Re: June Change Proposal, service provider => implementation partner

Hi Roy,

I've created ISSUE-206 on the Compliance June product; a new issue for the topic of this change. (It may also be closely related to pending review ISSUE-49.)

I've set up a wiki page for this proposal: http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Service_Provider

Thanks,
Nick

On Jun 25, 2013, at 4:17 AM, "Roy T. Fielding" <fielding@gbiv.com> wrote:

> The definition of service provider in the June draft is not
> adequate to describe what is commonly known as data processors
> in the EU or business associates in HIPAA.  As a result, the
> spec as written actually forbids a party from sharing data
> amongst its own services and contractors even if the data
> remains under the party's control.  For example, it would
> forbid a contractor (not an employee) from looking at a logfile,
> would forbid an independent auditor from looking at any of
> the data records, and would forbid multiple service providers
> from working together with a common data set.  It also presumes
> that existing contracts will be rewritten.  And the SP term
> itself is confusing.
> 
> Existing text in Sec 2:
> ============================
> An outsourced service provider is considered to be the same
> party as its client if the service provider:
> 
> 1. acts only as a data processor on behalf of the client;
> 2. ensures that the data can only be accessed and used as
>    directed by that client;
> 3. has no independent right to use or share the data except
>    as necessary to ensure the integrity, security, and correct
>    operation of the service being provided; and
> 4. has a contract in place that outlines and mandates these
>    requirements.
> ============================
> 
> 
> Replacement:
> ============================
> Most sites, services, or resources on the Web involve
> multiple parties that process the data received in a given
> interaction.  For example, the parties involved during an
> interaction might include domain name services, network access
> points, content distribution networks, load balancing services,
> security filters, cloud platforms, and software-as-a-service
> providers.  Likewise, additional parties might be engaged after
> an interaction, such as when services or contractors are used
> to perform specialized data analysis or records retention.
> 
> For the data received in a given network interaction, a party
> is considered to be an "implementation partner" if it
> 
>  (1) processes the data on behalf of another party;
> 
>  (2) ensures that the data is only retained, accessed, and
>      used as directed by that party;
> 
>  (3) has no independent right to use the data other than as
>      aggregated and anonymous counts (e.g., for monitoring
>      service integrity, load balancing, capacity planning, or
>      billing); and,
> 
>  (4) has a contract in place with that party which is consistent
>      with the above limitations.
> ============================
> 
> 
> and then use the term where needed ...
> 
> Existing text in Sec 2:
> ============================
> A third party is any party other than a first party, service provider, or the user.
> 
> Whether a party is a first or third party is determined within and limited to a specific network interaction.
> ============================
> 
> Replacement:
> ============================
> Within the context of a specific network interaction, a third party is any party other than the user, the first party, or a party acting as an implementation partner for the first party.
> ============================
> 
> 
> Existing text in Sec 4:
> ============================
> The first party MUST NOT pass information about this network interaction to third parties who could not collect the data themselves under this standard. Information about the transaction MAY be passed on to service providers acting on behalf of the first party
> ============================
> 
> Replacement:
> ============================
> A first party and its implementation partners MUST NOT pass information about this network interaction to third parties who could not collect the data themselves under this standard.
> ============================
> 
> 
> and after the existing text in Sec 5:
> ============================
> The third party MAY nevertheless collect, use, and retain such information for the set of permitted uses described below. Further, parties MAY collect, use, and retain such information in order to comply with applicable laws, regulations, and judicial processes.
> ============================
> 
> Add:
> ============================
> A party acting as an implementation partner for a third party is subject to the same constraints as that third party, except that the data it collects on behalf of that third party MAY be shared with that third party.
> ============================
> 
> ....Roy

Received on Wednesday, 26 June 2013 23:19:06 UTC