RE: Privacy protection principles from KWASNY Sophie on 2016-09-26 (public-privacy@w3.org from July to September 2016)

From: KWASNY Sophie <Sophie.KWASNY@coe.int>
Date: Mon, 26 Sep 2016 13:57:31 +0000
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>
CC: John Moehrke <johnmoehrke@gmail.com>, José M. del Álamo <jmdela@dit.upm.es>, Nat Sakimura <sakimura@gmail.com>, Alan Chapell <achapell@chapellassociates.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>, "chaals@yandex-team.ru" <chaals@yandex-team.ru>
Message-ID: <009140F0156579499DBFD29352345F1CC338ACAF@Asterix04.key.coe.int>
Dear Kepeng, Dear All,

Going down a little bit deeper into the privacy principles and providing a guidance which is more specific to the web sounds like a great initiative,

My two cents would only consist in recalling that any list of privacy principles which will serve as a basis for that work, to be exhaustive – from whichever region of the world it is being looked at - should include a reference to the sole international instrument in the field which is legally binding. Convention 108 has been the backbone of the development of the European Union’s legal framework and development in a number of countries outside Europe. It now gathers 50 countries, 47 from Europe, 1 from South America and 2 from Africa, (several other non-European countries, both from Africa and America, currently interested/being in the process of accession, no Asian one so far).

The proposed revised Convention is accessible at: http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/Consolidated%20version%20of%20the%20modernised%20convention%20108%20July%202016.pdf


Kind regards,
Sophie
Sophie Kwasny
Data Protection Unit
COUNCIL OF EUROPE
www.coe.int/dataprotection<http://www.coe.int/dataprotection>

From: José M. del Álamo [mailto:jmdela@dit.upm.es]
Sent: lundi 26 septembre 2016 09:43
To: Kepeng Li
Cc: John Moehrke; Nat Sakimura; Alan Chapell; public-privacy (W3C mailing list); chaals@yandex-team.ru
Subject: Re: Privacy protection principles

Dear Kepeng, all, I'll try to summarize below our previous experience on this matter.

As far as I know there have been some approaches to try to go in more detail from high-level privacy/data protection principles (OECD, ISO, GDPR,  or other) to lower-detailed requirements closer to the technical domain.

For example, the EU-funded PRIPARE project [1] developed an early catalogue of requirements from ISO29100 and EU GDPR principles. The idea was to move from the set of high-level principles into more ellaborated privacy guidelines and from there into a set of detailed technical requirements, in a process named as requirements operationalization. You can see the actual catalogue in the PRIPARE handbook [2], Annex B. Some other researchers have followed a similar path, and you can find, for example, a taxonomy of requirements refining the privacy goal 'transparency'. [5].

As I said this was an early effort within a somehow small research project, and thus the catalogue requires further refinement, elaboration and consensus, but is an early step in our vision on how some of the privacy principles can be further detailed and how it is aligned with the risk-driven approaches [3], enabling a systematic approach to engineering privacy when developing information systems. Indeed, this vision was inspired by earlier works at W3C, for example, within the Accessibility domain [4].

These are my 2 cents.

Regards,

Jose M. del Alamo
Universidad Politecnica de Madrid

[1] http://pripareproject.eu/

[2] http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE-Methodology-Handbook-Final-Feb-24-2016.pdf

[3] Notario, N. et al., PRIPARE: Integrating Privacy Best Practices into a Privacy Engineering Methodology, IEEE Security and Privacy Workshops (SPW), . doi: 10.1109/SPW.2015.22
[4] Martin et al., Privacy Requirements Engineering: Valuable Lessons from Another Realm, 1st International Workshop on Evolving Security and Privacy Requirements Engineering - ESPRE2014, pp. 19-24. doi: 10.1109/ESPRE.2014.6890523
[5] Meis, R. et al. A Taxonomy of Requirements for the Privacy Goal Transparency. In International Conference on Trust and Privacy in Digital Business. Springer International Publishing.

2016-09-20 3:03 GMT+02:00 Kepeng Li <kepeng.lkp@alibaba-inc.com<mailto:kepeng.lkp@alibaba-inc.com>>:
I agree that from high level overview, my proposed privacy principles are quite similar to OECD privacy principles.

I am wondering if we can go down a little bit deeper, and make each principle in more detail, and also make it specific to web.

The goal is to make it as guidelines or best practices to achieve privacy principles in the open web environment..

