- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 27 Mar 2013 16:54:11 -0700
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: Tracking Protection Working Group <public-tracking@w3.org>

On Mar 27, 2013, at 11:52 AM, Shane Wiley wrote:

> Roy,
>
> I would prefer we continue to use Service Provider for the following reasons:
>
> - any term we use here will likely be imperfect from an individual term representation perspective (for example, Service Provider is easily seen as "one who provides service" but doesn't naturally lend itself to suggesting this is meant "on the behalf of another")

We would have a hard time coming up with a worse term than "service provider" -- that is the common term for a first party (anyone who provides a website) and also for a provider of Internet service. It already conflicts with the DAA guidelines and the English translation of the German telemedia laws sent a few days ago.

> - Data Processor is a legal term of art in the EU and I believe there is considerable confusion in reusing a term that may be interpreted as importing its legal entanglements

Nobody is going to get in trouble for claiming to be a data processor. Failing to act as a data processor within the EU just means that the data controller restrictions apply -- it does not add any entanglements. Failing to obey data controller restrictions when acting as a controller is what gets them in trouble. The concern I would have is if we tried to precisely define what qualifies as a data processor. IMO, what we should be doing is defining "party" as including data processors and then the rest of our requirements just apply to party boundaries (i.e., we wouldn't need a special term like SP if the only place it is used is within the definition of party).

> - Vendor has a more natural equation between the definitional term it represents and our probable use but Service Providers have been unhappy with "Vendor" as they feel it equates them to a consumer packaged good purchasable in your local grocery store :-). Service Provider somehow conveys a differentiated level of "value add" beyond a shrink wrapped product.

Vendor is not at all descriptive.

> - Contractor has ambiguous roots in that this is often used to refer to a human (i.e., "they're a contractor for Company XYZ" or "we hired a contractor to build our pool")

Which is also why I suggested it. Service providers can be individual humans as well. Contractors are individuals or companies under contract to perform a given service under NDA. Under the existing compliance document, a first party like Yahoo! would be forbidden from allowing its own contractors access to the data collected on the Y! sites, because contractors are a separate legal entity that is not wholly owned by the first party. That's why I objected to the definition of party being limited to a single legal entity. I don't think restricting SP to IaaS/SaaS providers is a desirable result, nor does any existing privacy law, which is why EU lumps contractors into the category of data processors and HIPAA lumps them into the category of business associates.

....Roy

Received on Wednesday, 27 March 2013 23:54:25 UTC