[w3c/payment-request] Regulatory Compliance Support (#632) from Mark Richards on 2017-09-23 (public-webpayments-specs@w3.org from September 2017)

From: Mark Richards <notifications@github.com>
Date: Sat, 23 Sep 2017 10:46:27 +0000 (UTC)
To: w3c/payment-request <payment-request@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/payment-request/issues/632@github.com>

I had hoped this was already done, but I get the impression from https://github.com/w3c/payment-request/pull/628 that there hasn't been a clear decision on privacy protections, suggesting the specification hasn't followed a  Privacy By Design process or included appropriate risk assessments.

Please can the w3c provide material of a Privacy By Design approach, supported by Privacy Impact Assessments that businesses can then confidently re-use in their own compliance processes, instead of each business have to do their own Privacy By Design and Privacy Impact Assessment considerations for implementing or adopting this spec.

If implementations, perhaps from Google, are already in use then perhaps Google can volunteer the privacy impact assessment and designs they've already completed to be added as drafts to the appendices to the spec and the w3c process can then review them.

## Further Context
Like most country regulators, the UK's ICO has some guidance on this which might be a good starting point, but should be checked against other regulatory environments, I'd recommend checking other countries too; I've always heard Germany has stricter rules about privacy and privacy protections for minors may differ in Canada:
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/

It would be awesome, to also have compliance tests and test sample data to help with compliance too as lack of tests can now result in fines for businesses using this specification https://www.theregister.co.uk/2017/08/17/london_council_fined_over_leaky_parking_ticket_app/

Please consideration should also be made for regulated industries, like Medicines/Healthcare, Finance, etc which may have their stricter privacy concerns. Most countries have additional laws, including in the USA, about protecting the privacy of buyers for these products and regulatory help is more likely to be found from the Healthcare and financial regulators: I doubt all industries need to be covered (like raditioactive materials), but the common consumer facing ones would be great.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/632

Received on Saturday, 23 September 2017 10:46:50 UTC