P12. User notification about third-party requests for user information

The company should notify users to the extent legally possible when their user information has been demanded by governments and other third parties.

Elements:

  1. Does the company clearly disclose that it notifies users when government entities (including courts or other judicial bodies) demand their user information?
  2. Does the company clearly disclose that it notifies users when it receives requests for their user information through private processes?
  3. Does the company clearly disclose situations when it might not notify users, including a description of the types of government demands it is prohibited by law from disclosing to users?

Definitions:

Government demands — This includes demands from government ministries or agencies, law enforcement, and court orders in criminal and civil cases.

Notice / Notify – The company communicates with users or informs users about something related to the company or service.

Third party – A “party” or entity that is anything other than the user or the company. For the purposes of this methodology, third parties can include government organizations, courts, or other private parties (e.g., a company, an NGO, an individual person).

Private requests — Requests made through a private process rather than a judicial or governmental process. Private requests for content restriction can come from a self-regulatory body such as the Internet Watch Foundation, or a notice-and-takedown system, such as the U.S. Digital Millennium Copyright Act. For more information on notice-and-takedown, as well as the DMCA specifically, see the recent UNESCO report, “Fostering Freedom Online: The Role of Internet Intermediaries” at http://unesdoc.unesco.org/images/0023/002311/231162e.pdf (p. 40-52 of 211).

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Indicator guidance: We expect companies to clearly disclose a commitment to notifying users when governments and other third parties request data about their users. We acknowledge that this notice may not be possible in legitimate cases of an ongoing investigation; however, we expect companies to specify what types of requests they are prohibited by law from disclosing.

Potential sources:

  • Company transparency report
  • Company law enforcement guidelines
  • Company privacy policy
  • Company human rights policy