Repo for Stanford - Sorbonne class collaboration
**Automating PII Principal / Data Subject Rights and Data Controls with Computational Privacy Law**
Session Tues 6th Oct, led by:
- Mark Lizar Open Consent Group UK & Smart Species Canada - Mission is to support International Decentralised Data Governance and Meaningful Consent
- James Hazard - CommonAccord.org "Bringing the World to Agreement" - Mission is to modularise law: refine and reuse the same law
This is an approach to developing standard clauses using GitForLaw. We aim to begin a clause repository collaboratively. It can combine with CommonAccord so that clauses can be iterated upon through application (reused rather than re-issued), with international transborder security and privacy rights, so that all stakeholders can use the same standards to be interoperable with humans. In essence, it is the evolution of a very old human innovation called the receipt.
- Get familiar with Git and GitHub for publishing texts and collaboration.
- Get a notion of legal text "modules" as a way of defining and sharing legal rules.
- Explore use in privacy specification.

- Git and GitHub are general-purpose tools for long-term collaboration. They are a key part of open source collaboration for software and should be used for legal text, too.
- Legal rules are mostly expressed in text. A nuanced approach to legal rules can be constructed from the top-down ideas of law and regulation, and the bottom-up ideas of contracts, licenses and consents. This can be both highly individualized and highly interoperable if we handle text as modules.
- Applied to privacy, there can be broad engagements such as data sharing frameworks, specific agreements such as terms of use and individualized elements such as consent receipts. These can be instantiated in particular settings and automated using software code.

- You get on GitHub.
- You draft a clause.
- You contribute it to this repository.
This is the first hack for aNG international policy infrastructure and is a part of a long-term series of community projects that continue to drive the development of decentralised notice and consent standards and best practice for identity surveillance technology. The approach for this hackathing is to enhance Privacy Policies and Terms of Use so that they work together to reverse the #FakePrivacy burden of digital policy.
This is part of a long-term (20 year) multi-community international standards initiative begun by the OECD with Guidelines on the Protection of Privacy and the Transborder Flows of Personal Data, with a clear objective:
“to prevent what are considered to be violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorised disclosure of such data” [OECD 2000:2013] and 20 years of OECD to ISO standardisation for cross border data governance.
After a decade of standards development for the next generation of privacy, the ISO/IEC 29184 standard for Online Notice was published in June 2006. The first example of the next standard, for Operational Notice & Consent Receipts, is published in its appendix.
Now, to put all the latest developments in regulations, standards and technology to good use:
Craft and Post a Privacy Rights Contract Clause to a GitLaw Report:
- Review the Privacy rights, Consent Type and legal justification obligations and considerations before drafting and posting a contractual clause. Understand that the aim is to contract the performance of a Consent Type's enhancement of a terms of use for online services, as specified by GDPR privacy rights.
Consent Type Profile for Privacy Rights
- Pick out a Consent Type from the table, then write a contractual clause for the performance of the privacy rights listed. For insight into what to craft, consider some of the well-known issues for data governance when using terms and conditions.
Note: Consider concepts such as the consistent application of master data controls, what is expected in the performance of the contract and how the use of privacy rights can enhance terms of use for the better.
- Optional: Consider how an international standard can be uniquely placed to help address critical data governance transparency gaps we collectively face today.
- Review/add to the listed/known issues and ToS vs Rights challenges and write a clause that addresses them.
- Select a Consent Type Profile and complete the mapping of human-centric Master Data Controls to a human-centric master data control contract clause.
- Register an [account on GitHub](https://github.com) if you don't have one already.
- From your browser, log into GitHub and navigate to the model clause template. At this link ??? Clone it by clicking on the "Edit" button, which will "fork" this whole aNG-OPN-Accord repo into your account and set you up to edit.
- Edit the page: add a title (Ti=), add section text (sec=), add your name (Author=), and add a Comment if you like. Change the name of the file (in the box at the top of the page) to something meaningful. Save (box at the bottom), with a really short note.
- Do a "Pull-request" - asking us to add your new file to the main repository.
- International GitLaw Project
- Operational Notice & Consent Receipt Specification [V 1.2](https://docs.google.com/document/d/1UjwYuu_-0_JnskDA29PfzRq5XXQYVZHu7QIeEduBS6w/edit?usp=sharing)
- Notice & Consent Receipt: Standard Notice & Consent Controls https://openconsent.atlassian.net/l/c/XZBQURMn
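A pre-submission check for the clause file described in the editing step above, as an added example that is not part of this repository or of CommonAccord. It assumes one `Key=value` record per line and checks only the three keys the step names (`Ti`, `sec`, `Author`); the function names and sample clauses are constructed for illustration.

```python
# Keys named in the editing step above; other keys are accepted as-is.
REQUIRED_KEYS = ("Ti", "sec", "Author")


def parse_clause(text):
    """Parse a clause file into ({key: value}, [problems]).

    Assumption: each record is a single "Key=value" line.
    """
    records, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines between records are fine
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep:
            # Under the one-record-per-line assumption this text belongs to no key.
            problems.append(f"line {lineno}: no '=' found")
            continue
        if not key:
            continue  # lines with an empty key are not checked here
        if key in records:
            problems.append(f"line {lineno}: duplicate key {key!r}")
        records[key] = value.strip()
    return records, problems


def lint_clause(text):
    """Return every problem to fix before opening the pull request."""
    records, problems = parse_clause(text)
    for key in REQUIRED_KEYS:
        if key not in records:
            problems.append(f"missing {key}=")
        elif not records[key]:
            problems.append(f"{key}= is empty")
    return problems


# Constructed sample input, not a clause from the repository.
SAMPLE_OK = (
    "Ti=Restriction on Secondary Use\n\n"
    "sec=The Controller shall not use personal data for advertising "
    "without a separate consent.\n\n"
    "Author=Example Contributor\n"
)
SAMPLE_BAD = "Ti=\nsec=First draft\nsec=Second draft\nwrapped onto a new line\n"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, lint_clause(sample))
```

An empty list means the file carries a title, section text and author; each string in a non-empty list names one thing to correct before submitting.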
To address data governance challenges there has been a longitudinal effort to standardise guidelines for transborder flows of personal data for online identification and digital identity/surveillance management. In this regard the international standard for Online Privacy and Consent Controls has recently been published, with the use of a receipt standard to capture privacy records from online privacy notice and consent.
Privacy policies and terms of use that people are supposed to read and learn have been called out as the Biggest Lie on the Internet, where services pretend to get consent (to policies no one can read or track). Without notice and consent standards there is very weak transparency online, which is now a severe data breach of the most sensitive kinds in many societies. In an industry now dogged by movies like "terms and conditions may apply", "the greatest hack", and the "social dilemma", these policies and terms are contracts of adhesion dressed up as consent, dependent on the Terms of Use of the device manufacturer, the browser and the law. Policies without transparent security, strong (or better legal) transparency, meaningful notice and proportional use of rights are just not trustworthy.
Trustworthiness is created by knowing what to expect.
Surveillance by Design - Online surveillance dark patterns in consent and notice put people at risk of harms in an increasing number of ways as the power of big data technology grows. These dark patterns, also known as surveillance by design, make explicit consent for special/sensitive data categories low quality, especially if consent is 100% dependent on online privacy Notice.
Strong transparency is missing for digital services - little transparency over the legal entities and privacy risks and
Key Risks over the use of Digital Identity Management
Identifier Management Transparency (IMT): this is a critical component of any clause (e.g. restricting identification or identifier tracking and cross-site profiling with cookies and beacons), especially for data trusts like parental consent, or for medical research, etc., which require consent by design, where metadata and big data is a human resource (not a capitalistic one).
Surveillance before explicit consent to surveillance (when consent is lawfully required) is not meaningful consent and is untrustworthy. In most contexts this is considered a breach of security, as notice and consent is required for lawful data processing (with some exceptions).
Secondary Use of Data - for example, context-based advertising without context-based privacy safeguards. Write a privacy agreement clause for restricting secondary use of data for advertising.
Transparency over 3rd Party disclosures and beneficial owners of data processing (e.g. 2nd party Controller or 3rd party is explicit) are provided with a short linked notice receipt to the original Notice for a record of data processing.
Core example: For data trusts or self-sovereign master data control management, the meta-data and big data benefits are under a fiduciary trust (like children's education records). Privacy information should be automatically sourced: meta-data, secondary use of data, the source of the data and inferred data produced by the system.