[PASSED] Data Protection Accord

[Maowi]

"2.f. seems redundant in light of 3.d.; asking for the data to be transferred to a different organisation is not necessarily a request to also remove the data from the initial organisation, and if that is also requested, 3.d. has that covered."

[Kenmoria]

“Given that 1e defines ‘users’ as including members, clause 1a should have just ‘users’ rather than ‘users and members’.”

[Marxist Germany]

"The changes requested by the Maowese and Kenmorian ambassadors have been made."

[Marxist Germany]

OOC: Submitted

[Araraukar]

OOC: It's in queue.

[Marxist Germany]

OOC: It's in queue.

OOC: And will be for another 11 days.

[Araraukar]

OOC: It's in queue.

OOC: And will be for another 11 days.

OOC: I know. Just thought it was worth updating the thread title.

[Marxist Germany]

OOC: And will be for another 11 days.

OOC: I know. Just thought it was worth updating the thread title.

OOC: Yeah, thanks for the reminder.

[Morover]

OOC: Copy-pasting my opinion from the TRR Forums. I'll transcribe any responses to the issues brought up here there so that they also can see your responses.

Against for a few reasons.

1. The definition of "organisation" allows foreign governments (including non-member-nation governments) to create organisations which do not have to follow the provisions laid out by the proposal. It would be fine if it said something along the lines of ", not run by the government of the nation from which the individual whom the entity collects information from;", but I cannot support it in its current state.
2. Under the definition of "minor", is not the entirety of childhood a transitional period into adulthood?
3. 2(a) has a few problems. One huge thing that may have been overlooked (or perhaps I'm misreading it) is that it says "and it is not in the best interests of the minor to do so", when it probably should be when it is in the best interest of the minor to do so. I'm going to proceed with these issues assuming that that section of the clause has its intended effect. Another issue I have with it is similar to the definition of "organisation" - it is a very broad statement to say "national governments", without specifying which national government. At the wording of the proposal, so long as any nation says it's in the best interest of the minor (which, frankly, is not reputable if the government itself does not have the best interest of the minor in mind), the business can go ahead and proceed with collecting and storing the minor's information. Additionally, it is an unreasonable burden to put on a government to have them be the approval factor of this, considering that what ould be in the best interest of the minor would have to be judged from a case-to-case basis, and for nations of a billion people or more, this is completely unreasonable. Finally, the last part of this clause, that a nation would need to be unable to verify the age of the user nullifies the rest of the clause - how would a nation be able to confirm that the storing or collecting of a minors data would benefit them, if its impossible to verify the status of the "minor," anyways? Would the nation itself not be able to confirm that for the business, thus making the exceptions provided by the clause useless (considering the use of "and" as opposed to "or" in the clause)?
4. 2(e) prevents the sharing of data from within the organisation itself, which is an unreasonable demand.
5. 2(f) doesn't cover non-member-states. It should be worded in a way that prevents corporations/organisations which harbor information about the residents/citizens of a member-state from sharing the information with the government of any nation, notwithstanding the provisions granted by the clause. I don't know how close this would be to legislating on non-member-states, but its unreasonable to allow non-member-states to have free reign over the information of residents of member-states, especially when said non-member-states have no restrictions as to how they use the information. At this rate, an ultra-authoritarian member-state may very well create a proxy state, not under the jurisdiction of the World Assembly, to buy the information off of Organisations, and then sell that information back to the member-state. It's just speculation, but I could definitely see that happening.
6. 3(a) leads to long-winded terms of use and privacy conditions being written, making users less likely to read said conditions. While they still consented for the purposes of the proposal (which also affects several subclauses of 2, but I figured I'd just sum it up here), they don't really know what they're getting into. I find it unreasonable to assume that the average citizen would read a long-winded explanation of privacy conditions that would inevitably result from this proposal.
7. 3(c) ("That collect or store personal data remove it from their database") makes no sense to me. Maybe I had a stroke, though. Who knows?
8. 3(e) makes it so that if an organisation is aware of a users death through some means, but is never explicitly told about it, they don't have to remove the data.
9. I dislike that 3(f) makes it so that users can directly edit the information, as that could definitely tamper with law enforcement, or even just census information. I would've made it so that users can request a change, though I don't know exactly how to enforce it reasonably. Still, how it is now needs improvement.
10. Under 3(g), who is authorized? The CEO? Anybody who the organisation decides is? It's too vague.
11. It's probably due to my lack of knowledge on the subject as a whole, but I have no idea what 3(h) means.
12. Clause 4 clarifying "or if the user provides falsified personal data" seems a bit odd to me. I'm not strictly opposed to it, but it just is a weird thing to clarify.

