NationStates

Posted: **Sat Apr 20, 2019 2:02 pm**

Protecting Personal Privacy

Category: Regulation | Area of Effect: Customer Protection | Proposed by:Marxist Germany

The World Assembly,

Disgusted by the lack of legislation regarding the ability of organisations to collect data from their customers without consent;

Discerning every individual's right to privacy;

Deducing that collecting data without consent is violation of the right to privacy;

Describing that most minors are not fully mentally mature and are not capable of comprehending the risks of the decisions they're making on their own without the help of their guardian(s);

Hereby,

Defines the following for the purpose of this resolution:
An "organisation" as any entity that collects data from its members or users, and isn't directly run by a government;
A "minor" as any sapient being under the age of majority;
An "adolescent" as any minor going through a transitional period into adulthood as defined by a government of a member-state;
A "guardian" as any legal guardian of a minor, or if none exists, a biological parent;
"Personal Data" as any data that can be used to identify a sapient individual;
A "user" as any sapient being who uses or has used the services of, or is a member of, an organisation;
Denies:
Organisations from storing the personal data of any non adolescent minor without the explicit consent of their guardian except when the guardian cannot be contacted or it is not in the best interests of the minor to do so, as determined by national governments;
Organisations from collecting data from any user, or non-user, without their explicit consent except for crime prevention;
Organisations from using personal data collected from any individual to intentionally and maliciously cause harm or severe distress to the individual the data belongs to;
Governments of member states from viewing the data of a user without the explicit prior consent from both the organisation in possession of the data and the user to which the data belongs unless:
The data is subject to a subpoena for litigation discovery to which the user is not a party;
The data is subject to a valid warrant during criminal investigation, or;
The user places the data's contents or subject matter at issue as a party in a civil dispute;

Demands that:
Organisations provide information on how they will use a user's data to the user explicitly when they interact with the organisation for this first time or when a major change to the data collection policy has been made;
Organisations enable users, and non-users, to view the data that the organisation holds on them unless the release of data would compromise the well-being of the individual or others;
Personal data processed for any purpose is not kept for longer than is necessary for that purpose unless the user, or non-user, consents to that explicitly and clearly;
Organisations allow users, and non-users to request the removal of their personal data, and act upon these requests unless there is a clear and compelling safety or disciplinary reason to do otherwise such as loans or criminal records;
Declares that an organisation can prohibit a person from using the services of, or joining the organisation if the user does not consent to the data collection policy of the organisation;

Dictates that member states:
Make a private right of action against organisations that do not follow the provisions established in this resolution;
Establish statutory damages as remedies if the damages are enough to be dissuasive.

Co-authored with Kenmoria

Posted: **Sat Apr 20, 2019 2:13 pm**

Reserved for previous drafts

Protecting Personal Data

Category: Regulation | Area of Effect: Customer Protection | Proposed by:Marxist Germany

The World Assembly,

Appalled by the lack of a resolution regarding data protection;

Recognising every individual's right to privacy;

Believing that businesses should not be able to collect data from a customer without the explicit consent of that customer as this is clearly a violation of the right to privacy;

Noting that most minors are not fully mentally mature and are not capable of comprehending the risks of the decisions they're making on their own without the help of their guardians;

Seeking to protect customers from exploitation by businesses;

Hereby,

Defines the following for the purpose of this resolution:
A "Business" as any entity that trades goods or services and is aimed at achieving a profit;
A "Minor" as any sapient being under the age of majority;
A "Guardian" as any legal guardian of a minor, or if none exists, the biological parent;
"Personal Data" as any data that can be used to identify a sapient individual;
A "User" as any sapient being who uses or has used the services of a business;
Prohibits:
Businesses from storing the personal data of any non adolescent minor without the explicit consent of their guardian except when the guardian cannot be contacted or it will not be in the best interests of the minor to do so;
Businesses from collecting data from any user without their explicit consent;
Businesses from using personal data collected from any individual to cause harm or severe distress to the individual the data belongs to;
Businesses from receiving or viewing data obtained from secondary sources if the source hasn't met the boundaries established within this resolution;
Governments of member states from viewing the data of a user without the explicit prior consent from both the business holding the data and the user that the data belongs to, except when the information is needed for a criminal investigation, court case or a search warrant has been issued;
Mandates that:
Businesses provide information on how they will use a user's data to the user explicitly when they interact with the business for this first time or when a change has been made;
Businesses enable users to view the data that the business holds on them unless the release of data would compromise the well-being of the user or others;
Personal data processed for any purpose is not kept for longer than is necessary for that purpose unless the user consents to that explicitly and clearly;
Businesses allow users to request the removal of their personal data, and act upon these requests unless there is a clear and very compelling safety or disciplinary reason to do otherwise;
Clarifies that a business can prohibit a person from using the services of that business if the user does not consent to the collection of their data;

