As I hadn't properly defined the summary I produced, here is a revised copy of my summary.
After reviewing the documents in the section above the following can be
summarised as follows:
There has been enough discussion on the, if I can call it that, maintenance
of how data should be kept according to the laws of various countries, as all
have different laws that more or less try to do the same thing in different
words and explanation. For example:
Opinion 5/2000 - The use of Public Directories for Reverse or Multi-criteria Searching Services
- Directive 95/46/EC
- the protection of individuals
with regard to the processing of the personal data, in
Article 6.1 b), which establishes that personal data must be
"collected for specified, explicit and legitimate purpose and
not further processed in a way incompatible with those purposes".
- Note the purpose of conventional telephone directories is
the disclosure of subscriber's telephone number starting
from the knowledge of subscriber's name and that its use is limited
to that specific purpose.
- Must
establish the balance of interests, the interests and risks
to privacy at stake have to be identified and evaluated. Directive
97/66/EC gives helpful indications: as long as the minimum information
necessary to identify a subscriber is at stake, thus this
information can be included in conventional public directories unless
the subscriber objects. It must be considered that the interest of
the individual in being protected override the interests of controller or
third parties. Therefore such processing is only legitimate if the individual
has given his/her informed consent prior to any inclusion of his/her
personal data in public directories for reverse or
multi-criteria searches.
- Specific and
informed consent of the subscriber must be obtained prior to the inclusion of
his personal data into all kinds of public directories which include all type
of communication devices used for reverse or multi-criteria searches. There
must be some given consent on how personal data can be used.
- As most conclusions
regard the directives of the EC previous WP
on the Protection of Individuals with regards to protection of data
takes the position that processing of said personal data in
reverse directories or multi-criteria searching services
without unambiguous and informed consent by subscriber is unfair
and unlawful. Thus fully implementing and accepting the EC proposal
for draft directive on processing personal data.
Opinion 4/2001 - On the Council of Europe's Draft Convention on Cyber-Crime
- Article 15 of
draft Convention could create the impression that the protection of human
rights shall only be considered when it is "due" and shall only be
"adequate". It can be seen as limiting the safeguards and procedures;
it would considerably lower, if not fully undermine, the protection of
fundamental rights.
- Finally, several EU countries implementing Directive 95/46/EC shows
that national laws require that personal data can in principle only be sent to non-EU countries if this
country does provide an adequate level of protection of individuals with regard to the processing of their personal
data. The level of protection in these countries must be checked. Otherwise, if
no adequate protection is
on offer in the third country, then transfer of personal data may nevertheless
be necessary to fight against crime.
Adopted 30/2002 - Working document on determining the international
application of EU data protection law to personal data processing on the
Internet by non-EU based web site
In all these cases, the application of EU data protection law means among other things
the following:
- With a view to making the collection of personal data fair and lawful, the controller
has to clearly define the purpose of the processing.
- The controller has also to ensure that the data are adequate, relevant and not excessive
in relation to the purpose for which they are collected.
- The collection must be based on a legitimate ground (unambiguous consent,
performance of a contract, compliance with a legal obligation, in pursuance of
legitimate interests of the controller etc.) and the individual has the right of access to
and the rectification or erasure of his personal data.
- The individual has at least to be informed about the identity of the controller and his
representative if any, the purpose of the collection, the recipients and about his rights.
- Another important aspect is the security of the processing which may require the
controller, right from the collection on, to apply specific technical and organisational
measures in order to protect the data against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access, in particular where the
data are transmitted over a network. Such measures shall ensure a level of security
appropriate to the risks presented and the nature of the data.
- As regards sensitive data, specific provisions, dealing in particular with security
requirements, regulate their collection.
- The Article 29 Data Protection Working Party considers that the development of a
programme for the promotion of European data protection rules in a pragmatic way
would also help controllers in third countries to better understand, implement and
demonstrate privacy compliance. A European system of labels/web seals, open also
to non-EU web sites, could be the cornerstone of such action.
17 April 2014 - ICANN's public consultation on 2013 RAA Data Retention Specification
Data Elements and Legitimate Purposes for Collection and Retention
- The Draft Specification should only require collection of personal data, which is genuinely
necessary for the performance of the contract between the Registrar and the Registrant (e.g.
billing) or for other compatible purposes such as fighting fraud related to domain name
registration. This data should be retained for no longer than is necessary for these purposes. It
would not be acceptable for the data to be retained for longer periods or for other, incompatible
purposes, such as law enforcement purposes or to enforce copyright.
- Retention of personal data originally collected for commercial purposes, and subsequently
retained for law enforcement purposes, has been the subject of a recent landmark ruling by the
European Court of Justice, which held Directive 2006/24/EC to be invalid, as an unjustified
interference with those rights. The Court recognised that the retention of personal data might
be considered appropriate for the purposes of the detection, investigation and prosecution of
serious crime, but judged that the Directive 'exceeded the limits imposed by compliance with
the principle of proportionality'. It is reasonable to expect requirements for retaining personal
data to be subject to increasing scrutiny and legal challenges in the EU. And limit processing of
this data to compatible purposes, such as proportionate measures to fight fraud related to
domain name registration.
Opinion 6/2014 - Opinion of the European Data Protection Supervisor
on the Commission Communication on Internet Policy and Governance - Europe's role in
shaping the future of Internet Governance
- Base the future development of Internet
Governance on the respect of fundamental rights. We welcome this principle, but we stress
the need to translate it into practical policy initiatives, which is not always sufficiently the case.
- We emphasise that, in order to "sustain and develop the Internet as an essential part of life" and to create a "single, open, free, unfragmented network of networks" with a "safe, secure,
sound and resilient architecture", Internet Governance should be built starting from
commonly shared international rights and values. Consequently, privacy and data protection
principles need to gain more weight within Internet Governance fora and mechanisms.
- We note some positive developments at international level in recognising privacy and data
protection as essential values for the internet. At the Net Mundial, a general consensus was
reached on the need to protect privacy on the Internet, by pointing out that "The right to
privacy must be protected. This includes not being subject to arbitrary or unlawful
surveillance, collection, treatment and use of personal data. The right to the protection of the
law against such interference should be ensured".
- The Communication emphasizes that the Internet has become a key infrastructure with global
dimensions and that, as a consequence, greater international balance within the existing
structures would increase the probability of issuing legitimate outcomes.
Finally, the other documents seem to repeat or rewrite similar points that will not make this summary any easier to further what can be used as a defined process of how data can be collated for use and kept in the way that provides the privacy required. This shows that the EU or EC directive on the protection of personal
data has been the benchmark and has been implemented and used to protect personal data and privacy. No specific
mention of length of time to hold such data, although I think 6 weeks has been
mentioned in one document, I think. Also, the last couple of summarised documents are definitely more on the privacy relation of personal data, but I think they may show some relevance towards the items we collect that can reference how data can be seen. Hope I defined it better this time.
Regards
R. Padilla MSc.