Regarding @aschrijver’s Declaration of rights idea, yes good idea! The Declaration could be about better enforcing rights through new laws, but stating it as a Declaration is effective from a marketing perspective. In addition there could be follow-ups to get people involved as activists.
According to the New Zealand Human Rights Commission’s Privacy, Data and Technology: Human Rights Challenges in the Digital Age, published in May 2018:
“the UN General Assembly and UN Human Rights Council resolutions on the right to privacy in the digital age has called for Governments [sic] to:”
“Develop or maintain legislation, preventive measures and remedies addressing harm from the sale or multiple resale or other corporate sharing of personal data without the individual’s free, explicit and informed consent.”
“Inform users of the collection, use, sharing and retention of data about them.”
This is according to the 19 December 2016 UN General Assembly Resolution on the Right to Privacy in the Digital Age, A/RES/71/199, Resolution 34/7.
Given the UN Resolution and that the UN Human Rights charter of 1948 already mentions privacy, I would say no we do not need to officially amend the charter to account for tech.
However perhaps we could ensure governments are actually making progress to enacting this UN Resolution by creating new human rights laws. I think right now there are few new laws that have arisen out of the UN Resolution. As we have seen, laws such as the European Union’s GDPR and California’s initiatives do not seem to be in the right spirit for actually fixing the largest privacy issues.
The Resolution is open to broad interpretation especially “individual’s free, explicit and informed consent”. Any reasonable person would say that what is going on now is not informed consent. Clicking on a button that says “continue” or “agree and continue” which strips you of all human privacy rights in my opinion is not informed consent, especially when there are no other options given. This is where GDPR fails.
What I would suggest that we need is a law where ANY use of non-anonymised personal information by a company must be explicit (yes / no), with the no option being as at least as easy to select as the yes option, and no always as the default option. This should be for each type of information before it is collected. Selecting no should not affect a person’s ability to use the service at all. For example:
“Can we store your name, email, IP address, geolocation, and page history?”
- name yes / NO
- email yes / NO
- IP address yes / NO
- geolocation yes / NO
- page history yes / NO
“Can we share this information with our affiliated companies?”
“Can we share this information with third parties?”
In order to allow companies to continue making revenues at least 90% of what they made before, we could allow them to collect anonymised information (based on anonymous random ids such as cookies – but device and app ids, browser fingerprints or IP addresses should not be permitted as these are ‘identifiable’) about users and their behaviour without any prior consent at all (easier than GDPR or stupid EU Cookie Law), only under the conditions that information is kept temporarily (say no more than 90 days), never transferred or sold to third parties, and that anonymised information can never ever be combined with any identifiable information.
In addition, companies should be required to ask us say every year or so if we would like them to still keep identifiable personal information about us.
“We’re currently have all of the following information about you: x, x, x… Please reply yes within 180 days for each of these, otherwise they will each be deleted in accordance with criminal law. If we fail to delete information about you after this time we agree that we will be sent to prison as felons.”