The Data Protection Act

Started by Sir Lüc, Today at 01:13:54 PM


Sir Lüc

WHEREAS, during the electoral campaign for the 62nd Cosa General Elections, issues regarding the then-existing and outdated provisions on privacy and electoral communications were brought to light; and

WHEREAS, those issues were generally amicably resolved between contesting political parties and the Chancery, through the issuing of 61PD01 and certain stopgap provisions in the Election Rules for the 62nd Cosa General Elections; and

WHEREAS, it is regardless evident that Talossa needs a more permanent framework for data protection, resulting from open discussion between all stakeholders and data protection experts; and

WHEREAS, it is now necessary to have such a framework in place, so that Talossa is fully compliant with macronational data protection standards, and so that campaigning for the next General Election can be held under stable, democratically set rules; so

THEREFORE we, the Ziu of the Kingdom of Talossa, hereby enact as follows.

El Lexhatx Title D Section 7.4 is repealed in full and amended to read:

Quote:
7.4 Data Protection
7.4.1 Personal information such as, but not limited to, private mailing addresses, contact telephone numbers, private email addresses, given names, ages, dates of birth, and national identification numbers shall be held on file by the Chancery and shall only be accessed by the Secretary of State or The King, except where the citizen to whom the data relates has given explicit, informed, and freely given consent for such access or disclosure.

7.4.2 The Chancery shall ensure that all personal data collected, stored, or processed by any body of the Kingdom complies with the following principles:
a. Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the citizen to whom it relates.
b. Purpose limitation: Personal data shall be collected only for specified, explicit, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes.
c. Data minimisation: Personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
d. Accuracy: Personal data shall be accurate and, where necessary, kept up to date. Inaccurate data shall be corrected or erased without delay.
e. Storage limitation: Personal data shall not be retained in identifiable form for longer than is necessary for the purpose for which it was collected.
f. Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised access, loss, or destruction, through suitable technical and organisational measures.
g. Accountability: The Chancery, as the data controller, shall be responsible for and able to demonstrate compliance with all of the above principles.

7.4.3 Citizens shall have the right to request access to any personal data held about them by the Chancery, to request correction of inaccurate data, or to request deletion of their personal data unless retention is legally required for citizenship verification or archival purposes.

7.4.4 All personal data shall be securely stored, encrypted when technically feasible, and automatically deleted or anonymised after two years of inactivity, unless required for lawful archival purposes.

7.4.5 Any unauthorised disclosure, misuse, or negligent handling of citizens' personal data shall be treated as a data breach, and reported immediately upon discovery or knowledge of such breach to the citizen to whom the breached data pertains and the Uppermost Cort, which may order appropriate remedies and sanctions.

El Lexhatx Title D Section 7.6 is created to read:

Quote:
7.6 Mailing Lists
7.6.1 The Chancery shall serve as an email forwarding service for a number of purposes outlined in this section. To this end, the Chancery shall maintain a number of Mailing Lists for each separate purpose, such that 1) senders do not have access to citizens' personal email addresses; 2) messages are distributed only to citizens who have provided valid consent to receive them; and 3) all data processing complies with the principles set out in D.7.4 and its subsections.

7.6.2 The Chancery shall provide a simple and accessible mechanism for citizens to withdraw consent for the use or sharing of their personal data at any time, for what concerns any or all of the purposes listed below. Upon withdrawal, the Chancery shall ensure that the data is no longer used for the specified purposes.

7.6.3 No personal data, including email addresses, shall be disclosed to anyone unless a citizen has given explicit, informed, and specific consent for such disclosure. Consent to receive forwarded communications for any purpose shall not be interpreted as consent for direct data sharing.

7.6.4 Emails containing the Clark or electoral ballots, or reminders for voting on the Clark or on a General Election, or invitations to respond to a Census, or any other communication that originates directly from the Chancery and that the Chancery must send as a result of its operations, are exempt from the requirements of this section.

7.6.5 An Electoral Mailing List shall be maintained by the Chancery for the purpose of enabling electoral communications.
7.6.5.1 The Electoral Mailing List shall only be accessible to the Chancery for the purpose of forwarding electoral literature on behalf of political parties that are fully registered and have paid their registration fee.
7.6.5.2 Political parties shall not have direct access to the Electoral Mailing List. Each registered party shall be entitled to submit electoral literature through its leader or an agent authorised during registration, which shall be forwarded by the Chancery within a day to all citizens who have opted in to receive electoral communications.
7.6.5.3 Up to one communication may be forwarded prior to Balloting Day, and up to two communications may be forwarded between Balloting Day and the subsequent Election Deadline, no fewer than a week apart.
7.6.5.4 Each communication shall be titled and clearly identify the author, the person submitting the literature, and the registered political party on whose behalf the literature is being sent.
7.6.5.5 The Chancery shall maintain an auditable record of all parties that have submitted electoral communications and the dates on which messages were forwarded.