[Marxist Germany]

OOC: I have pulled the proposal from quorum, and will look over these issues before resubmitting. Thanks morover.

1. The definition of "organisation" allows foreign governments (including non-member-nation governments) to create organisations which do not have to follow the provisions laid out by the proposal. It would be fine if it said something along the lines of ", not run by the government of the nation from which the individual whom the entity collects information from;", but I cannot support it in its current state.

The current form says "a government", which means it cannot be controlled by any government, I will change it to "any" if you wish.

Under the definition of "minor", is not the entirety of childhood a transitional period into adulthood?

This one was tricky to tackle, which is why I will add "as defined by national governments", as is the case for the definition of "adolescent".

2(a) has a few problems. One huge thing that may have been overlooked (or perhaps I'm misreading it) is that it says "and it is not in the best interests of the minor to do so", when it probably should be when it is in the best interest of the minor to do so. I'm going to proceed with these issues assuming that that section of the clause has its intended effect.

Oh no, that means if it is not in the best interest of the minor to contact the guardian.

Another issue I have with it is similar to the definition of "organisation" - it is a very broad statement to say "national governments", without specifying which national government. At the wording of the proposal, so long as any nation says it's in the best interest of the minor (which, frankly, is not reputable if the government itself does not have the best interest of the minor in mind), the business can go ahead and proceed with collecting and storing the minor's information. Additionally, it is an unreasonable burden to put on a government to have them be the approval factor of this, considering that what ould be in the best interest of the minor would have to be judged from a case-to-case basis, and for nations of a billion people or more, this is completely unreasonable.

I will replace that with examples of situations that count as "not in the best interests" as a guideline.

Finally, the last part of this clause, that a nation would need to be unable to verify the age of the user nullifies the rest of the clause - how would a nation be able to confirm that the storing or collecting of a minors data would benefit them, if its impossible to verify the status of the "minor," anyways? Would the nation itself not be able to confirm that for the business, thus making the exceptions provided by the clause useless (considering the use of "and" as opposed to "or" in the clause)?

That was indeed an error I forgot to rectify that was brought up by Kenmoria previously. I was going to remove the proposal from queue for that reason and you just happened to post these helpful criticisms.

2(e) prevents the sharing of data from within the organisation itself, which is an unreasonable demand.

I am not sure how I can fix this issue, I will ask Kenmoria about this.

2(f) doesn't cover non-member-states. It should be worded in a way that prevents corporations/organisations which harbor information about the residents/citizens of a member-state from sharing the information with the government of any nation, notwithstanding the provisions granted by the clause. I don't know how close this would be to legislating on non-member-states, but its unreasonable to allow non-member-states to have free reign over the information of residents of member-states, especially when said non-member-states have no restrictions as to how they use the information. At this rate, an ultra-authoritarian member-state may very well create a proxy state, not under the jurisdiction of the World Assembly, to buy the information off of Organisations, and then sell that information back to the member-state. It's just speculation, but I could definitely see that happening.

This is a reasonable criticism, however, I think it would fall under metagaming due to legislating on non member states. I will ask for Gensec opinion.

3(a) leads to long-winded terms of use and privacy conditions being written, making users less likely to read said conditions. While they still consented for the purposes of the proposal (which also affects several subclauses of 2, but I figured I'd just sum it up here), they don't really know what they're getting into. I find it unreasonable to assume that the average citizen would read a long-winded explanation of privacy conditions that would inevitably result from this proposal.

This is the case IRL, its not the business' fault that users dont read ToS or the contract.

3(c) ("That collect or store personal data remove it from their database") makes no sense to me. Maybe I had a stroke, though. Who knows?

