Re: alternative to party and outsourcing definitions

On Oct 2, 2012, at 1:09 PM, Jonathan Mayer wrote:

> What's the "rabbit hole" this text spares us from?  In my reading it roughly tracks where the Compliance document currently stands, save considering service providers to be part of the first party.

The spec is focused on the party as a legal entity (or group of
entities under common ownership) and assumes that the legal
entity operates a website that is determined by inference to
be the first party.  Service providers are grafted on top of that.
The rest of the spec is then strewn with requirements that are
based on party and first party being allowed to do certain
things and not do other things, most of which contradict the
service provider definition and don't take into account the
need for sharing within the entire group.

That's a rabbit hole.  We have already spent a year exploring it
and made zero progress.

The user doesn't care about ownership.  They care about data flow.
It doesn't matter how many companies, contractors, outsourcers,
consultants, and general busy bodies are active on a site; what
matters is who is responsible for control of the data and the
scope in which it can be retained/used/shared.

A typical large website consists of dozens of contractors working
on behalf of the site owner.  In many cases, the contractors are
split across multiple continents.  Since most of them will be
working under SLAs, they will be logging information about whatever
they are responsible for on the site and dynamically adjusting
behavior based on that information.  When sh*t happens, all of the
people involved in running a site will be sharing their observations
and doing whatever it takes to get things right again.

Even companies that wholly own and operate their systems will
occasionally contract with marketing consultants to look at the
data they have and advise them on better ways to reach their
audience (under confidentiality restraints, of course).
Likewise for traditional audits.  These are not difficult concepts,
but the way in which the spec is focused completely fails to
support them.

The user just sees a brand, usually associated with a domain name,
and doesn't care whether the operators are employees of the owner
or merely working on a contract.  They do (or at least should) care
about confidentiality and where their data can be used.  Thus, we
can and should define the first party as a group, with one entity
being the data controller (or multiple being joint controllers)
and then focus on the data flow after that.


Received on Wednesday, 3 October 2012 07:32:06 UTC