[DEFEATED] End Excessive Data Retention Act

[The New California Republic]

Looks as though this could actually hit quorum. For all of you who have approved the proposal, we offer our thanks and gratitude.

Your inability to answer our concerns has earned our opposition to this proposal.

OOC: And the opposition of a lot of others to this proposal I suspect...

[Avgrunden]

Currently 103/105 approvals.

[Cute Puppies]

Currently 103/105 approvals.

I honestly didn't believe it would make it that far. I'm sorry for suggesting it wouldn't make it in my previous comments. Honestly, good job.

[Imperium Anglorum]

He's done a great deal of tag:template campaigning. A great deal. I'm sitting on three of his telegrams.

[Arotania]

1. Defines, for the purposes of this resolution:
   
   1. "Communications Provider" as any business, such as an internet service provider, that engages in the service of transferring electronic data.
      
   2. "Data" as any electronic information derived from a customer's use of a communications provider's services.

Putting these two together:
So a "Communications Provider" is any business that engages in transferring of electronic electronic information derived from the customer's use of their services?
That reads weirdly circular and exploitable to us. Also what is electronic electronic information supposed to be?

"Data Retention Law" as any government mandate requiring communications providers to retain all customer data for a period of time.

So any government mandate requiring communications providers to retain only most but not all customer data for a period of time would not be a "Data Retention Law" according to this proposal? 2a. again doubles down on the 'all data' bit. Was this proposal written by the Department of Redundancy Department?

[Wallenburg]

How is this of international importance?

[Araraukar]

OOC: Given subclause 4.a. and the specifying "member nations" at each clause, I question the chosen strength.

Also, all this does is saying that member nations can't make national laws requiring data storage for longer than 90 days. It doesn't say the WA can't make such a law.

[Avgrunden]

How is this of international importance?

The internet is inherently cross-jurisdictional in nature. That is why the World Assembly must enact minimum standards to protect data privacy and security.

OOC:
I'll need to draw an example from the real world to illustrate my point.

Internet data is usually not stored in one singular location. Your data could be (and probably is) stored in multiple places around the globe.

Take Google for example. When you interact with a Google service (Google search, Google Drive, Google Maps, you name it), Google collects data on you. This data is then broken up into "shards" and stored in multiple data centers.

Here's some resources on Google data centers:
https://en.wikipedia.org/wiki/Google_Da ... #Locations
https://en.wikipedia.org/wiki/Shard_(da ... chitecture)

Now imagine for a second that this data is stored in two data servers. One server is located in a country that has reasonable standards for data privacy. The other server is located in a country where communications providers are forced, by law, to keep that data for long periods of time. It isn't sufficient for nations to individually enact laws protecting data privacy and security when that same data is located on another part of the globe.

[Avgrunden]

"Data Retention Law" as any government mandate requiring communications providers to retain all customer data for a period of time.

So any government mandate requiring communications providers to retain only most but not all customer data for a period of time would not be a "Data Retention Law" according to this proposal? 2a. again doubles down on the 'all data' bit. Was this proposal written by the Department of Redundancy Department?

We've been trying to cut the DRD budget for decades.

OOC:
Jokes aside, the redundancy is a feature, not a bug. The redundancy makes it crystal clear that we're referencing electronic data, as opposed to paper data in a file cabinet somewhere.

[The New California Republic]

How is this of international importance?

OOC: It isn't.

[Avgrunden]

OOC: Given subclause 4.a. and the specifying "member nations" at each clause, I question the chosen strength.

Also, all this does is saying that member nations can't make national laws requiring data storage for longer than 90 days. It doesn't say the WA can't make such a law.

You are correct. EEDRA would not prevent the WA from, in the future, creating a resolution that itself forced communications providers to retain data for a period longer than 90 days.

However, such a resolution would have to be entirely self-executing - the WA could not, for example, create a resolution forcing Member States to enact their own laws and procedures to effectuate the WA's resolution. EEDRA § 2a uses the phrasing "enacting or enforcing..." (emphasis added).

As to your point about the strength, we chose a "significant" as opposed to "mild" strength primarily because of the added effect of EEDRA § 2b, which places a limitation on Member States requiring a communications provider to retain a specific customer's data. Regardless of how long the government wants the provider to keep that customer's data, the government must still have a "reasonable need" for that data in a law enforcement or national security investigation. This is probably the single provision with the most teeth, and is the reason why we chose the "significant category".

