[KI-LC] Initial Comments on Privacy Policy for Consent Receipt Implementation

Ken Dagg kendaggtbs at gmail.com
Tue Jul 14 07:46:52 CDT 2015

My former colleague is on holidays. I will try another.

On Tuesday, July 14, 2015, Ken Dagg <kendaggtbs at gmail.com> wrote:

> Robin,
> As I am no longer with the Canadian Government I don't want to
> interpret their privacy legislation. I have included a colleague in the
> government for his interpretation.
> Ken
> On Tuesday, July 14, 2015, Robin Wilton <wilton at isoc.org
> <javascript:_e(%7B%7D,'cvml','wilton at isoc.org');>> wrote:
>> Ken, a quick question (the answer to which I will factor into my over-all
>> comments on the privacy policy statement later…)…
>> Is the Canadian position that an IP address is PII, plain and simple? Or
>> is it that an IP address is PII because, if combined with other data
>> reasonably expected to be in the possession of the data controller, it
>> could be related to an identifiable individual?
>> The latter is, I believe, the EU position as articulated by the Art.29
>> Working Group (at least, as I last understood it).
>> In Kantara’s case, I think what the privacy policy statement intends to
>> say is: “we use IP addresses as part of our site management statistics, but
>> we deliberately don’t correlate them with the other,
>> personally-identifiable data that you may provide in the course of
>> interacting with us”.
>> a) would that interpretation be acceptable under Canadian DP law?
>> b) do you think the current wording allows that interpretation? (If not,
>> we can invite Joni to consider a revision…)
>> R
>> Robin Wilton
>> Technical Outreach Director - Identity and Privacy
>> Internet Society
>> email: wilton at isoc.org
>> Phone: +44 705 005 2931
>> Twitter: @futureidentity
>> On 14 Jul 2015, at 12:38, Ken Dagg <kendaggtbs at gmail.com> wrote:
>> Hi all,
>> Some specific comments:
>> - Some jurisdictions (i.e., Canada) consider an IP address to be PII. As
>> such, the statement "... we keep track of the domains and IP numbers
>> from which people visit us. We also collect site usage statistics such as
>> web browser types and page requests and track users' movements. This data
>> is not personally identifiable ..." regardless of the follow on statement.
>> - I would suggest that a "How we will not use your information" section
>> be added. Entries there could include: "We will not provide your
>> information to anyone or any company for the purposes of advertising. We
>> will not sell your information."
>> - I would suggest that "... not disclose your personally identifiable
>> information to any company not a member of Kantara Initiative ..." become
>> "... not disclose your personally identifiable information to anyone or any
>> company not a member of Kantara Initiative ...". However, this statement
>> seems to imply that KI will disclose an individual's PII to other members
>> of KI with no restriction. Is that true?
>> - as IP address is PII, the section "How you can view or update your
>> personal information" will need to be updated to accommodate viewing IP
>> addresses or state that IP addresses cannot be viewed or modified.
>> See comments on Mark's and Colin's comments inline below.
>> Ken
>> On Monday, July 13, 2015, Colin Wallis <colin_wallis at hotmail.com> wrote:
>>> Thanks Mark
>>> I've (personally) commented <<inline>> below.
>>> Cheers
>>> Colin
>>> ------------------------------
>>> From: mark at smartspecies.com
>>> Date: Mon, 13 Jul 2015 13:51:23 -0400
>>> To: lc at kantarainitiative.org
>>> CC: wilton at isoc.org
>>> Subject: [KI-LC] Initial Comments on Privacy Policy for Consent Receipt
>>> Implementation
>>> Hi LC,
>>> I have updated the comments a little with a couple of policy notes and
>>> some edits. Robin do you have any thoughts about these comments? ( There
>>> are many ways to address notice and consent issues. )
>>> Kind Regards,
>>> Mark
>>> ***
>>> Upon a quick Review of the Privacy Policy there are a  couple of
>>> comments:
>>> http://kantarainitiative.org/confluence/display/GI/Privacy+Policy
>>>    1. Unable to find a Privacy policy  link of the main website, was
>>>    only able to find it on the join the WG form. (lack of usable transparency
>>>    over privacy practices)
>>> <<CW: We should link to it from the landing page of the main website as
>>> well as the WG GPA form, but..any word changes needed?>>
>>> “We may use your information to: To provide you with personalized
>>> content.”
>>>    1. - Is there personalised content or ads?  if not this should be
>>>       removed. If this is true, this should arguably be a listed purpose and
>>>       possibly reflected in a consent receipt.
>>> <<CW: I don't believe there is, or has ever been, but was probably
>>> considered as 'future proofing' Kantara's website activity.  I support
>>> removing this statement>>..
>> <<KD: I would suggest leaving the statement in the policy in order to
>> future proof the policy. However, I would suggest changing it to "To
>> personalize your visit to our website" to alleviate the issue with respect
>> to "advertising" that Mark raised. >>
>>> Consent for cross-border transfer of information:
>>> "Kantara Initiative is a business alliance of individuals,
>>> organizations, and companies operating globally. Please note that while the
>>> Website is located in the United States, data collected on the Website may
>>> be transferred to, and stored or processed in, other countries, including
>>> countries where Kantara Initiative members are located. Laws of these other
>>> countries may not be the same as the laws regulating the use and transfer
>>> of personal data in your country. By entering your personal information on
>>> this Web site, you are consenting to the transfer of that information to
>>> the United States or to other countries for the purposes described in this
>>> privacy policy."
>>> Comments
>>>    - its not clear why personal information would be transferred to
>>>    another country other than the US
>>>       - why this would be done without explicit consent - seem to
>>>       ambiguous and I suggest a review
>>>       - If this is necessary, then this will require something like
>>>       Safe Harbour or BCRS to make compliant, (or) adding more purposes and
>>>       consent options.
>>> <<CW: I don't know the background either, but I could imagine 2 possible
>>> intentions: 1) geographically distributed data centers for cloud based SaaS
>>> offerings like Confluence, 2) the opening of another (European?) office for
>>> Kantara which might require some transfer>>
>>> Possible Solutions
>>>    - Storing information in the US  could be added to the consent
>>>    receipt as a purpose and be explicitly agreed to in the join form.
>>>    - Remove/change ,” may be transferred to other countries … “  unless
>>>    Kantara is unaware, or does this without consent.  If this is the case,
>>>    then, Safe Harbour needs to be used.
>>> <<CW: So working on my assumptions above, and the notion of another
>>> office has not gone away, I think we need to do both of these
>>> suggestions above>>.
>> <<KD: I agree with Mark's first suggestion. However, for Colin's reasons,
>> I would suggest that the second suggestion not be followed. I would suggest
>> amending the statement to say something along the line of the following: KI
>> operates and transfers data to data centres in the following <list of
>> countries>.
>>> We are starting to work on best practices for an implementation of a
>>> consent receipt, these can be found here
>>> <https://kantarainitiative.org/confluence/display/infosharing/Draft:+Consent+Receipt+Documentation+Outlne?src=contextnavchildmode>
>>> _______________________________________________ LC mailing list
>>> LC at kantarainitiative.org
>>> http://kantarainitiative.org/mailman/listinfo/lc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/lc/attachments/20150714/24a5173d/attachment.html>

More information about the LC mailing list