7.6.6 A News Mailing List shall be maintained by the Chancery for the purpose of sharing monthly gazettes compiled by the Government.
7.6.6.1 Communications shared in this way shall entirely consist of news about Talossa and drafted by the relevant Government minister.
7.6.6.2 Such communications may only be forwarded up to once per calendar month.

7.6.7 A Governmental Mailing List shall be maintained by the Chancery for the purpose of sharing information about Government business.
7.6.7.1 Communications shared in this way must entirely pertain to official Government business.
7.6.7.2 Such communications may not include publicity for, or any other business pertaining to, any political party or candidate for election, or any particular outcome for a specific referendum.
7.6.7.3 Such communications may only be forwarded no fewer than thirty days apart, and not in the period between a Dissolution of the Cosa and the Certification Deadline for the subsequent General Election.

El Lexhatx Title D Section 7.7 is created to read:

Quote:
7.7 GDPR Compliance
7.7.1 The Chancery shall be the designated data controller for all personal data processed in connection with the conduct of elections, referendums, censuses, or official communications.

7.7.2 If Talossan law conflicts with the data protection laws of a citizen's country of residence, the Chancery shall interpret and apply Talossan law in a manner consistent with those laws to the greatest extent possible. No officer of the Kingdom shall be compelled by Talossan law to act in a manner that would breach the applicable data protection laws of their country of residence.

7.7.3 The Chancery may, in consultation with the Technology Minister and the Uppermost Cort, issue regulations governing the technical and procedural aspects of this system, including encryption, password protection, and secure message forwarding.

7.7.4 The Chancery shall publish an annual Privacy Notice summarising the categories of data collected, the lawful bases for processing, and the data protection rights of citizens.

FURTHERMORE, El Lexhatx Title C Section 1.2.2.1. be amended by removing the clause "The Chancery will provide an option for respondents to share their email address with party leaders, pursuant to D.8.5.4."

FURTHERMORE, El Lexhatx Title C Section 1.2.2.3. be amended by removing the clause "The only exception is that citizens may opt to have their e-mail address shared with party leaders, pursuant to D.8.5.4."

FURTHERMORE, El Lexhatx Title C Section 1.2.2.5. and all its subsections, whose purpose has been transferred to El Lexhatx Title D Section 7.6.7 and its subsections, be repealed in full.

FURTHERMORE, El Lexhatx Title E Section 11.4 be amended to read:

Quote:
If, during the immigration process, a prospective citizen states that it is OK for Talossans to contact them by email, the prospective shall be opted in to the Electoral, News and Governmental Mailing Lists once they are granted citizenship. The Secretary of State shall notify the new citizen that they may opt out from any of the Mailing Lists at any time by contacting the Chancery.

FURTHERMORE we, the Ziu of the Kingdom of Talossa, hereby pay tribute to Baroness Cjantscheir of Tamoran Beach, and recognise her invaluable input in the drafting of parts of this bill, while regretting that medical reasons leave her unable to support the bill further.

Uréu q'estadra så,

Sir Lüc da Schir (Secretary of State)
Sir Lüc da Schir, UrB
Secretary of State / Secretar d'Estat

Sir Lüc

There we go. 7.6.6 and 7.6.7 need a bit of work but otherwise this should be pretty complete.

Despite past discussions on the topic, I did not include in my draft a hypothetical "cultural" mailing list, because:
  • I think it would be undesirable to chuck vastly different endeavours under that label, but conversely, it would be pretty onerous to implement separate lists for each (I think there should be a reasonable limit to what the Chancery is expected to do for what isn't really one of its core tasks); and
  • I think it would be difficult to define who could use that list without either someone being the arbiter of what counts as a "legitimate cultural entity" (and someone also deciding if a specific mailer qualifies as a cultural mailer), or potentially exposing citizens to massive spam by simply not making that call and letting anything go.

I would obviously welcome input regarding how this could be implemented, but this can also be safely deferred to some future piece of legislation.

Breneir Tzaracomprada

Quote from: Sir Lüc on Today at 01:30:04 PM
There we go. 7.6.6 and 7.6.7 need a bit of work but otherwise this should be pretty complete.

Despite past discussions on the topic, I did not include in my draft a hypothetical "cultural" mailing list, because:
  • I think it would be undesirable to chuck vastly different endeavours under that label, but conversely, it would be pretty onerous to implement separate lists for each (I think there should be a reasonable limit to what the Chancery is expected to do for what isn't really one of its core tasks); and
  • I think it would be difficult to define who could use that list without either someone being the arbiter of what counts as a "legitimate cultural entity" (and someone also deciding if a specific mailer qualifies as a cultural mailer), or potentially exposing citizens to massive spam by simply not making that call and letting anything go.

I would obviously welcome input regarding how this could be implemented, but this can also be safely deferred to some future piece of legislation.

This looks good to me. I was wondering how consent is gained during the process, and it was answered with the amended Section E 11.4.

---------------
Joy is that leaky bucket that lets me sometimes carry half a song. But what I intend for us, our claim, that joy is the justice we must give ourselves. -J. Drew Lanham