Principle 3

Respect and protect people’s fundamental online privacy and data rights

So everyone can use the internet freely, safely, and without fear

1. By establishing and enforcing comprehensive data protection and rights frameworks to protect people’s fundamental right to privacy in both public and private sectors, underpinned by the rule of law. These frameworks should be applicable to all personal data — provided by the user, observed or inferred — and include:

  1. An appropriate legal basis for data processing. Where the legal basis is consent, it must be meaningful, freely given, informed, specific, and unambiguous.
  2. The right of access to personal data, including to obtain a copy of all personal data undergoing processing by an entity, so long as such access does not adversely affect the rights and freedoms of other users.
  3. The right to object or withdraw from processing of personal data, including automated decision making and individual profiling, subject to explicit limits defined by law.
  4. The right to rectification of inaccurate personal data, and erasure of personal data, when not against the right of freedom of expression and information or other narrow limits defined by law.
  5. The right to data portability, applicable to the personal data provided by the user, either directly or collected through observing the users’ interaction with the service or device.
  6. The right to redress through independent complaints mechanisms against public and private bodies that fail to respect people’s privacy and data rights.

2. By requiring that government demands for access to private communications and data are necessary and proportionate to the aim pursued, lawful and subject to due process, comply with international human rights norms, and do not require service providers or data processors to weaken or undermine the security of their products and services. In particular, such demands should always be:

  1. Made under clearly defined laws subject to a competent and independent judicial authority that includes fair avenues for redress.
  2. Restricted to those cases where there is a legitimate public interest defined in law.
  3. Time-bounded, and not unduly restricted from disclosure to affected individuals and the public.

3. By supporting and monitoring privacy and online data rights in their jurisdictions, particularly by:

  1. Minimizing their own data collection to what is adequate, relevant, and necessary to achieve a clearly specified public interest.
  2. Requiring providers of public services and private actors to comply with existing relevant legislation and supporting strong enforcement — including administrative penalties — by independent, skilled, empowered, and well-resourced dedicated regulators.
  3. Mandating public registers to promote transparency of data sharing and/or purchase agreements in public and private sectors for profiling purposes, as well as for significant data breaches that are of public interest, to make users aware of when and how their data could be exposed.
  4. Requiring regular data security and privacy impact assessments, providing independent and transparent oversight of the assessments and independent audits for public and private sectors, and enforcing when appropriate.
