Permission simply means being open and up-front at all times …

27 Dec

“Permission simply means being open and up-front at all times about what data it’s gathering, how it will be used and, crucially, it should always be opt-in.” – Paul Sawers

I found a blog post from Paul Sawers, The Good Word, about “international permission” and how it differs from the U.S., problems with Facebook and regulating data in light of Wikileaks. Hope you find it as enlightening as I did!

Living in London, Paul Sawers is a writer, marketer and a self-confessed web geek. Follow Paul on Twitter: @TGW_Paul, or read his blog at The Good Word.

In the US, data privacy isn’t heavily legislated. There are regulations in place – but there is no overarching governmental law that stipulates how data can be acquired, stored or used. Bill Clinton and Al Gore even recommended in their “Framework for Global Electronic Commerce” that private companies should ‘self-regulate’.

Europe, on the other hand, heavily regulates and rigidly enforces laws to protect a person’s “family life, his home and his correspondence”, as outlined in Article 8 of the European Convention on Human Rights. To ensure information flows freely across the EU, the various data protection regulations from the member states were brought together under the directive on the protection of personal data, which EU states were required to transpose into their respective laws by the end of 1998. And for US and other non-EU parties, this directive specifies that data can only be transferred to other countries where a similar, adequate level of data protection exists.

The US-EU Safe Harbor Principles were thus drawn up, a program which US companies can sign up to if they adhere to the seven principles outlined in the privacy directive. US organizations – in theory – must re-certify under Safe Harbor every twelve months.

The seven principles are:

1. Notice: Individuals must be informed that their data is being collected and about how it will be used.
2. Choice: Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
3. Onward Transfer: Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
4. Security: Reasonable efforts must be made to prevent loss of collected information.
5. Data Integrity: Data must be relevant and reliable for the purpose it was collected for.
6. Access: Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
7. Enforcement: There must be effective means of enforcing these rules.