My document is still in the very early stage. I am just trying to find a way to move forward, to make it useful in some way..

Thanks,

Kind Regards

Kepeng Li
Alibaba

发件人: John Moehrke <johnmoehrke@gmail.com<mailto:johnmoehrke@gmail.com>>
日期: Tuesday, 20 September, 2016 1:33 am
至: Li Kepeng <kepeng.lkp@alibaba-inc.com<mailto:kepeng.lkp@alibaba-inc.com>>
抄送: Nat Sakimura <sakimura@gmail.com<mailto:sakimura@gmail.com>>, Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>, "public-privacy (W3C mailing list)" <public-privacy@w3.org<mailto:public-privacy@w3.org>>, <chaals@yandex-team.ru<mailto:chaals@yandex-team.ru>>
主题: Re: Privacy protection principles
重发发件人: <public-privacy@w3.org<mailto:public-privacy@w3.org>>
重发日期: Tue, 20 Sep 2016 07:18:07 +0000

I have a cross-reference between various standards on Privacy Principles. With linkage to them (where I am allowed)
https://healthcaresecprivacy.blogspot.com/2015/04/privacy-principles.html


John

John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and Security
CyberPrivacy – Enabling authorized communications while respecting Privacy
M +1 920-564-2067<tel:%2B1%20920-564-2067>
JohnMoehrke@gmail.com<mailto:JohnMoehrke@gmail.com>
https://www.linkedin.com/in/johnmoehrke

https://healthcaresecprivacy.blogspot.com

"Quis custodiet ipsos custodes?" ("Who watches the watchers?")

On Mon, Sep 19, 2016 at 12:08 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com<mailto:kepeng.lkp@alibaba-inc.com>> wrote:

Hi Nat,

> There are many well respected documents that have something very similar in them.

Can you send the links of the mentioned similar documents?

Thanks,

Kind Regards
Kepeng

--------------------------

发件人:Nat Sakimura<sakimura@gmail.com<mailto:sakimura@gmail.com>>
日期：15:28
添加收件人Alan Chapell<achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>
输入主题Re: Privacy protection principles

Sorry, I have not been following the list lately so I am probably missing something, but what is the context around this document?

There are many well respected documents that have something very similar in them. What are we creating yet another one?

Nat

2016/09/19 午前3:15 "Alan Chapell" <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>>:





Cheers,



Alan Chapell

Chapell & Associates

917 318 8440<tel:917%20318%208440>





On 9/18/16, 12:49 PM, "Kepeng Li" <kepeng.lkp@alibaba-inc.com<mailto:kepeng.lkp@alibaba-inc.com>> wrote:





Hi Chaals,

Thanks for your edits. It is quite helpful.

I made some further edits based on your proposed changes.

About your embedded questions, we can discuss them during the PING meeting on Tuesday.

Kind Regards
Kepeng

------------------------------------------------------------------
发件人：<chaals@yandex-team.ru<mailto:chaals@yandex-team.ru>>
日　期：2016年09月16日 01:38:52
收件人：Kepeng Li<kepeng.lkp@alibaba-inc.com<mailto:kepeng.lkp@alibaba-inc.com>>; public-privacy@w3.org<mailto:public-privacy@w3.org><public-privacy@w3.org<mailto:public-privacy@w3.org>>
主 题：Re: Privacy protection principles

- runnegar@, tjwhalen@

Hi Kepeng, all,

I made a few minor edits, mostly shuffling things that seemed to belong in a different place, or trying to simplify the language.

One of the things I did is change "privacy information" in some places to "private information", and in other places to "privacy-sensitive information".

"privacy information" sounds wrong to me, but I am not sure what a better phrase would be.

Feel free to over-write any of my edits....

cheers

Chaals

15.09.2016, 17:11, "Kepeng Li" <kepeng.lkp@alibaba-inc.com<mailto:kepeng.lkp@alibaba-inc.com>>:
> Hi Christine, Tara and all,
>
> I just submitted an initial proposal for privacy protection principles:
> https://www.w3.org/wiki/Privacy/Privacy_protection_principles

>
> I hope we can allocate some time in TPAC PING IG to discuss that, to see
> if it is valuable to continue to work on this subject.
>
> Thanks and see you in TPAC!
>
> Kind Regards
>
> Kepeng Li
> Alibaba

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru<mailto:chaals@yandex-team.ru> - - - Find more at http://yandex.com
Received on Monday, 26 September 2016 13:58:05 UTC