2015-11-24-CH_student_request.txt

From: Paul-Olivier Dehaye
To: legal@coursera.org
Subject: Access and Notice under US-CH Safe Harbor as Coursera student

Dear Coursera Representative,

My name is Paul-Olivier Dehaye, I am a resident of Zurich, Switzerland. I have 
an account on the Coursera website associated to the email address 
xxxxxxxxxx@gmail.com . 

I have used the Coursera platform as a student since late 2012. Since January 
2014, Coursera has agreed to comply to the self-regulatory data protection 
framework called US-CH Safe Harbor, to be enforced by the FTC [1, where I in 
fact found your email address]. This framework encompasses seven principles 
[2], and is meant to offer equivalent protection to the Swiss Federal Act on 
Data Protection [3]. Two of those principles are Access and Notice. 

I would like to ask you for the following:

1. Under Access, I would like to get all the information associated to the 
deletion and moderation of my posts (including method used, logic, and timing 
information) in any of the courses I have participated in. I seek also to have 
information whether this moderation or deletion was automated, semi-automated 
or purely manual. 

2. Under Notice, please inform me of any data that might have been collected or 
computed about me. This includes any of the hundreds of A/B tests that I might 
have unknowingly participated in as a student. Under Notice, please also inform 
me of the logic followed to decide whether to include me or not in those 
experiments. This would include information about the ethical protocols 
followed by Coursera to decide whether and how to run this experimentation. I 
am assuming I would be informed on a case-by-case basis by universities when 
they decide to run their own experimentation (and in fact this has happened). 
This request also includes any information about the building of a "personality 
profile" [3], based on my interactions with the platform. 

3. Under Access, please provide me with all the information collected by the 
Coursera app, which I have installed on my smartphone at some point in 2015.

4. Under Access, please provide me with all the information collected for the 
purpose of identification and authentication for tests and quizzes on the 
platform. This would include keystroke biometrics and the associated 
processing, as well as pictures and the associated processing. 

5. Under Notice, please provide me with a listing of all the third parties that 
Coursera has shared or intends to share my data with, and the conditions that 
governed this transfer (a data policy, for instance). This would include 
confirmation or denial of any transfer or intent to transfer my data to law 
enforcement or intelligence services, confirmation or denial of any transfer or 
intent to transfer my data to for-profit or nonprofit universities, and 
confirmation or denial of any transfer or intent to transfer my data with 
potential investors or buyers of Coursera.

It is my understanding that Coursera has 40 days to comply with this request, 
which would bring us to January 4th 2016. Should you have any clarifying 
question, for instance about the scope of my requests, I would be happy to 
answer, but this would most likely eat into that time period. Should you fail 
to fully comply with this request, I reserve the right to use any or all 
possible avenues to exercise my rights.

Sincerely,

Paul-Olivier Dehaye
Zurich

[1] https://safeharbor.export.gov/companyinfo.aspx?id=26126 (accessed Nov 24 
2015)
[2] http://export.gov/safeharbor/swiss/eg_main_018500.asp (accessed Nov 24 2015)
[3] https://www.admin.ch/opc/en/classified-compilation/19920153/index.html 
(accessed Nov 24 2015)