Re: Privacy protection principles

Hi Sophie and Jose,

Thanks for your feedback.

In the TPAC meeting, the group tends not to define a privacy principles in
W3C, but to find some detailed technologies to achieve the privacy
principles, and provide enhancements to the current privacy questionnaires.

I will check your materials in the links, and provide further inputs to the
provacy questionnaires.

Kind Regards

‘件人:  KWASNY Sophie <>
—œŸ:  Monday, 26 September, 2016 2:57 pm
‡:  Li Kepeng <>
Š„€:  John Moehrke <>, "José M. del lamo"
<>, Nat Sakimura <>, Alan Chapell
<>, "public-privacy (W3C mailing list)"
<>, "" <>
主˜:  RE: Privacy protection principles

Dear Kepeng, Dear All,
Going down a little bit deeper into the privacy principles and providing a
guidance which is more specific to the web sounds like a great initiative,
My two cents would only consist in recalling that any list of privacy
principles which will serve as a basis for that work, to be exhaustive €“
from whichever region of the world it is being looked at - should include a
reference to the sole international instrument in the field which is legally
binding. Convention 108 has been the backbone of the development of the
European Union€™s legal framework and development in a number of countries
outside Europe. It now gathers 50 countries, 47 from Europe, 1 from South
America and 2 from Africa, (several other non-European countries, both from
Africa and America, currently interested/being in the process of accession,
no Asian one so far).
The proposed revised Convention is accessible at:
Kind regards, 
Sophie Kwasny
Data Protection Unit
From: José M. del Álamo []
Sent: lundi 26 septembre 2016 09:43
To: Kepeng Li
Cc: John Moehrke; Nat Sakimura; Alan Chapell; public-privacy (W3C mailing
Subject: Re: Privacy protection principles

Dear Kepeng, all, I'll try to summarize below our previous experience on
this matter.


As far as I know there have been some approaches to try to go in more detail
from high-level privacy/data protection principles (OECD, ISO, GDPR,  or
other) to lower-detailed requirements closer to the technical domain.


For example, the EU-funded PRIPARE project [1] developed an early catalogue
of requirements from ISO29100 and EU GDPR principles. The idea was to move
from the set of high-level principles into more ellaborated privacy
guidelines and from there into a set of detailed technical requirements, in
a process named as requirements operationalization. You can see the actual
catalogue in the PRIPARE handbook [2], Annex B. Some other researchers have
followed a similar path, and you can find, for example, a taxonomy of
requirements refining the privacy goal 'transparency'. [5].


As I said this was an early effort within a somehow small research project,
and thus the catalogue requires further refinement, elaboration and
consensus, but is an early step in our vision on how some of the privacy
principles can be further detailed and how it is aligned with the
risk-driven approaches [3], enabling a systematic approach to engineering
privacy when developing information systems. Indeed, this vision was
inspired by earlier works at W3C, for example, within the Accessibility
domain [4]. 


These are my 2 cents.




Jose M. del Alamo

Universidad Politecnica de Madrid




[3] Notario, N. et al., PRIPARE: Integrating Privacy Best Practices into a
Privacy Engineering Methodology, IEEE Security and Privacy Workshops (SPW),
. doi: 10.1109/SPW.2015.22

[4] Martin et al., Privacy Requirements Engineering: Valuable Lessons from
Another Realm, 1st International Workshop on Evolving Security and Privacy
Requirements Engineering - ESPRE2014, pp. 19-24. doi:

[5] Meis, R. et al. A Taxonomy of Requirements for the Privacy Goal
Transparency. In International Conference on Trust and Privacy in Digital
Business. Springer International Publishing.


2016-09-20 3:03 GMT+02:00 Kepeng Li <>:

I agree that from high level overview, my proposed privacy principles are
quite similar to OECD privacy principles.


I am wondering if we can go down a little bit deeper, and make each
principle in more detail, and also make it specific to web.


The goal is to make it as guidelines or best practices to achieve privacy
principles in the open web environment..


My document is still in the very early stage. I am just trying to find a way
to move forward, to make it useful in some way..




Kind Regards


Kepeng Li



‘件人: John Moehrke <>
—œŸ: Tuesday, 20 September, 2016 1:33 am
‡: Li Kepeng <>
Š„€: Nat Sakimura <>, Alan Chapell
<>, "public-privacy (W3C mailing list)"
<>, <>
主˜: Re: Privacy protection principles
‡‘‘件人: <>
‡‘—œŸ: Tue, 20 Sep 2016 07:18:07 +0000


I have a cross-reference between various standards on Privacy Principles.
With linkage to them (where I am allowed)



John Moehrke
Principal Engineering Architect: Standards - Interoperability, Privacy, and
CyberPrivacy €“ Enabling authorized communications while respecting Privacy
M +1 920-564-2067 <tel:%2B1%20920-564-2067>
"Quis custodiet ipsos custodes?" ("Who watches the watchers?")

On Mon, Sep 19, 2016 at 12:08 PM, Kepeng Li <>
Hi Nat,

> There are many well respected documents that have something very similar in

Can you send the links of the mentioned similar documents?


Kind Regards


发件人:Nat Sakimura<>
添Š”件人Alan Chapell<>
“…主˜Re: Privacy protection principles

Sorry, I have not been following the list lately so I am probably missing
something, but what is the context around this document?

There are many well respected documents that have something very similar in
them. What are we creating yet another one?


2016/09/19 ˆ‰3:15 "Alan Chapell" <>:
> Cheers,
> Alan Chapell
> Chapell & Associates
> 917 318 8440 <tel:917%20318%208440>

>> On 9/18/16, 12:49 PM, "Kepeng Li" <> wrote:
>> Hi Chaals,
>> Thanks for your edits. It is quite helpful.
>> I made some further edits based on your proposed changes.
>> About your embedded questions, we can discuss them during the PING meeting on
>> Tuesday.
>> Kind Regards
>> Kepeng
>>> ------------------------------------------------------------------
>>> ‘件人š<>
>>> — œŸš2016年09œˆ16— 01:38:52
>>> ”件人šKepeng Li<>;
>>> 主 ˜šRe: Privacy protection principles
>>> - runnegar@, tjwhalen@
>>> Hi Kepeng, all,
>>> I made a few minor edits, mostly shuffling things that seemed to belong in a
>>> different place, or trying to simplify the language.
>>> One of the things I did is change "privacy information" in some places to
>>> "private information", and in other places to "privacy-sensitive
>>> information".
>>> "privacy information" sounds wrong to me, but I am not sure what a better
>>> phrase would be.
>>> Feel free to over-write any of my edits....
>>> cheers
>>> Chaals
>>> 15.09.2016, 17:11, "Kepeng Li" <>:
>>>> > Hi Christine, Tara and all,
>>>> >
>>>> > I just submitted an initial proposal for privacy protection principles:
>>>> >
>>>> >
>>>> > I hope we can allocate some time in TPAC PING IG to discuss that, to see
>>>> > if it is valuable to continue to work on this subject.
>>>> >
>>>> > Thanks and see you in TPAC!
>>>> >
>>>> > Kind Regards
>>>> >
>>>> > Kepeng Li
>>>> > Alibaba
>>> -- 
>>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>>> - - - Find more at



Received on Monday, 26 September 2016 14:56:33 UTC