It's supposed to go "Mandates that organisations ... that collect or store personal data..."

3(e) makes it so that if an organisation is aware of a users death through some means, but is never explicitly told about it, they don't have to remove the data.

I will fix that.

I dislike that 3(f) makes it so that users can directly edit the information, as that could definitely tamper with law enforcement, or even just census information. I would've made it so that users can request a change, though I don't know exactly how to enforce it reasonably. Still, how it is now needs improvement.

Yeah, I will word it like clause 3d.

Under 3(g), who is authorized? The CEO? Anybody who the organisation decides is? It's too vague.

I will try to reword this.

It's probably due to my lack of knowledge on the subject as a whole, but I have no idea what 3(h) means.

It's missing a sentence clause, I will fix it.

Clause 4 clarifying "or if the user provides falsified personal data" seems a bit odd to me. I'm not strictly opposed to it, but it just is a weird thing to clarify.

Ehh, doesn't hurt, I might remove it if I overstep the character limit by a long shot.

[Morover]

OOC: Sorry for not getting to the critiques earlier, sucks that it had to happen once already in queue.

1. The definition of "organisation" allows foreign governments (including non-member-nation governments) to create organisations which do not have to follow the provisions laid out by the proposal. It would be fine if it said something along the lines of ", not run by the government of the nation from which the individual whom the entity collects information from;", but I cannot support it in its current state.

The current form says "a government", which means it cannot be controlled by any government, I will change it to "any" if you wish.

One of us is not understand the other. From my interpretation, by using the term "a government" would be equivalent in meaning to the term "any government," since it doesn't specify which government it is. My suggestion for the wording still stands, and you can feel free to use it without any credit, should you choose to do so.

Under the definition of "minor", is not the entirety of childhood a transitional period into adulthood?

This one was tricky to tackle, which is why I will ad "as defined by national governments", as is the case for the definition of "adolescent".

Might I suggest "at the discretion of the home government?"

2(a) has a few problems. One huge thing that may have been overlooked (or perhaps I'm misreading it) is that it says "and it is not in the best interests of the minor to do so", when it probably should be when it is in the best interest of the minor to do so. I'm going to proceed with these issues assuming that that section of the clause has its intended effect.

Oh no, that means if it is not in the best interest of the minor to contact the guardian.

Forgive my misunderstanding.

Finally, the last part of this clause, that a nation would need to be unable to verify the age of the user nullifies the rest of the clause - how would a nation be able to confirm that the storing or collecting of a minors data would benefit them, if its impossible to verify the status of the "minor," anyways? Would the nation itself not be able to confirm that for the business, thus making the exceptions provided by the clause useless (considering the use of "and" as opposed to "or" in the clause)?

That was indeed an error I forgot to rectify that was brought up by Kenmoria previously. I was going to remove the proposal from queue for that reason and you just happened to post these helpful criticisms.

Well, at least I wasn't the sole cause in your removal of it. Glad that this will be fixed.

2(e) prevents the sharing of data from within the organisation itself, which is an unreasonable demand.

I am not sure how I can fix this issue, I will ask Kenmoria about this.

In all fairness, I'm not exactly sure how to tackle it either. I just know that, as presently worded, it's not really feasible.

2(f) doesn't cover non-member-states. It should be worded in a way that prevents corporations/organisations which harbor information about the residents/citizens of a member-state from sharing the information with the government of any nation, notwithstanding the provisions granted by the clause. I don't know how close this would be to legislating on non-member-states, but its unreasonable to allow non-member-states to have free reign over the information of residents of member-states, especially when said non-member-states have no restrictions as to how they use the information. At this rate, an ultra-authoritarian member-state may very well create a proxy state, not under the jurisdiction of the World Assembly, to buy the information off of Organisations, and then sell that information back to the member-state. It's just speculation, but I could definitely see that happening.

This is a reasonable criticism, however, I think it would fall under metagaming due to legislating on non member states. I will ask for Gensec opinion.

There should be a way not to have it fall under metagaming, though it may be riding a very fine line. I'm working on a solution to the issue currently, anyways, but would like to see a solution in this proposal itself. But yeah, get a GenSec opinion on it.