Requires that member states make a private right of action against businesses that don't follow the boundaries established in this resolution;

Encourages member states to enact stricter laws to protect their citizens' privacy from businesses.

Posted: **Sat Apr 20, 2019 7:23 pm**

So, first, all the issues identified in the repeal.

Posted: **Sun Apr 21, 2019 6:13 am**

Imperium Anglorum wrote:So, first, all the issues identified in the repeal.

OOC:Yes

Edit:Tweaked 2d, still looking for a workaround for the child issue

Posted: **Sun Apr 21, 2019 6:35 am**

Marxist Germany wrote:
Imperium Anglorum wrote:So, first, all the issues identified in the repeal.

OOC:Yes

Edit:Tweaked 2d, still looking for a workaround for the child issue

(OOC: There were two child issues mentioned in the repeal. Firstly, that children can have legitimate reasons to not have available the consent of their guardian, for example in cases of child abuse. This can be solved by adding in an exception for when the guardian is not available to contact or it would not be in the best interest of the child for them to be to contacted.

The other issue, about businesses now having an incentive not to collect ages, is more tricky to address. I think that is just a result of legislation protecting children generally, and can’t think of a way out of the situation.)

Posted: **Sun Apr 21, 2019 2:13 pm**

Kenmoria wrote:that children can have legitimate reasons to not have available the consent of their guardian, for example in cases of child abuse. This can be solved by adding in an exception for when the guardian is not available to contact or it would not be in the best interest of the child for them to be to contacted.

One might also want to consider the possibility that adolescents simply should not require the approval of their parents to be on Facebook. To require that sets a somewhat ridiculous standard for parental involvement in absolute trivia.

Posted: **Sun Apr 21, 2019 2:47 pm**

Imperium Anglorum wrote:
Kenmoria wrote:that children can have legitimate reasons to not have available the consent of their guardian, for example in cases of child abuse. This can be solved by adding in an exception for when the guardian is not available to contact or it would not be in the best interest of the child for them to be to contacted.

One might also want to consider the possibility that adolescents simply should not require the approval of their parents to be on Facebook. To require that sets a somewhat ridiculous standard for parental involvement in absolute trivia.

OOC:that's actually the law in EU countries, one can't use twitter until they're 16 because one needs parental consent.

Posted: **Sun Apr 21, 2019 3:01 pm**

Marxist Germany wrote:OOC:that's actually the law in EU countries, one can't use twitter until they're 16 because one needs parental consent.

Just because a law exists IRL doesn't mean it can't be stupid. Governments are famous for stupid laws - it's partly why libertarianism and this game exists.

Posted: **Sun Apr 21, 2019 3:04 pm**

Marxist Germany wrote:OOC:that's actually the law in EU countries, one can't use twitter until they're 16 because one needs parental consent.

OOC: 13, not 16. Source. WhatsApp has 16.

Posted: **Sun Apr 21, 2019 4:30 pm**

OOC:Changes have been made

Posted: **Sun Apr 21, 2019 6:48 pm**

Marxist Germany wrote:
Imperium Anglorum wrote:One might also want to consider the possibility that adolescents simply should not require the approval of their parents to be on Facebook. To require that sets a somewhat ridiculous standard for parental involvement in absolute trivia.

OOC:that's actually the law in EU countries, one can't use twitter until they're 16 because one needs parental consent.

Okay, I'll ignore what Ara said for the sake of this argument. What you said does not negate my point. I say that people should be permitted to go on social media without requiring parental authorisation. You tell me that people can do that when they are 16.

