Final Recommendations of the Eutropian Task Force on Electronic Data Access and Protection (TaskFEDAP)

General Recommendations:

Note: The items enclosed in asterisks (**) did not receive a unanimous vote, but did receive a 2/3 majority vote; they have been included as indicative of the majority view of the delegates. Votes which were split (3:3) and those in which a majority opposed the text resulted in the striking of that point.

  1. Definition of terms:
    1. General information includes the following: name, surname, sex, date of birth, age, address, telephone number, financial records, criminal records, occupation and any data which is not categorised as confidential or restricted access data.
    2. Information which is accessible to the public without restriction or which has already been published shall not be considered confidential or restricted access information.This would include personal data such as telephone numbers and addresses.
    3. Sensitive or confidential information includes the following: religion, health-information, political orientation, sexual orientation, financial records, criminal records.
  2. Rights-related concerns:
    1. The personal freedom and privacy of the individual is a basic human right.
    2. **While an individual has a right to privacy; this does not automatically include a right to send anonymous e-mail.** (Note: A majority voted in favour of this amendment, but the vote was not unanimous - 4:1:1.)
    3. All laws and regulations concerning data access and protection should strive to achieve a balance between the safety of individuals and the opportunities that data communication and data surveillance provide.
  3. Ownership of electronic data:
    1. **The person who creates and posts electronic data is the owner of that data.** (Note: The vote was 5:1 in favour of the unmodified text; this modification represents an attempt to incorporate the intent of the discussion and Coastland's specific suggestion.)
    2. **If it is a group/cooperation/company, the owner/boss is responsible.** (Note: the vote was 5:1 in favour of this text, without any clarification of terminology; Northland proposed making the individual and not the company responsible.)
    3. Data become public property if they are needed to find people responsible for criminal acts.
  4. Legal Framework:
    1. Regarding the future of the Federation of Eutropia, we strongly recommend that a general framework of laws be set up, with leeway for our national governments to interpret them.
    2. **The user of Internet resources such as e-mail acknowledges and accepts the risks associated with that service. The use of tools to reduce the risks, such as anti-virus and encryption software is the responsibility of the user.** (Note: The vote was 4:2 in favour of 4b.)
    3. Children should be taught about chat rooms and e-mail and about the risks involved, such as the fact that people can fake their identity. They should also be taught never to reveal personal information such as name, address, or telephone number.
  5. Oversight (Data Surveillance Board or Eutropian Court for Data Protection):
    1. The following alternative was rejected by a majority vote of the delegates: We recommend the setting up of an independent Data Surveillance Board to deal with trans-national matters regarding data protection of the individual, financial and commercial institutions as well as the government. Each country of the Eutropian Federation shall be represented by three delegates on the board. These delegates should be politically independent and one of them has to be a judge. All NGOs who are appointed to the TaskFEDAP have consultative status to the Eutropian Data Surveillance Board.The aim of the board is to ensure that all questions of data storage and security are given the highest priority and are dealt with in total independence of the Eutropian Government. (Note: The vote on the first alternative was 1:4:1, with the majority opposing the inclusion of this point.)
    2. Eutropian Court and Task Force for Data Protection: Every member of Eutropia shall send two judges to a so-called "Eutropian Court" so that each country is represented. The judges, however, shall be independent enough from different party-interests. Judges are best for this job because they know best about existing laws and how to use them. The Federation shall decide on common laws concerning the storage and use of data as well as the treatment of identity theft.The Court itself does not perform any investigations, but a special task force shall be appointed to do that. This task force shall consist of various policemen and experts from each country.
    3. **The task force must ask the Court for permission to start investigations. The information they collect will be reported to the Court; the Court will determine what, if any, further action should be taken.** (Note: The vote on this point was 5:1 in favour, with one delegation dissenting.)