3(a) leads to long-winded terms of use and privacy conditions being written, making users less likely to read said conditions. While they still consented for the purposes of the proposal (which also affects several subclauses of 2, but I figured I'd just sum it up here), they don't really know what they're getting into. I find it unreasonable to assume that the average citizen would read a long-winded explanation of privacy conditions that would inevitably result from this proposal.

This is the case IRL, its not the business' fault that users dont read ToS or the contract.

I know it's the case IRL - we don't have to strictly adhere to what happens in the real world. I would very much like to see a solution to it in this proposal.

3(c) ("That collect or store personal data remove it from their database") makes no sense to me. Maybe I had a stroke, though. Who knows?

It's supposed to go "Mandates that organisations ... that collect or store personal data..."

I see. While it does work, it doesn't flow super smoothly. It's up to you whether to change it or not, though.

Clause 4 clarifying "or if the user provides falsified personal data" seems a bit odd to me. I'm not strictly opposed to it, but it just is a weird thing to clarify.

Ehh, doesn't hurt, I might remove it if I overstep the character limit by a long shot.

All right. Hopefully you can manage to avoid the character limit.

Thanks for addressing my concerns. Best of luck once this reaches quorum again.

[Kenmoria]

[*]2(e) prevents the sharing of data from within the organisation itself, which is an unreasonable demand.

I am not sure how I can fix this issue, I will ask Kenmoria about this.

(OOC: Append ‘excluding internal transference of data inside the organisation’, or wording to that effect to the end of the clause.

[*]Clause 4 clarifying "or if the user provides falsified personal data" seems a bit odd to me. I'm not strictly opposed to it, but it just is a weird thing to clarify.[/list]

Ehh, doesn't hurt, I might remove it if I overstep the character limit by a long shot.

I recommend not removing it, but you could reduce the character count by using ‘untrue’ instead of ‘falsified’.)

[Marxist Germany]

I am not sure how I can fix this issue, I will ask Kenmoria about this.

(OOC: Append ‘excluding internal transference of data inside the organisation’, or wording to that effect to the end of the clause.

Ehh, doesn't hurt, I might remove it if I overstep the character limit by a long shot.

I recommend not removing it, but you could reduce the character count by using ‘untrue’ instead of ‘falsified’.)

OOC: I have made the changes as appropriate, about the character limit, I have removed an unnecessary preamble clause so we have 100 extra characters to work with.

[Marxist Germany]

OOC: Submission next update

[Maowi]

OOC: Sorry for not getting to this earlier - I'm also on my phone so double check if everything I said actually makes sense

Lauding the previous efforts of this assembly to protect privacy rights through previous legislation such as GA #213 Privacy Protection Act,

"The repetition of 'previous' is redundant here and a little awkward; I'd remove the first instance of the word.

[*]Defines the following for the purpose of this resolution:
[*]An "organisation" as an entity that collects data from its users, and is not run by the government of the nation from which the individual whom the entity collects data is from;

"The second half of that sentence is quite grammatically tangled - I recommend rewording it as 'and is not run by the government of the nation which the individual whose data the entity collects is from'. I'd also replace the word 'users' with 'individuals'.

[*]A "user" as an adult, or a person under the age of majority going through a transitional period into adulthood, as determined by the home member-state of the user; who uses or has used the services of, or is a member or has been a member of, an organisation;

"Surely you can replace the section from 'an adult' to 'the home member-state of the user' with 'a non-minor' or, if you want to be completely on the safe side, 'an individual who is not a minor and uses or has used' etc.?

[*]Organisations from collecting or storing personal data from any individual without their explicit consent except for crime prevention, such as CCTV cameras, unless the individual cannot consent and the personal data is required for an emergency, or unless the data is used exclusively for journalistic purposes;

"As written, 'any individual' includes minors, so you're requiring both the minor's personal consent and their guardian's consent for the organisation to collect or store their data. Is this intentional? If not, I'd specify 'from any individual who is not a minor,' or again 'from any non-minor.'