However, it is important to keep in mind that this provision does not govern data seizure - i.e. the government telling the provider to hand over data. Assuming that either the government has forced the provider to retain the data within the bounds of EEDRA, or in the alternative that the provider has voluntarily retained their data (explicitly allowed by EEDRA § 4a), EEDRA would have nothing to say about the government forcing the company to hand over the data to the government (although I believe WAR # 213, "The Privacy Protection Act", § 2 and § 4b could have something to say about that).

[Avgrunden]

Currently 103/105 approvals.

I honestly didn't believe it would make it that far. I'm sorry for suggesting it wouldn't make it in my previous comments. Honestly, good job.

No need to apologize, you were simply making a well-reasoned point.

[Araraukar]

You are correct. EEDRA would not prevent the WA from, in the future, creating a resolution that itself forced communications providers to retain data for a period longer than 90 days.

However, such a resolution would have to be entirely self-executing

OOC: The committee rule was just changed to make it easy to do, just so you know...

[Arotania]

So any government mandate requiring communications providers to retain only most but not all customer data for a period of time would not be a "Data Retention Law" according to this proposal? 2a. again doubles down on the 'all data' bit. Was this proposal written by the Department of Redundancy Department?

We've been trying to cut the DRD budget for decades.

OOC:
Jokes aside, the redundancy is a feature, not a bug. The redundancy makes it crystal clear that we're referencing electronic data, as opposed to paper data in a file cabinet somewhere.

Our question was not answered. To repeat:
'So any government mandate requiring communications providers to retain only most but not all customer data for a period of time would not be a "Data Retention Law" according to this proposal?'

This as well as the circular nature of the definitions (leaving the door wide open for misapplications of this proposal) look like fatal flaws to us.

OOC:
Google is a pretty bad example. Noone has to force Google to store all data they can get their hands on, they already do this on their own. Also they comply with local laws. Just look into their China business. EU data protection laws and everything that comes with them (Safe Harbor, Privacy Shield etc.) also come to mind.

[Imperium Anglorum]

I’m not usually one to talk about whether something is an international issue anymore. But this one is for sure not an international issue. In fact, I don’t even think it’s all that important of a domestic one. I will vote Nay when this comes up.

[Wallenburg]

All OOC, I guess:

The internet is inherently cross-jurisdictional in nature.

1) Not quite. There are many closed networks operating within a single country or even a single building. The only thing that makes the Internet international is the ability to communicate with foreign devices, which not all internets support.
2) This proposal has nothing to do with the international flow of information. It deals instead with communications providers, and customer data they store. Sounds pretty domestic to me.
3) You cite the Internet, yet this proposal is written to include other means of electronic communication, such as CCTV, PANs and LANs, library and museum computer networks, and the GCCS, to name a few. It also includes broader forms of communication that definitely are not the Internet, such as telephone lines, AM and FM radio, and even telegraph systems.

That is why the World Assembly must enact minimum standards to protect data privacy and security.

No, it isn't.

OOC:
I'll need to draw an example from the real world to illustrate my point.

Internet data is usually not stored in one singular location. Your data could be (and probably is) stored in multiple places around the globe.

Yes, it might be. By my Internet service provider. Any other electronic communications network I use quite likely stores my data domestically, or even within my own home.

Take Google for example. When you interact with a Google service (Google search, Google Drive, Google Maps, you name it), Google collects data on you. This data is then broken up into "shards" and stored in multiple data centers.

Here's some resources on Google data centers:
https://en.wikipedia.org/wiki/Google_Da ... #Locations
https://en.wikipedia.org/wiki/Shard_(da ... chitecture)

More often, it's Google storing data you upload to their servers or their servers download while searching the Web, but yes.

Now imagine for a second that this data is stored in two data servers. One server is located in a country that has reasonable standards for data privacy. The other server is located in a country where communications providers are forced, by law, to keep that data for long periods of time. It isn't sufficient for nations to individually enact laws protecting data privacy and security when that same data is located on another part of the globe.

Then target international data transfers within the server networks of Internet service providers. Because what you are currently doing is building a football stadium when someone asked you to resod their lawn. Sure, both of those involve laying down grass, but one of them is on way too big a scale and doesn't really focus on what it should.

I have one more distinction to make. I asked you how this is of international importance, but you answered how this is an international issue. I use the phrase "international importance" because some domestic issues (such as free speech and protections against genocide) merit international legislation, and some international issues (such as the migration of monarch butterflies across the US-Mexico border or the circulation of air over national borders) do not merit international legislation. So, once more, how is this of international importance?

[Avgrunden]

We have received many great questions from the international community regarding EEDRA. We will try to answer as best as possible.

