6 June 1998
Thanks to CM
Swiss Federal Data Protection Commissioner (SDPC)
Council of Europe Conseil de l'Europe
Strasbourg, 13 May 1998 CJ-PD (97) 47 rev 3
PROJECT GROUP ON DATA PROTECTION (CJ-PD)
Strasbourg, 25-27 March 1998
"The protection of privacy on the Internet"
Draft Guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highways, which may be incorporated in or annexed to Codes of conduct
On 12 May 1998 the Committee of Ministers of the COUNCIL OF EUROPE, sitting at Ministers' Deputies' level, authorised declassification of this draft with a view to broad public consultation of the various interested parties on the Internet.
Where appropriate, this draft needs to be supplemented by inserting suitably flagged hypertext links not only to international legal instruments, but also to national legislation and data protection agencies.
Following the public consultation procedure, the present draft could be amended to take account of preliminary comments forwarded to the Secretariat of the Council of Europe from users, Internet Service Providers and national data protection agencies.
The draft will be finalised by the Project Group on Data Protection (CJ-PD) in early October, submitted for approval to the European Committee on Legal Co-operation (CDCJ) in December 1998, and then to the Committee of Ministers for adoption.
prepared by the Directorate of Legal Affairs
This paper sets out fair privacy practice for Users and Internet Service Providers (ISP). Users should be aware of the responsibilities of Internet Service Providers and vice versa. Therefore it is advisable that Users and Service Providers read all of the text, although for ease of use it is divided into several parts. You may be concerned by the guidelines of one or more parts. Use of the Internet places responsibilities on each of your actions and also poses risks to privacy. It is important to behave in a way which provides protection to yourself and promotes good relations with others. This paper suggests some practical ways to safeguard privacy but you should also know your legal rights and obligations. Remember that respect for privacy is a fundamental right which may be protected by law, especially by data protection legislation, so it may be well worth checking your legal position.
II. ESPECIALLY FOR USERS
1. Remember that the Internet is not secure. Use all available means to protect your data and communications, such as legally available encryption for confidential e-mail as well as access codes to your own PC.
3. Anonymous access to and use of services, and anonymous means of making payments, are the best protection of privacy. Find out about technical means to achieve anonymity, where appropriate.
4. If complete anonymity is impractical and if it is permitted by law you may use a pseudonym so that your personal identity is known only to your ISP.
5. Only give your ISP, or any other person, such data as are necessary in order to fulfil a specific purpose you have been informed about. Be especially careful with credit card and account numbers, which can be used and abused very easily in the context of the Internet.
6. Remember that your e-mail address is personal data, and that others would like to use it for different purposes, such as inclusion in directories or user lists. Do not hesitate to ask about the purpose of the directory or other use. You can request to be omitted if you do not want to be listed.
7. Be wary of sites which request more data than are necessary for accessing the site or for making a transaction or which do not tell you why they want all these data from you.
8. Remember that you are legally responsible for processing of data, for example if you illicitly upload or download, and that everything may be traced back to you even if you use a pseudonym.
9. Do not send malicious mail. It can bounce back with legal consequences.
10. Your ISP is responsible for proper use of personal data. Ask your ISP what data he/she collects, processes and stores, in what way and for what purpose. Repeat this request from time to time. Insist that your ISP change them if they are wrong or delete them if they are excessive, out of date or no longer required. Ask the ISP to notify this modification to other parties to whom he/she has communicated your data.
11. If you are not satisfied with the way your current ISP collects, uses, stores or communicates data, and he/she does not change his ways, then consider moving to another ISP. If you believe that the ISP does not comply with data protection rules, you could inform the competent authorities or take legal action.
12. Keep yourself informed of the latest privacy and security risks on the Internet as well as the methods available to reduce such risks.
13. Before you send data to another country ask the competent authorities in your country if the transfer is permissible. You might have to ask the recipient to provide safeguards necessary to ensure protection of the data.
III. ESPECIALLY FOR INTERNET PROVIDERS
1. Use all available procedures and new technologies to protect the privacy of the people concerned (users or not), especially by ensuring data integrity and confidentiality as well as physical and logical security of the network and of the services provided over the network.
2. Inform users of privacy risks presented by use of the Internet, before they subscribe or start using services. Such risks may concern data integrity, confidentiality, the security of the network or other risks to privacy such as the hidden collection or recording of personal data.
3. Inform the user about technical means which he/she may lawfully use to reduce security risks to data and communications, such as legally available encryption and digital signatures. Offer such technical means at a cost-oriented price, not a deterrent price.
4. Before accepting subscriptions and connecting users to the Internet, inform them about the possibilities of accessing the Internet anonymously, and using its services and paying for them in an anonymous way (e.g. pre-paid access cards). If complete anonymity is not appropriate in certain circumstances defined by law, offer the possibility to use pseudonyms. Inform the user about programmes allowing them to search and browse anonymously on the Internet. Design your system in a way that avoids or minimises the use of personal data.
5. Do not read, modify or delete messages sent to others.
6. Do not allow any interference with the contents of communications unless this interference is provided for by law and is carried out by a public authority.
7. Collect, process and store personal data about Users only when necessary for explicit, specified and legitimate purposes.
8. Do not communicate personal data unless the communication is provided for by law.
9. Do not store data for longer than is necessary to achieve the purpose of processing.
10. Do not use personal data for your own promotional or marketing purposes unless the person concerned, after having been informed, has not objected or, in the case of processing of traffic data or sensitive data, he/she has given his explicit consent.
11. You are responsible for proper use of personal data. Before the User starts using services, when he/she visits your site, and whenever he/she asks, inform him who you are, what personal data you collect, process and store, in what way, for what purpose and for how long you keep them. If necessary, ask for his consent. At the request of the person concerned, correct inaccurate data immediately and delete them if they are excessive, out of date or no longer required and stop the processing carried out if the user objects to it. Notify the third parties to whom you have communicated the data of any modification. Avoid the hidden collection of personal data.
12. Information provided to the user must be accurate and kept up to date.
13. Think twice about publishing personal data on your site! Such publication may infringe other people's privacy and may also be prohibited by law.
14. Before you send data to another country ask the competent authorities in your country if the transfer is permissible. You might have to ask the recipient to provide safeguards necessary to ensure protection of the data.
IV. CLARIFICATION AND REMEDIES
1. Where in this text the term ISP is used, the same applies, where appropriate, to other actors on the Internet, such as access providers, content providers, network providers, navigation software designers, bulletin board operators, etc.
2. It is important to ensure that your rights are respected. Feedback mechanisms offered by Internet User Groups, Internet Service Provider Associations, Data Protection Authorities or other bodies are important ways of ensuring that these guidelines are respected. Contact them if you need clarification or remedies.