[*]Organisations from storing received personal data from other organisations without the prior explicit consent of the user the data belongs to;
[*]Organisations from sharing the personal data of a user without their prior explicit consent, excluding internal transference of data inside the organisation;

"I think you can safely eliminate these two clauses if you make a small change in wording in prior clauses whenever you mention organisations collecting or storing personal data from somebody and instead phrasing it as organisations collecting or storing the personal data of somebody. That should cover the situations described here, and would also prevent individuals giving organisations data on others without the latter's consent.

[*]Governments of member states from viewing the personal data of a user without explicit prior consent from both the organisation in possession of the personal data and the user to which the data belongs, unless the user has consented to their personal data being shared with authorities as necessary, as a condition to use the services of the organisation and the personal data collected was for crime prevention, or a judicial order has been issued;

"Having scanned through the rest of this draft, I fail to see a reason for having the defined term 'user' when you could just as easily use 'non-minor' - although could you clarify how this would affect minors? Are governments allowed to view minors' data without their or their guardian's consent? I think this could be made clearer, unless there is something obvious I'm missing (which is entirely possible).

[*]Mandates that organisatons:[list=a]
[*]Provide fully detailed information on how they will use or share a user's personal data to the user explicitly when they interact with the organisation for this first time and when a major change to the data collection or usage policy has been made;

"Again - I don't see the benefit of using 'user' here instead of 'individual' or something. If they're interacting with the organisation, that should be enough. Also, what happens if the organisation is unable to contact the individual/user to notify them of any such changes? Perhaps you could add an exception for cases in which organisations have no means of notifying the relevant individual? And again, what do you want to do here in terms of minors?

Which collect or store personal data remove it from their database if the data is no longer relevant to the services used by the user, or if the user ceases to use the services of or ceases to be a member of, the organisation; (replace that semicolon with a comma) unless the user, consents to that explicitly and clearly, or unless there is a clear and compelling safety or disciplinary reason to do otherwise such as loans, transactions, or disciplinary records;

"The 'which collect or store personal data' at the start seems redundant to me, seeing as your definition of 'organisations' includes that they collect personal data and it's impossible to store personal data without having collected it. I'd remove that (and then replace the subsequent 'it' with 'personal data'). Here again I don't think you lose anything by replacing 'user' with 'individual' or 'non-minor,' and you need to clarify what happens in the case of minors. You also have a couple of rogue commas; I've highlighted in red the ones you should remove.

[*]Allow individuals to request the removal of their personal data, and act upon these requests, unless it falls under an exception mentioned in clause 3c above;

"I'd also allow guardians to request the removal of the personal data of minors in their care. And I don't know what your intentions are for this, but if you want minors to be able to request their data's removal without input from their guardian that should be a conscious decision.

[*]Remove personal data of a user if the organisation is aware of the user's death, subject to exceptions in clause 3c;
[*]Allow users to request that data stored on them by the organisation be edited, and act upon these requests, if the data stored is incorrect;

"You don't lose anything from using 'individuals' here rather than 'users' - again, what happens for minors?

[*]Take reasonable measures to ensure the personal data being stored by the organisation is not accessed by unauthorised persons, such as persons not working in the organisation or persons inside the organisation but are unauthorised to access the data;

"Add 'who' before the final 'are'.

[*]Take reasonable measures to ensure the transfer of personal data to another organisation under a user's request is performed in a reasonable time frame, subject to national legislation;

[*]Declares that an organisation can prohibit a person from using the services of or joining the organisation if the individual does not consent to the personal data collection policy of the organisation, or if the user provides falsified personal data.

"And in these two again: user? Individual? What happens to minors?

"All in all I think you can get rid of the 'user' definition and use other terms instead."

[Quirinum]

Privacy is a very decadent opinion felt by "enlightenment" states. The descendants of the ancient world see no privacy. Society and the state are one. The public thing ought to have no limitation in evaluating the rights of its public figures. How can one determine the fitness of a politician but by looking to how they treat their neighbours? And there are no citizens who are not public figures: those who are not public figures are idiotes who refuse to do their duty. They forfeit any claim to privacy by clinging to selfishness.

[Marxist Germany]

"I have made the changes suggested by the Maowese Ambassador and intend on submitting on New Year's Day."