Recommendations regarding data collection and surveillance

  1. Basic, general or personal information:
    1. Governments are allowed to collect and store general data (as defined above) about their citizens.
    2. This information can be used to produce statistics or to look for tax fraud or child support evasion.
    3. Commercial enterprises should only be allowed to collect and store data about their customers and employees that might be relevant for a contract.
    4. Data stored by commercial enterprises can be used for statistical reasons, as long as the anonymity of the individual is guaranteed.
  2. Confidential or sensitive information:
    1. Further information about citizens may only be collected in case of reasonable suspicion of criminal activity.
    2. Permission to do so may only be given by a court, the highest of which shall be the Eutropian Court for Data Protection.
    3. **Employers have no right to deal with private matters at the workplace, unless it seriously effects the productivity of the employee.** (Note: The vote on this point was 5:1 in favour, with one delegation dissenting. There was considerable discussion as to the intended meaning of this point.)
  3. Explicit consent; transparency of surveillance and data collection measures:
    1. Commercial enterprises must inform individuals about the data being collected and stored about him/her and must obtain that person's consent.
    2. At the latest, every citizen about whom data is collected must be informed of this after the completion of an investigation.
    3. While investigations are ongoing, surveillance may be kept secret to make sure that the success of the investigation is not endangered.
    4. **You should have to be told by the government which information they are collecting about you.** (Note: The vote on this item was 5:1 in favour, with one delegation dissenting because it was felt that this item was covered by points b and c.)
  4. Video Surveillance
    1. **Governments are allowed to install video cameras, but only at places or in buildings which are known to have a high crime rate.** (Note: The vote on this item was 5:0:1 in favour of inclusion, though there was some discussion of the phrase "at places or in buildings.")
    2. The population has to be informed about this kind of surveillance.
    3. The following alternative was rejected by a majority vote of the delegates: As a rule, the recorded material must be stored three months. (Note: The vote was 2:4 against this point, with questions being raised about the specific formulation. The discussion suggests agreement that this aspect needs to be more closely considered and carefully formulated.)
    4. **In case of a criminal investigation, the information should/may be stored indefinitely.** (Note: The vote was 5:1 in favour of including this point, but there was no agreement regarding the choice of "should" or "may.")
  5. Recording of data
    1. The following alternative did not receive a majority vote of the delegates as currently formulated: All personal data should be recorded and stored for future use such as name, address, telephone number, date of birth, financial and occupational data, etc. (Note: Three of the delegations suggested removing financial and occuplational data or keeping this data in a separate database.)
    2. Collection of data on web site usage is permitted, as long as this data is associated with user groups and not associated with a single individual (e.g. which sites a person visits).
    3. Commercial firms must inform visitors to their web site about the fact that information provided by customers will be saved and how it will be used.
    4. Sensitive data can only be collected by the government in cases concerning the country's safety or in special cases contributing a great concern for the country.
  6. Electronic surveillance
    1. In general no electronic surveillance should occur unless the results can be expected to be of great use for society, like preventing crime, etc.
    2. Surveillance should not be used in areas that are not considered to be possible crime scenes. Possible crime scenes include public places like railway stations, airports, main streets, and so on.
    3. **Surveillance is permitted if the material collected is only used to prevent criminal actions, and to maintain law and order in the society.** (Note: The vote on this point was 5:1 in favour of including the point.)

Recommendations regarding data protection and security

  1. Guaranteeing confidentiality of data
    1. Authorized use of commercial, governmental or individual data must be ensured.
    2. Confidentiality of commercial, governmental or individual data must be ensured.
    3. Commercial enterprises or financial institutions should not be allowed to sell information about their customers or employees.
  2. Sharing of personal data outside the Eutropian Federation
    1. Personal data shall not be transferred to countries or territories outside the Eutropian Federation unless those countries or territories guarantee adequate protection of the rights and freedom of data subjects in relation to the processing of personal data.
    2. Regarding the prevention, detection and prosecution of crimes, information-sharing and data processing between the Eutropian States is to be guaranteed by all member states.
  3. Sensitive data
    1. The following alternative did not receive a majority vote of the delegates: Sensitive data should not be stored for a long time (as a general rule, not longer than 1 week), but exceptions may be made on a case by case basis. (Note: The vote on this point was split 3:3.)
    2. Commercial companies are not allowed to exchange all kinds of information.
    3. Information which may be shared, expecially confidential data, must be defined by the Eutropian Court.
    4. ONLY with the consent of all implied people through a ''trust contract'' may this personal information be shared between companies
  4. Data accuracy and integrity
    1. If the data collected about a person is incorrect, it must be treated as a mistake and corrected.
    2. The government can only be held liable (i.e. taken to court) if the incorrect information is proved to have caused negative consequences for those involved.

Recommendations regarding data access

To decide which data should be widely accessed it should be categorised in the following way:1) generally accessible data, 2) restricted access or confidential data.

