Repo for Stanford - Sorbonne class collaboration
**Automating PII Principal / Data Subject Rights and Data Controls with Computational Privacy Law**
Session Tues 6th Oct, led by:
- Mark Lizar Open Consent Group UK & Smart Species Canada - "Smart Person - Smart Planet" Mission to support Meaningful Consent with GitForLaw tools made for Decentralised Data Governance
- James Hazard - CommonAccord.org "Bringing the World to Agreement" - Mission to modularise law refine and reuse with linked records (for data processing)
This is an approach to enhance existing by combining standards (and iteratively better legal practice) with GitForLaw. In this session we aim to begin this project clause repository collaboratively together with an evolution of a very old human innovation commonly called a receipt.
- Get familiar with Git and GitHub for publishing texts and collaboration.
- Get a notion of legal text "modules" as a way of defining and sharing legal rules.
- Explore use in privacy specification.

- Git and GitHub are general-purpose ways of collaborating over the long term. They are a key part of open source collaboration for software, and should be used for legal text, too.
- Legal rules are mostly expressed in text. A nuanced approach to legal rules can be constructed from the top-down ideas of law and regulation, and the bottom-up ideas of contracts, licenses and consents. This can be both highly individualised and highly interoperable if we handle text as modules.
- Applied to privacy, there can be broad engagements such as data sharing frameworks, specific agreements such as terms of use, and individualised elements such as consent receipts. These can be instantiated in particular settings and automated using software code.

- You get on GitHub.
- You draft a clause.
- You contribute it to this repository.
This is the first hack for aNG international policy infrastructure and is a part of a long-term series of community projects that continue to drive the development of decentralised notice and consent standards and best practice for identity surveillance technology. The objective of this hack-a-legal-thing project is to provide lawyers with a way to enhance Privacy Policies and Terms of Use with terms that leverage privacy to reduce contract necessity and liability.
This is part of a long term (20 year) multi-community international standards initiative begun by the OECD with Guidelines on the Protection of Privacy and the Transborder Flows of Personal Data, with a clear objective:
“to prevent what are considered to be violations of fundamental human rights, such as the unlawful storage of personal data, the storage of inaccurate personal data, or the abuse or unauthorised disclosure of such data” [OECD 2000:2013] and 20 years of OECD to ISO standardisation for cross border data governance.
After a decade of standards development for the next generation of privacy, the ISO/IEC 29184 standard for Online Notice has been published June 2006. The first example of the next standard for Operational Notice & Consent Receipts is published in its appendix.
Now, to put all the latest developments in regulations, standards and technology to good use
Craft and Post Privacy Rights Contract Clauses for Advanced Consent(ed) Information Sharing (PR-AdvCIS):
- To write/pick a standard contractual clause to enhance or supersede terms of use for online services through contracting the performance of privacy rights.
- Review the privacy rights, Consent Type and legal justification obligations and considerations outlined on the AdvCIS wiki: Consent Type Profile for Privacy Rights.
- Pick out a Consent Type from the table, then write a term or clause/comment for the performance of the privacy rights listed. For insight into what to craft, consider some of the well-known issues for data governance, also found at the same link on the Consent Type Wiki.
- Considerations: consider some of the greatest privacy challenges of our time and how an international standard can be uniquely placed to help address the critical data gov transparency gaps we collectively face today.
- Register an [account on GitHub](https://github.com) if you don't have one already.
- From your browser, log into GitHub and navigate to the model clause template. At this link ??? Clone it by clicking on the "Edit" button, which will "fork" this whole OPN-aNG-Accord repo into your account and set you up to edit.
- Edit the page - add a title (Ti=) add section text (sec=) add your name (Author=) add a Comment if you like. Change the name of the file (in the box at the top of the page) to something meaningful. Save (box at the bottom), with a really short note.
- Do a "Pull-request" - asking us to add your new file to the main repository.
- International GitLaw Project
- Operational Notice & Consent Receipt Specification [V 1.2](https://docs.google.com/document/d/1UjwYuu_-0_JnskDA29PfzRq5XXQYVZHu7QIeEduBS6w/edit?usp=sharing)
- Notice & Consent Receipt: Standard Notice & Consent Controls https://openconsent.atlassian.net/l/c/XZBQURMn
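
The editing step above asks for a title (`Ti=`), section text (`sec=`) and your name (`Author=`), with an optional `Comment=`. As an added example (not code from this repository or from CommonAccord), the following Python check reads a clause file as `key=value` lines and lists what is missing before you open the pull request. Treating those three fields as required and rejecting duplicate keys are assumptions of this sketch, and the sample clause is constructed.

```python
# Pre-submission check for a clause file made of key=value lines.
# Assumption: Ti, sec and Author are required; Comment is optional.
REQUIRED_KEYS = ("Ti", "sec", "Author")

# Constructed sample clause, not taken from the repository.
SAMPLE_CLAUSE = """\
Ti=Restriction on Secondary Use for Advertising
sec=The Controller shall not use personal data collected under this notice for advertising without a separate, explicit consent.
Author=Example Student
Comment=Drafted for the PR-AdvCIS exercise.
"""


def parse_clause(text):
    """Parse key=value lines into a dict and collect malformed or duplicate lines."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored
        key, sep, value = line.partition("=")  # split on the first '=' only
        key = key.strip()
        if not sep or not key or " " in key:
            problems.append(f"line {lineno}: not a key=value line")
            continue
        if key in fields:
            problems.append(f"line {lineno}: duplicate key {key!r}")
            continue
        fields[key] = value.strip()
    return fields, problems


def check_clause(text):
    """Return a list of problems; an empty list means the file is ready to submit."""
    fields, problems = parse_clause(text)
    for key in REQUIRED_KEYS:
        if key not in fields:
            problems.append(f"missing required field {key}=")
        elif not fields[key]:
            problems.append(f"field {key}= is empty")
    return problems


if __name__ == "__main__":
    for problem in check_clause(SAMPLE_CLAUSE) or ["ok"]:
        print(problem)
```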
To address data governance challenges there has been a longitudinal effort to standardise guidelines for transborder flows of personal data for online identification and digital identity/surveillance management. In this regard the international standard for Online Privacy and Consent Controls was recently published, with the use of a receipt standard to capture privacy records from online privacy notice and consent.
Privacy policies and terms of use that people are supposed to read and learn have been called out as the Biggest Lie on The Internet, where services pretend to get consent (to policies no one can read or track). Without notice and consent standards there is very weak transparency online, which is now a severe data breach of the most sensitive kinds in many societies. In an industry now dogged by movies like "terms and conditions may apply", "the greatest hack", and the "social dilemma", these policies and terms are contracts of adhesion dressed up as consent, dependent on the Terms of Use of the device manufacturer, the browser and the law. Policies without transparent security, strong (or better legal transparency), meaningful notice and proportional use of rights are not trustworthy.
An operational notice is operational on the premise that trustworthiness is decided and managed by the individual consenting to provision of data, and that this person is assigned a privacy rights key which indicates who the master data controller is to an identity surveillance system, providing people with the means to see and know what kind of surveillance to expect. Trust in what to expect is a requirement for increasing the trustworthiness of systems.
- Cyber Security - Weak Transparency: consent is asked without presenting the legal entity / data controller identity first, in a relationship created only online. People may not be able to see who the beneficial owner of the data processing services is (if not the controller). Strong transparency is a requirement for legal consent. This is missing due to inconsistent terms, causing great harm and preventing the great collaborative good that can be attained with standardised digital service transparency.
- Audits of an online service will often show obvious surveillance dark (contract clause) patterns in privacy policies and terms of service. They are dark patterns because they mimic human consent and notice while obscuring the risks people should be aware of when using services and systems. This makes these systems unfair and harmful data governance practices that put people at risk of harm in an increasing number of ways as the power of big data technology grows. These dark patterns, also known as surveillance by design, make explicit consent for special/sensitive data categories low quality, especially if consent is 100% dependent on online privacy notice.
- Identifier Management Transparency (IMT): this is a critical component of any clause (e.g. restricting identification or identifier tracking and cross-site profiling with cookies and beacons), especially for data trusts like parental consent, or for medical research, etc., which require consent by design, where metadata and big data is a human resource (not a capitalistic one).
- Surveillance before explicit consent to surveillance (when consent is lawfully required) is not meaningful consent and is untrustworthy. In most contexts this is considered a breach of security, as notice and consent are required for lawful data processing (with some exceptions). Secondary Use of Data: for example, context-based advertising without context-based privacy safeguards. Write a privacy agreement clause for restricting secondary use of data for advertising.
- Transparency over 3rd party disclosures and beneficial owners of data processing (e.g. 2nd party Controller or 3rd party is explicit) are provided with a short linked notice receipt to the original Notice for a record of data processing.
Example Applications:
- Consent By Design Environment for AdvCIS Experience with a proposed 'Expressed' Consent Type
- master meta-data control management for the trusted fiduciary
- The power of meta-data and big data trust benefits with shared belief systems and a powerful fiduciary trust (children's education records).