- From: Angel Machín <angel.machin@gmail.com>
- Date: Thu, 30 Oct 2008 11:08:53 +0000
- To: public-geolocation@w3.org
- Message-ID: <5562f69c0810300408h48020f85uf50f79e3763c6abc@mail.gmail.com>
Very interesting discussions, privacy and security are always tough topics.

I think that regarding location data privacy we have an important aid: we can lean on real laws and rules from regulators which establish how location data must be managed by location-based services. I am not an expert on that but, as an example, this is a link to an EU document: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp115_en.pdf (this particular document is not actually a rule but it is influential and could become a law).

This document from the EU considers (extracted from http://www.out-law.com/page-6510):

- The applicable *national law* – where the user and the data controller (such as Vodafone) are in separate Member States, the national applicable law will be that of the data controller. If the data controller is based outside the EU, location data can only be processed if the Data Protection Directive requirements on the transfer of data to third countries are fully met.
- *Informing users* – the data subjects must be informed of matters such as the identity of the data controller, the reason for the data processing, the type of data processed, how it can be amended and the right to cancel the data. The information should be clear, complete and comprehensive.
- *Consent* – this must be obtained freely and should not be given as part of an acceptance of the general conditions of the service. Operators should ensure that they can verify and authenticate requests for location data made by third parties offering a value-added service, and that they are sure that the person to whom the location data relates is the same person who has given consent.
- The *right to withdraw* – consent can be withdrawn at any time and users must be able, easily and without charge, to temporarily refuse the processing of location data. If processing is ongoing, operators must regularly remind users that the device they are using can be located.
- *Storage time* – storage of location data is only permitted for the length of time necessary for providing the service. It cannot be stored after that, except for billing and payment purposes. If it is, it must be rendered anonymous.
- *Security measures* – the data must be held securely and only passed on to the person providing a service. All access should be logged.

As far as I know, similar directives or recommendations exist also in the US and Japan.

My question is, could this legislation be enough to define a privacy framework?
Received on Thursday, 30 October 2008 11:09:28 UTC