
Re: IETF privacy policy - update

2010-07-15 18:59:57
John Morris wrote:

> 1.  As a general matter, many organizations that interact with lots of
> people (especially collecting financial information from them) use a
> broad range of written policies to reduce risk, by plainly stating a
> position on an issue so that employees have clear guidance about how
> to act or respond in a given situation.

I think you misrepresent the purpose of these policies.
The issues are
 1. a blame-shifting tool for PR if something goes wrong
 2. limit liabilities by disclaiming as much as legally possible,
 3. have yet another means to fire an employee/clerk.

How often have you seen it happening that an employee or clerk
(or federal agent for that matter) pulls out a big binder of policies
when being faced with a new situation and study them carefully while
you (and others) wait patiently?

> 2.  We have many examples of leading banks, stores, and others
> mishandling credit card and other records

Yeah -- and that happens although all of these have big binders
full of policies.

> so unless the IETF has come
> up with some secret security sauce to eliminate all possibility of a
> human or technical screwup with personal info, there is clear risk
> that the IETF could mishandle data and be at the wrong end of a
> litigation.  The IETF would likely face liability risk with or without
> a privacy policy, but the fact that it could not even be bothered to
> have such a policy would certainly be used by the plaintiffs to argue
> for an increase in the damages that the IETF might have to pay.
> Having a written privacy policy would avoid this particular risk, and
> might even reduce the risk of a screwup in the first place.

This is ridiculous.  I have not seen a single privacy policy
that is in the interest of the data subject.  They're all in the
interest of the data collector for 1+2+3 above.

> 3.  And, although my legal expertise is limited to U.S. law

it shows.

> I think it
> is very likely (if not certain) that right now the IETF is operating
> in violation of the European Union's Data Protection Directive,

nope, never while they're in the U.S.  National data protection laws do
not apply for someone operating entirely in a different country.

> which requires that any entity that collects personal information must
> provide clear prior notice to affected individuals about the data
> collection.


While this is true in principle, there are some exemptions in that law.
You can collect data that you need for billing an order placed by
a data subject for the purpose of billing and for as long as you
legally need it _without_ having to get a consent agreement from
the data subject.

btw. the EU data protection directive is a framework for which each
national EU legislator has to create a national law.

> The EU is particularly sensitive when European citizens'
> data is collected by U.S. entities, which happens all of the time when
> European citizens register with the IETF's California-based
> administrative secretariat.

The EU is particularly sensitive about passing on data that was collected
_within_ the EU, potentially with a clear usage restriction, outside of
the EU jurisdiction without consent of the data subject and without
control whether the permitted usage is not exceeded and whether the
data subjects can still exert their personal rights to that data granted
by the EU data protection laws.

> So if one's goal is to reduce risk to the IETF so the IETF is not
> harmed by legal liability, I think there are very strong arguments to
> have a privacy policy.  Indeed, the legal-risk-related arguments in
> favor of having a privacy policy are so strong that I believe the
> powers-that-be should move to promulgate such a policy even if there
> is not consensus in the broader IETF community

The world is going to end!  News at 11:00


-Martin