Re: IETF privacy policy - update

[Martin Rex <mrex@sap.com>]

John Morris wrote:
> 
> 1.  As a general matter, many organizations that interact with lots of  
> people (especially collecting financial information from them) use a  
> broad range of written policies to reduce risk, by plainly stating a  
> position on an issue so that employees have clear guidance about how  
> to act or respond in a given situation.

I think you misrepresent the purpose of these policies.
The issues are
 1. a blame-shifting tool for PR if something goes wrong
 2. limit liabilities by disclaiming as much as legally possible,
 3. have yet another means to fire an employee/clerk.

How often have you seen it happening that an employee or clerk
(or federal agent for that matter) pulls out a big binder of policies
when being faced with a new situation and study them carefully while
you (and others) wait paitently?


> 
> 2.  We have many examples of leading banks, stores, and others  
> mishandling credit card and other records

Yeah -- and that happens although all of these have big binders
full of policies.  

>
>                                            so unless the IETF has come  
> up with some secret security sauce to eliminate all possibility of a  
> human or technical screwup with personal info, there is clear risk  
> that the IETF could mishandle data and be at the wrong end of a  
> litigation.  The IETF would likely face liability risk with or without  
> a privacy policy, but the fact that it could not even be bothered to  
> have such a policy would certainly be used by the plaintiffs to argue  
> for an increase in the damages that the IETF might have to pay.   
> Having a written privacy policy would avoid this particular risk, and  
> might even reduce the risk of a screwup in the first place.

This is ridiculous.  I have not seen a single privacy policy
that is in the interest of the data subject.  They're all in the
interest of the data collector for 1+2+3 above.


> 
> 3.  And, although my legal expertise is limited to U.S. law

it shows.

>                                                              I think  
> is very likely (if not certain) that right now the IETF is operating  
> in violation of the European Union's Data Protection Directive,

nope, never while they're in the U.S.  National data protection laws do
not apply for someone operating entirely in a different country.

>
> which requires that any entity that collects personal information must  
> provide clear prior notice to affected individuals about the data  
> collection.


While this is true in principle, there are some exemptions in that law.
You can collect data that you need for billing an order placed by
a data subject for the purpose of billing and for as long as you
legally need it _without_ having to get a consent agreement from
the data subject.

btw. the EU data protection directive is a framework for which each
national EU legislator has to create a national law.


>             The EU is particularly sensitive when European citizens'  
> data is collected by U.S. entities, which happens all of the time when  
> European citizens register with the IETF's California-based  
> administrative secretariat.

The EU is particularly sensitive about passing on data that was collected
_within_ the EU, potentially with a clear usage restriction, outside of
the EU jurisdiction without consent of the data subject and without
control whether the permitted usage is not exceeded and whether the
data subjects can still exert its personal rights to that data granted
by the EU data protection laws.


> 
> So if one's goal is to reduce risk to the IETF so the IETF is not  
> harmed by legal liability, I think there are very strong arguments to  
> have a privacy policy.  Indeed, the legal-risk-related arguments in  
> favor of a having a privacy policy are so strong that I believe the  
> powers-that-be should move to promulgate such a policy even if there  
> is not consensus in the broader IETF community

The world is going to end!  News at 11:00


-Martin