The age of majority in all EU countries, except Scotland, is 18. Thus, there are two years in which people are permitted to go on social media without requiring parental authorisation. So if we accept the implicit argument, that because it is done in real life, we ought to do it, this flows towards my side and not towards yours.

Posted: **Mon Apr 22, 2019 3:00 am**

“You should have ‘the minor’ rather than ‘a minor’ after ‘best interests of’ in clause 2a, so that the child involved must be the one to have harm done to them, not any uninvolved youth.”

Posted: **Tue Apr 23, 2019 6:38 am**

Marxist Germany wrote:Defines ... A "Business" as any entity that trades goods or services and is aimed at achieving a profit;

OK, so Data Trap Inc sets up a subsidiary organisation called Loophole & Co that doesn't trade goods or services and doesn't attempt to achieve a profit. Loophole & Co is not a business for purposes of this resolution, so it can collect and process any personal data it wants, free from any restrictions other than clause 3c (which is entirely toothless if the stated purpose of data processing is "so that we know everything about you.")

Assuming that Data Trap Inc can view Loophole & Co's data without storing it (a technical IT challenge, but doable) it can freely use data on minors (avoiding 2a) and data that was gathered without consent (avoiding 2b). Loophole & Co can share data with the government (avoiding 2d) and need not allow users to view the stored data (avoiding 3b) or acknowledge any requests to delete it (avoiding 3d).

2c and 3a still take effect, but while Data Trap Inc now has to tell you what it's doing with your data you can't do anything to stop them.

Also, without any consideration of subsidiaries, 2c appears to prevent businesses from trying to collect money owed to them, since being pursued for bills you can't pay is a well documented cause of harm and severe distress.

Posted: **Tue Apr 23, 2019 6:48 am**

Uan aa Boa wrote:
Marxist Germany wrote:Defines ... A "Business" as any entity that trades goods or services and is aimed at achieving a profit;

OK, so Data Trap Inc sets up a subsidiary organisation called Loophole & Co that doesn't trade goods or services and doesn't attempt to achieve a profit. Loophole & Co is not a business for purposes of this resolution, so it can collect and process any personal data it wants, free from any restrictions other than clause 3c (which is entirely toothless if the stated purpose of data processing is "so that we know everything about you.")

Assuming that Data Trap Inc can view Loophole & Co's data without storing it (a technical IT challenge, but doable) it can freely use data on minors (avoiding 2a) and data that was gathered without consent (avoiding 2b). Loophole & Co can share data with the government (avoiding 2d) and need not allow users to view the stored data (avoiding 3b) or acknowledge any requests to delete it (avoiding 3d).

2c and 3a still take effect, but while Data Trap Inc now has to tell you what it's doing with your data you can't do anything to stop them.

Also, without any consideration of subsidiaries, 2c appears to prevent businesses from trying to collect money owed to them, since being pursued for bills you can't pay is a well documented cause of harm and severe distress.

Bad faith AF.

Posted: **Tue Apr 23, 2019 7:23 am**

Aclion wrote:Bad faith AF.

Sorry, what do you mean?

Posted: **Tue Apr 23, 2019 7:57 am**

Uan aa Boa wrote:
Marxist Germany wrote:Defines ... A "Business" as any entity that trades goods or services and is aimed at achieving a profit;

OK, so Data Trap Inc sets up a subsidiary organisation called Loophole & Co that doesn't trade goods or services and doesn't attempt to achieve a profit. Loophole & Co is not a business for purposes of this resolution, so it can collect and process any personal data it wants, free from any restrictions other than clause 3c (which is entirely toothless if the stated purpose of data processing is "so that we know everything about you.")

Assuming that Data Trap Inc can view Loophole & Co's data without storing it (a technical IT challenge, but doable) it can freely use data on minors (avoiding 2a) and data that was gathered without consent (avoiding 2b). Loophole & Co can share data with the government (avoiding 2d) and need not allow users to view the stored data (avoiding 3b) or acknowledge any requests to delete it (avoiding 3d).

2c and 3a still take effect, but while Data Trap Inc now has to tell you what it's doing with your data you can't do anything to stop them.

Also, without any consideration of subsidiaries, 2c appears to prevent businesses from trying to collect money owed to them, since being pursued for bills you can't pay is a well documented cause of harm and severe distress.