Big Data Means Big Problems

Information is power. Those who wield the most information, at the end of the day, win. With more and more of our lives being lived electronically, communications providers have that power of information. And through the use of data retention laws, that power is given to the government, often with no limitations or oversight.

With great power comes great responsibility. The optimists among us may believe that the power of information will always be used responsibly by member states. But the realists among us know better. We know that power always has the potential for abuse.

The Internet Makes Domestic Solutions Impossible

With the advent of the internet and the constant flow of data worldwide, purely domestic solutions to data retention are impossible. Even if some networks remain entirely local, the world is becoming increasingly globalized.

Communications providers are selling your data. That data is travelling across the world to who-knows-where.

The Free Lands of Avgrunden have laws on our books protecting our citizens private data. But we also want our tech companies to be able to compete in a global marketplace. When our companies engage in commerce overseas, our companies have to follow the laws of those other countries, which can include forced data retention. In this global marketplace, our own national laws are insufficient to ensure that our own tech companies can protect customer data.

But this problem is not specific to Avgrunden. As technology companies move and compete around the globe, they have to comply with a myriad of local laws, many of which are ill-suited for the modern world.

This is Not a Final Solution - It's Just the Beginning

EEDRA is not a fix-all for the issue of data privacy, nor would we claim it to be. Of course, private actors can still create these same problems by voluntarily storing massive amounts of data for excessive periods of time.

But EEDRA removes a significant roadblock on the road to data privacy and security: government coercion. Without EEDRA, consumers have no choice. Communications providers have no choice.

With EEDRA, communications providers are not forced to retain data for lengthy periods of time. This leaves a wide door open for a new generation of tech companies who care about their consumers' data privacy.

Respectfully,

Ingmar Viklund,
Executor,
The Free Lands of Avgrunden

[Hessere]

Reiterating points some have made thus far in this thread, but:

The fact that you seem to be completely deflecting any criticisms directed at your proposal and the nonexistent drafting time, plus the nature of said issue (more a minor domestic one), garners me (and many others) an against. I (and, again, as well as many others) strongly suggest you pull it and look it over.

[Araraukar]

*snip*

OOC: All you're doing is to make it impossible to create a national law that demands data be stored forever. You do nothing to limit the companies like Google or Facebook or whatnot from keeping the data forever, and I think that's the real problem with data retention.

[The Holy Cee]

"The Holy Cee will vote against this resolution in it's current form. While the Holy Cee understands that the intentions of this resolution are good in nature, we believe that the resolution is need of a few more tweaks."

[Kenmoria]

Reiterating points some have made thus far in this thread, but:

The fact that you seem to be completely deflecting any criticisms directed at your proposal and the nonexistent drafting time, plus the nature of said issue (more a minor domestic one), garners me (and many others) an against. I (and, again, as well as many others) strongly suggest you pull it and look it over.

(OOC: This. There is no reason for the proposal to have submitted so early nor for it not be withdrawn once several changes that should have been made became apparent.)

[Nasod]

Prohibits:
World Assembly Member States from enacting or enforcing data retention laws that require communications providers to retain all customer data for a period greater than 90 days.

...

Does Not:
Prevent communications providers from voluntarily storing customer data for periods greater than 90 days.

If the government must give up their ability to access citizens data after 90 days for fear they are abusing that ability, why should companies who frequently operate in only the interest of money, get to keep that ability?
Also, how would this be effective in stopping data abuse if a company could voluntarily hold data for more than 90 days? Part of the act seems to focus on the risks of data hacks and breeches, but if companies voluntarily kept data than they would be just as susceptible to hacks, correct?

[Arotania]

*snip*

OOC: All you're doing is to make it impossible to create a national law that demands data be stored forever. You do nothing to limit the companies like Google or Facebook or whatnot from keeping the data forever, and I think that's the real problem with data retention.

OOC:
Government-imposed data retention, especially on the ISP level, is a real enough problem. But this proposal limits itself to laws that demand all data be stored for a period of time. The 'all' is twice in there (1c + 2a) for emphasis, in case we missed it the first time. Storing all customer data is extremely impractial for ISPs. I am not sure there is even one real world data retention law that would be covered by this proposal.
OPs insistance on pushing through a severely flawed version of this proposal is really off-putting.

[Imperial Polk County]

"I don't understand the benefit of this legislation. What's wrong with making companies retain data for a year or more? I don't think such data retention is excessive at all."

[The New California Republic]

OOC: Thankfully it is getting annihilated in the vote. There are just too many problems with it, the biggest being the fact that this is not an international issue. I have tried to look for ways that this could be an international issue, but there simply aren't any.