Update Language on 7 #2
Change from: The project must state that it complies with relevant privacy laws, and all applicable international and domestic laws.

Change to: The project must state that to the best of its knowledge it complies with relevant privacy laws, and all applicable international and domestic laws.

Reason: It's not clear how DPGs are going to be able to state this with confidence. Referencing the privacy and security standards is one thing (and very possible), but attesting to compliance with domestic laws for all potential implementation countries does not seem possible.

CC: @eduffus
@@ -12,7 +12,7 @@ Indicator | Requirement | |||
**4. Mandatory dependencies** | If the open source project has mandatory dependencies that create more restrictions than the original license the projects must be able to demonstrate independence from the closed component and/or indicate the existence of functional, open alternatives. | |||
**5. Documentation** | The project must have some documentation of the source code, use cases, and/or functional requirements. For content, this should indicate any relevant compatible apps, software, hardware required to access the content and instructions about how to use it. For software projects, this should be present as technical documentation that would allow a technical person unfamiliar with the project to launch and run the software. For data projects, this should be present as documentation that describes all the fields in the set, and provides context on how the data was collected and how it should be interpreted. | |||
**6. Mechanism for Extracting Data** | If this project has non personally identifiable information there must be a mechanism for extracting or importing non personally identifiable information (PII) data from the system in a non-proprietary format. | |||
**7. Adherence to privacy and applicable laws** | The project must state that it complies with relevant privacy laws, and all applicable international and domestic laws. | |||
**7. Adherence to privacy and applicable laws** | The project must state that to the best of its knowledge it complies with relevant privacy laws, and all applicable international and domestic laws. |
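Review bot: The new wording in the changed row of indicator 7 adds "to the best of its knowledge" but leaves "relevant privacy laws" and "all applicable international and domestic laws" just as unscoped as before, and still does not say where the statement must appear or what it should reference, so a reviewer has nothing concrete to verify. Consider naming the artifact that carries the statement (for software, the same technical documentation indicator 5 already requires) and the specific laws or standards the project claims to have checked, e.g. "The project must state, in its documentation, that to the best of its knowledge it complies with the privacy laws and other applicable laws it has identified as relevant", so the qualifier is backed by a visible, reviewable list rather than an open-ended assertion.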
I agree that, in a globalized world, it's true that few organizations have the resources to even know if they are complying with the full scope of laws where the digital public good is used.
Perhaps the GDPR could be adopted as an exemplar to follow for the time being?
@sgoggins: I like your suggestion about GDPR given that GDPR is a regulation in the European Union (EU) and the European Economic Area (EEA) and GDPR became a model for many national laws outside EU, including Chile, Japan, Brazil, South Korea, Argentina and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR (ref).
In terms of the actual language of the standard, would something like this work?
**7. Adherence to privacy and applicable laws** | The project must state that
to the best of its knowledge it complies with relevant privacy laws (including
the General Data Protection Regulation (GDPR)), and all applicable international
and domestic laws.
Yes, we have defined GDPR as the standard in Europe. GDPR actually sets "the bar" fairly high in some areas, so we might want to take a bit more time to consider the language around this, as this could exclude some very interesting startup projects.
The GDPR is likely to force African countries, especially those with strong trade ties to the EU, to prioritise data privacy and to more decisively meet their duties and obligations to ensure compliance. But what of those countries without strong ties to the EU from which prospective DPGs could arise, what regulations would apply there?
Maybe consider expanding the list of other policies in addition to GDPR, such as the Framework for Cyber laws for the East African Community, Supplementary Act A/SA.1/01/10 on Personal Data Protection Within ECOWAS for the Economic Community of West African States (ECOWAS), et al.
The notion of adding a mention/requirement around GDPR is out of the scope of the proposed change, which is the small addition of "to the best of its knowledge" here. As a result, I have created a new PR to continue the conversation around GDPR and other privacy laws in #20, and am unblocking this PR for merging and closing.