[Maowi]

OOC: 3.a. - "Provide fully detailed information on how they will use or share a user or minor's personal data to the user or their guardian explicitly when they interact with the organisation for this first time and when a major change to the data collection or usage policy has been made, except when the organisation has no means of communicating with the user or guardian", I think

[Marxist Germany]

OOC: 3.a. - "Provide fully detailed information on how they will use or share a user or minor's personal data to the user or their guardian explicitly when they interact with the organisation for this first time and when a major change to the data collection or usage policy has been made, except when the organisation has no means of communicating with the user or guardian", I think

OOC: Fixed

[Kenmoria]

(OOC: This has been re-submitted, hopefully for the last time.)

[Marxist Germany]

(OOC: This has been re-submitted, hopefully for the last time.)

OOC: Yeah I pulled it from queue and resubmitted because I didn't campaign adequately last time, looks like it should reach vote this time.

[Candlewhisper Archive]

I note that this legislation makes it illegal for a teacher to keep a class register without the explicit permission of the student's parents. Likewise, if a parent were to write down a Christmas card list formed of the names of each student in their kids' class, they'd be unable to do this without the explicit permission of each student's parents.

The ridiculousness here comes from sloppy language.

"personal data" as data that can be used to identify an individual;

...could include a child's names, or initials, or a verbal description of their appearance.

Prohibits:

Organisations from collecting or storing the personal data of any minor without the explicit consent of their guardian

...is a ridiculous level of bureaucracy to impose in situations where implied consent is more than adequate.

If you enrol a child in a school, there is implied consent that they will need to exist on various paper and electronic databases. If you book a theatre ticket in a child's name, there is implied consent that the theatre can track the ticket number as being associated with a child. If a child signs a book of condolences at a funeral, there is implied consent for that name to be in there.

What is not needed is explicit consent.

Sensible data protection is sensible. Reasonable use of information is reasonable. Information governance demands the exercise of common sense and reason, and measured use of documentation.

Blanket prohibitions with no sense of nuance or subtlety are bureaucratic nonsense.

I urge you all to vote against this resolution.

[Marxist Germany]

I note that this legislation makes it illegal for a teacher to keep a class register without the explicit permission of the student's parents. Likewise, if a parent were to write down a Christmas card list formed of the names of each student in their kids' class, they'd be unable to do this without the explicit permission of each student's parents.

OOC: People are not organisations.

The ridiculousness here comes from sloppy language.

"personal data" as data that can be used to identify an individual;

...could include a child's names, or initials, or a verbal description of their appearance.

Initials or verbal descriptions are insufficient to identify a person

Prohibits:

Organisations from collecting or storing the personal data of any minor without the explicit consent of their guardian

...is a ridiculous level of bureaucracy to impose in situations where implied consent is more than adequate.

If you enrol a child in a school, there is implied consent that they will need to exist on various paper and electronic databases. If you book a theatre ticket in a child's name, there is implied consent that the theatre can track the ticket number as being associated with a child. If a child signs a book of condolences at a funeral, there is implied consent for that name to be in there.

What is not needed is explicit consent.

Your first two examples can work if you have the guardian sign a paper or even just asking them. A book of condolences isn't an organisation.

Sensible data protection is sensible. Reasonable use of information is reasonable. Information governance demands the exercise of common sense and reason, and measured use of documentation.

Blanket prohibitions with no sense of nuance or subtlety are bureaucratic nonsense.

I urge you all to vote against this resolution.

You misunderstood the definition of organisation.

[Kenmoria]

Privacy is a very decadent opinion felt by "enlightenment" states. The descendants of the ancient world see no privacy. Society and the state are one. The public thing ought to have no limitation in evaluating the rights of its public figures. How can one determine the fitness of a politician but by looking to how they treat their neighbours? And there are no citizens who are not public figures: those who are not public figures are idiotes who refuse to do their duty. They forfeit any claim to privacy by clinging to selfishness.

“If it is the case that there is an expectation for politicians to open their lives to the public Quirinum, then this can be enforced through society. It is true that a politician who remains secretive may have secrets within their closets, in which case citizens should simply not vote for them. Besides, this proposal doesn’t cover people storing data, only organisations.”

[WayNeacTia]

"I've said it before and I will say it again, this is not an international issue. We have voted against as such."

Wayne