On 11/01/13 11:38 AM, Jan Engelmann wrote:
Hi James and Amgine,
nobody denies that Wikimedia already applies privacy by design and by default, as intended by the Commission. But we should read the draft through European lenses and that means: the intention to apply a new gold standard of privacy matters to all data controllers. For us as consumers this is very good news. Regarding the necessities of an open platform, we should accurately analyze if there are any requirements we can't comply with.
You will find the Art. 17.2 proposed by the EU commission on page 96 (left column)
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/92238...
It says:
"Where the controller ... has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication."
Many law experts (IANAL) went nuts when they read this particular paragraph. The new Art. 2a (same page, right column) proposed by the rapporteur brings freedom of expression into play. So this was the basic message I wanted to give: the proposal is getting better, but still has to go through several stages of the drafting process. The Parliament is bound to find a common position until end of February.
Regards, Jan
I believe the concern the law experts may have expressed is the somewhat deliberate removal of the so-called 'safe-harbour' phrasing which might otherwise protect WMF from infractions on specific projects.
However, if I understand the proposed article 6 paragraph 1a (new) correctly[1], it would potentially cover any legitimate business purpose which would, of course, allow the current datamining to continue unabated so long as the individuals were in some way informed that personal data was being collected for a legitimate business purpose (such as serving more relevant advertising.) So the new amendment at 17.2 and at 6.1a would, imo, severely weaken the privacy protections.
I am happy to learn more about this important effort, but also wondering if the Foundation is being asked to lobby as regards this proposal or the Rapporteur's suggestions. (By the way, amendment 104 is *awesome*, in my opinion.)
Amgine
[1] 1a. If none of the legal grounds for the processing of personal data referred to in paragraph 1 apply, processing of personal data shall be lawful if and to the extent that it is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The data controller shall in that case inform the data subject about the data processing explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject. This paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.