisdictions.
> > · Product/Service Provider to Product/Service Provider: To me this
> instance continues to be under the first case: An individual disclosed
> personal data under specific T&Cs to a Product/Service Provider who in turn
> is bound to make sure that other Product/Service Providers to whom they send
> such personal data are also bound and comply to those specific T&Cs. See
> the Multiple Jurisdiction Issue text above regarding 2nd tier data
> processors. As explained, in EU-type jurisdictions this is not a big issue,
> provided compliance is enforced appropriately. The problem arises in
> jurisdictions in which 2nd tier data processors are not bound by law to
> comply with a certain processing standard which means that the 1st tier data
> processor would need to make sure that the 2nd tier is bound and be liable
> to the individual for 2nd tier infringements. Although this is basically how
> data protection law works, the issue that arises in non-EU type
> jurisdictions is that it would be up to the individual to enforce
> infringements, which is clearly unreasonable. Some options could be naming
> and shaming, but that means either a closed community, blacklists or some
> other high-impact reputational approach.
> > · Individual – Public Sector Organisation: This is a different
> sort of beast in the sense that governments have certain rights and
> restrictions regarding personal data different to the private sector.
> Because the balance of data processing rights and restrictions is generally
> determined by the law, we probably need to be thinking about a version of
> the agreement for the public sector, which will need to be customised on a
> per-jurisdiction basis. Think about the agreement between the US and other
> countries on the traveller flight lists that are exchanged. Could we
> envisage a version of the agreement which is dynamic in the sense that it
> adapts to the different negotiations on a per-country basis? Or is this an
> exclusion that the individual has no right to determine because it is
> associated with a national security argument? Note, the definition of
> national security and how far it extends varies considerably from
> jurisdiction to jurisdiction and over time and circumstances!
> > · Individual – Public Data Set Managing Organisation: To me this
> is the same agreement as the Individual-SPO Agreement (the first instance)
> because the individual is providing a third party organisation with specific
> data under specific terms and conditions, which can result in the 3rd party
> processing it for private use, public use or other uses. The article on
> “Amazon Spying on Your Ebook Highlighting”
> http://techdirt.com/articles/20100511/1018059377.shtml comes to mind here.
> > Tentative Conclusions:
> > · I see 2 perhaps 3 agreement types: (1) individual-Data
> Processor Agreement (covering all sorts of product/service providers and
> public/private data set managers). (2) individual-public sector: this would
> need to be adapted to the local law, which can be a bit difficult but not
> impossible. Issues would arise, for example, regarding individuals from one
> country interacting with the government of another country (e.g. visa
> request, tax declarations for stock trading abroad, etc.). (3) Individual –
> Individual: This is a difficult one because a very delicate balance needs to
> be stricken between human-readable agreement, machine-readable and the fact
> that people tend to respect the privacy of other people and use common sense
> for this (and there is a social enforcement mechanism) – in other words, you
> may not need a formal agreement for this!
> > · I am a firm believer in balancing law, technology and social
> mechanisms to achieve certain regulatory goals. In this case, we are seeking
> to give power to the individual over his personal data. Some people care
> a lot and others couldn’t care less. In this Information Sharing Agreement I
> believe that technology plays a VERY important role for the reasons I’ve
> expressed above. Although, as explained during the call (I believe it was
> Joe) if the rules are coded, that also means that they can be coded around.
> Yes, this is true but it seems a much more viable option than having to
> impose on individuals and organisations managing all of this. If it is
> coded, it is much more scalable as well. Although people/organisations will
> code around from time to time, they will also infringe legal contracts from
> time to time. The coding infringements will probably be much easier to
> identify and pursue than the legal infringements (opinion from the gut and
> nothing more).
> > I’m sure some have this in mind but I’ll express my view anyway: we
> should take a building block approach that is reliable, predictable and
> cheap for it to be efficient and scalable, and for it to really take hold.
> Iain Henderson
> iain.henderson at mydex.org