OOC:Loophole & Co doesn't sell a service ir trade so it won't receive any customers

Posted: **Tue Apr 23, 2019 8:02 am**

Marxist Germany wrote:
Uan aa Boa wrote:OK, so Data Trap Inc sets up a subsidiary organisation called Loophole & Co that doesn't trade goods or services and doesn't attempt to achieve a profit. Loophole & Co is not a business for purposes of this resolution, so it can collect and process any personal data it wants, free from any restrictions other than clause 3c (which is entirely toothless if the stated purpose of data processing is "so that we know everything about you.")

Assuming that Data Trap Inc can view Loophole & Co's data without storing it (a technical IT challenge, but doable) it can freely use data on minors (avoiding 2a) and data that was gathered without consent (avoiding 2b). Loophole & Co can share data with the government (avoiding 2d) and need not allow users to view the stored data (avoiding 3b) or acknowledge any requests to delete it (avoiding 3d).

2c and 3a still take effect, but while Data Trap Inc now has to tell you what it's doing with your data you can't do anything to stop them.

Also, without any consideration of subsidiaries, 2c appears to prevent businesses from trying to collect money owed to them, since being pursued for bills you can't pay is a well documented cause of harm and severe distress.

OOC:Loophole & Co doesn't sell a service ir trade so it won't receive any customers

(OOC: The point was that Loophole & Co. was set up as a subsidiary of Data Trap Inc.. This means that the customers of Data Trap Inc. will have their data monitored by Loophole & Co., who can store data without punishment since they are not a business. Data Trap Inc. can then use the data of Loophole & Co. however it wants, regardless of this proposal.)

Posted: **Tue Apr 23, 2019 10:57 am**

OOC:I can't seem to be able to fix that

Posted: **Tue Apr 23, 2019 11:01 am**

Marxist Germany wrote:OOC:I can't seem to be able to fix that

(OOC: Try prohibiting a business from viewing data obtained from a secondary source if there is cause to suspect that the secondary data did not meet the standards laid out by this proposal.)

Posted: **Tue Apr 23, 2019 11:17 am**

Kenmoria wrote:
Marxist Germany wrote:OOC:I can't seem to be able to fix that

(OOC: Try prohibiting a business from viewing data obtained from a secondary source if there is cause to suspect that the secondary data did not meet the standards laid out by this proposal.)

Better yet, make the rules apply to everyone who stores and processes personal data. This is certainly what the EU system does. Why should non-profits, fundraising appeals, churches, political parties or random members of the public get to make unregulated use of personal data anyway?

Posted: **Tue Apr 23, 2019 4:45 pm**

Uan aa Boa wrote:Better yet, make the rules apply to everyone who stores and processes personal data. This is certainly what the EU system does. Why should non-profits, fundraising appeals, churches, political parties or random members of the public get to make unregulated use of personal data anyway?

OOC: ^This.

Posted: **Wed Apr 24, 2019 1:34 pm**

Araraukar wrote:
Uan aa Boa wrote:Better yet, make the rules apply to everyone who stores and processes personal data. This is certainly what the EU system does. Why should non-profits, fundraising appeals, churches, political parties or random members of the public get to make unregulated use of personal data anyway?

OOC: ^This.

OOC:I'll see what I can do.

Posted: **Fri Apr 26, 2019 5:28 am**

"I have decided against adding other organisations as this would be too overreaching and micromanaging."

Posted: **Fri Apr 26, 2019 10:34 am**

“3a doesn’t make any qualifications on when this is to be offered nor for what is precisely meant by it. I interact with many businesses in one form of another every day, and don’t really want to be told every time one collects data on me. This especially applies online, where research may involve hundreds of commercial websites, and I have need to have each term and condition read to me.”

Posted: **Fri Apr 26, 2019 2:08 pm**

Kenmoria wrote:“3a doesn’t make any qualifications on when this is to be offered nor for what is precisely meant by it. I interact with many businesses in one form of another every day, and don’t really want to be told every time one collects data on me. This especially applies online, where research may involve hundreds of commercial websites, and I have need to have each term and condition read to me.”

"This has hopefully been addressed appropriately."

NationStates

[DEFEATED] Protecting Personal Privacy

[DEFEATED] Protecting Personal Privacy