DPGAlliance / DPG-Standard

Digital Public Goods Standard
Creative Commons Attribution Share Alike 4.0 International

Indicator 7. Adherence to Privacy and Applicable Laws #87

Closed llsandell closed 2 years ago

llsandell commented 2 years ago

The term “to the best of its knowledge” has the potential to become a huge liability. Again, I do understand why the term is used and the intentions behind it; however, this is a classic pitfall when it comes to accountability. What about projects in countries that have little or no legislation regarding privacy and data protection? What international laws would apply then? Should there not at least be a “minimum” requirement regarding privacy and data protection?

Anyone can argue that they thought they did the right thing. I would seriously consider enforcing a minimum set of rules for privacy and data protection, and here is why:

Even though the U.S. and EU/EEC countries have laws and legislation conserving data privacy and data protection, the U.S. and the EU have different approaches to handling this. The lack of international laws procuring data privacy and data protection brought forth the need for a common framework. The “EU-U.S. Privacy Shield Framework” became a reality. This framework offered the users (both businesses and governments) a chance to comply with applicable laws on both sides of the pond. Even though the EU, the U.S. and Switzerland initially agreed upon this framework, it was later subject to scrutiny and is today invalid as a legal instrument for regulating data flow between countries.

However, the DPG standard is in its full right to invoke a “minimum” requirement regarding privacy and data protection, in order for any entity to be eligible to partake in various programs, scopes or schemes.

prajectory commented 2 years ago

Any baseline assessment criteria have to rely on self-declarations. Especially since we focus on the "by design" part of the solution and don't focus on deployment, that itself limits the scope of the standard's engagement with the DPG owner. The silos in privacy laws are a real concern. For now we use this catalogue https://unctad.org/page/data-protection-and-privacy-legislation-worldwide during the review process to identify and establish privacy-related requirements.

Currently we have minimum criteria that limit the liability of the DPG owner to just privacy laws. We hope to build on this indicator as the world evolves its understanding and legislation gets more robust.