  1. General Information
    1. If the entirety of the data also includes restricted access data, the institution shall provide only that part of the data, which is generally accessible.
  2. Individual
    1. Citizens should have the right to access the information on them, on specification of this information with a view of its completeness and reliability, have the right to know, who and in what purposes uses or used this information. Restriction of access of citizens to the information on them is allowable only on the bases stipulated by federal laws. (e.g. the person is subject of current criminal investigations )
    2. **Individuals should have access to all data that is collected about them by the government. They should also have the right to know by whom and for what purposes their data is used and have to agree to the use of their data beforehand.** (Note: The vote on this was at least 5 in favour, with one delegation indicating that they felt this point was included under 2a.)
    3. **The government can refuse access to the collected data if the individual is a crime suspect or already convicted of a crime.** (Note: The vote on this was 5:1 in favour of this point.)
    4. The following alternative did not receive a majority vote of the delegates: Generally accessible information shall be provided to anyone who wishes to receive it, subject to the equal rights of persons to obtain information. The applicant shall not be required to specially to justify his or her interest in such information, and he or she may not be denied it because this information does not apply to the applicant. (Note: The vote on this was split 3:3.)
    5. **The owner of documentary information on citizens is obliged to give the information free-of-charge on demand to those persons whom it concerns. Restrictions are possible only in the cases stipulated by the legislation of the Federation.4 Refusal of the owner of information resources to the subject in access to the information on person can be appealed against in the judicial order.** (Note: The vote on this was 4:0:2, with two delegations abstaining.)
  3. Commercial Enterprises and Financial Institutions
    1. **Organizations should have the right to access the information on them, on specification of this information with a view of its completeness and reliability, have the right to know who uses or has used this information and for what purposes . Restriction of citizens' access to the information on them is allowable only on the bases stipulated by Federation laws. (e.g. the person is the subject of a current criminal investigation)** (Note: The vote on this was 4:1:1.)
    2. Commercial enterprises and financial institutions may access all data which is given to them willingly by their customers in order to fulfill a contractual relationship.
    3. At their request, customers must be informed about stored data that concerns them.
    4. The exchange of data among commercial enterprises is only allowed with the customer's permission.
    5. The exchange of data among financial institutions is not desirable.
    6. In the case of criminal investigations, the government is allowed to access data stored by commercial enterprises and financial institutions.
  4. Government and governmental institutions
    1. **All data necessary for governmental operations (deeds and services necesssary to make the country run; to enable the country and the government to operate) can be accessed.** (Note: The vote on this was 5:1. Midland pointed out that two interpretations were possible: 1) The citizen has access to all data about how the country is run, and 2) The government can access all data that is necessary to run the country, including data on citizens and countries.)
    2. **Detailed information on the stored data is given on request.** (Note: The vote on this was 5:1. The Commissioner pointed out that this item also needed to be more carefully formulated.)
    3. With the Court's decision, confidential data can be accessed by the appropriate governmental institutions.
  5. Confidential data specified
    1. Individually identifiable data (the facts, events and circumstances of the private lives of individual citizens), except for data subject to distribution in mass media in cases established by Federation laws shall be deemed confidential.
    2. **The data making secret of consequence (investigation) and legal preceedings.** (Note: The vote on this was 5:1, with Highland pointing out that the text is an incomplete sentence. No suggestion was made to correct the problem.).
    3. Access to service data is limited to bodies of the government according to the Federation laws.
    4. Data which is subject to professional codes of confidentiality, the access to which is limited according to Federation laws (medical, notorial, client privilege, personal correspondence, telephone conversations, items of mail, cable, facsimile or other messages).
    5. Data connected with commercial activities, access to which is limited according to the Federation laws protecting trade secrets.
    6. Intellectual property, including technical specifications or other data concerning inventions that could be used to model or produce an industrial prototype before the official publication of the information on these inventions.
  6. Third-party access
    1. Any data, whether personal or public, are only to be made available to third parties with due reason. This reason needs to be specified in every case.
    2. Medical data should never be used by unauthorized personnel.
    3. Sensitive data should only be accessed by authorized personnel, such as police, and then only to document criminal actions or to get information when people are ill and unconscius.
  7. Sharing of Data
    1. Eutropian governments are allowed to request basic information about an immigrant from another Eutropian country because it might be important for safety matters to know more about a new immigrant.
    2. The following alternative did not receive a majority vote of the delegates: Data must not be shared with non-Eutropian countries, non-governmental organisations, or commercial enterprises. (Note: The vote on this was 3:3.)
    3. **Basic information may be shared with non-Eutropian governments, because it is important for us to collaborate with another countries. This would allow us to know basic information about non-Eutropian immigrants.** (Note: The vote on this was 5:1.)