RE: Action 368 - Definition of Service Provider/Data Processor

I've been working on new language to address the various concerns that have been raised about the Service Provider language and have floated the language by a few members of the working group.  Based on comments on the email list, the below language draws from the existing text in the compliance section 3.4.  That said, this language is not in a final form and many others may still have other concerns/suggestions.  However, I am distributing the below draft language in the hopes that we can begin a constructive discussion on today's call.


Outsourced service providers are considered to be the same party as their clients:
	- if the outsourced service providers act as data processors on behalf of that party, 
	- ensure that that the data can only be accessed and used as directed by that party, 
	- have no independent right to use or share the data except as necessary to ensure the integrity, 	security, and correct operation of the service being provided, and 
	- have a contract in place that outlines and mandates these requirements.


-----Original Message-----
From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
Sent: Wednesday, March 27, 2013 9:34 PM
To: Roy T. Fielding
Cc: Tracking Protection Working Group
Subject: RE: Action 368 - Definition of Service Provider/Data Processor

Roy,

Fair call-outs, so let the quest continue:

I agree Service Provider has some collision with Internet Service Provider (ISP) and the DAA choice to lump all parties related to the concept of deep packet inspection to carry a similar name.  Interestingly, I wasn't able to quickly find what the DAA calls the party that provides services on the behalf of another party (much to your previous arguments here it appears they are similarly referred to as simply the "1st party").

Data Processor is an EU legal term of art and does indeed come with some entanglements.  One of the simplest is the requirement for a contract between the DC and DP with certain specific elements.  How do you apply this to distributed ad serving scenarios through Exchanges where this is a chain of contracts but not a direct contract?  This is already being discussed in the EU context (Rigo touched on this last year).  There is also concern of exporting EU law to other markets - whereas reusing a single legal term isn't exactly doing that, that are those in our group that will resist that direction.

Not materials to this conversation but contractors don't necessarily have NDAs in place - confidentiality requirements may or may not be part of the relationship.  I believe this is a term that is overused but perhaps has some place here as it implies one party providing a service to another party under contract (similar to Data Processor in that regard).  It's the singular human confusion that causes me concern (whereas we're all "data processors" as humans but the term in isolation sounds like a company to me - not a specific person).

Other choices...

Perhaps Vendor not being overly descriptive actually works in our favor here.  It gives us a term to define for our own needs and implies a relationship where one party is providing (selling) something to another party.  In the Privacy world there is considerable discussion of "Vendor Management" to address this topic so there is some precedence here.  Would you have strong objection in this direction?

- Shane

-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: Wednesday, March 27, 2013 4:54 PM
To: Shane Wiley
Cc: Tracking Protection Working Group
Subject: Re: Action 368 - Definition of Service Provider/Data Processor

On Mar 27, 2013, at 11:52 AM, Shane Wiley wrote:

> Roy,
> 
> I would prefer we continue to use Service Provider for the following reasons:
> 
> - any term we use here will likely be imperfect from an individual 
> term representation perspective (for example, Service Provider is 
> easily seen as "one who provides service" but doesn't naturally lend 
> itself to suggesting this is meant "on the behalf of another")

We would have a hard time coming up with a worse term than "service provider" -- that is the common term for a first party (anyone who provides a website) and also for a provider of Internet service.  It already conflicts with the DAA guidelines and the English translation of the German telemedia laws sent a few days ago.

> - Data Processor is a legal term of art in the EU and I believe there 
> is considerable confusion in reusing a term that may be interpreted as 
> importing its legal entanglements

Nobody is going to get in trouble for claiming to be a data processor.
Failing to act as a data processor within the EU just means that the data controller restrictions apply -- it does not add any entanglements.
Failing to obey data controller restrictions when acting as a controller is what gets them in trouble.

The concern I would have is if we tried to precisely define what qualifies as a data processor.  IMO, what we should be doing is defining "party" as including data processors and then the rest of our requirements just apply to party boundaries (i.e., we wouldn't need a special term like SP if the only place it is used is within the definition of party).

> - Vendor has a more natural equation between the definitional term it represents and our probably use but Service Providers have been unhappy with "Vendor" as they feel it equates them to a consumer packaged good purchasable in your local grocery store :-).  Service Provider somehow conveys a differentiated level of "value add" beyond a shrink wrapped product.

Vendor is not at all descriptive.

> - Contractor has ambiguous roots in that this is often used to refer 
> to a human (i.e., "they're a contractor for Company XYZ" or "we hired 
> a contractor to build our pool")

Which is also why I suggested it.  Service providers can be individual humans as well.

Contractors are individuals or companies under contract to perform a given service under NDA.  Under the existing compliance document, a first party like Yahoo! would be forbidden from allowing its own contractors access to the data collected on the Y! sites, because contractors are a separate legal entity that is not wholly owned by the first party. That's why I objected to the definition of party being limited to a single legal entity.

I don't think restricting SP to IaaS/SaaS providers is a desirable result, nor does any existing privacy law, which is why EU lumps contractors into the category of data processors and HIPAA lumps them into the category of business associates.

....Roy

Received on Wednesday, 3 April 2013 15:37:54 UTC