W3C home > Mailing lists > Public > public-tracking@w3.org > March 2013

Re: Action 368 - Definition of Service Provider/Data Processor

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 27 Mar 2013 16:54:11 -0700
Cc: Tracking Protection Working Group <public-tracking@w3.org>
Message-Id: <564CFDF7-24FB-4D34-9363-9C5CDB11ED0A@gbiv.com>
To: Shane Wiley <wileys@yahoo-inc.com>
On Mar 27, 2013, at 11:52 AM, Shane Wiley wrote:

> Roy,
> I would prefer we continue to use Service Provider for the following reasons:
> - any term we use here will likely be imperfect from an individual term representation perspective (for example, Service Provider is easily seen as "one who provides service" but doesn't naturally lend itself to suggesting this is meant "on the behalf of another")

We would have a hard time coming up with a worse term than
"service provider" -- that is the common term for a first party
(anyone who provides a website) and also for a provider of
Internet service.  It already conflicts with the DAA guidelines
and the English translation of the German telemedia laws sent
a few days ago.

> - Data Processor is a legal term of art in the EU and I believe there is considerable confusion in reusing a term that may be interpreted as importing its legal entanglements

Nobody is going to get in trouble for claiming to be a data processor.
Failing to act as a data processor within the EU just means that the
data controller restrictions apply -- it does not add any entanglements.
Failing to obey data controller restrictions when acting as a controller
is what gets them in trouble.

The concern I would have is if we tried to precisely define what
qualifies as a data processor.  IMO, what we should be doing is
defining "party" as including data processors and then the rest of
our requirements just apply to party boundaries (i.e., we wouldn't
need a special term like SP if the only place it is used is within
the definition of party).

> - Vendor has a more natural equation between the definitional term it represents and our probably use but Service Providers have been unhappy with "Vendor" as they feel it equates them to a consumer packaged good purchasable in your local grocery store :-).  Service Provider somehow conveys a differentiated level of "value add" beyond a shrink wrapped product.

Vendor is not at all descriptive.

> - Contractor has ambiguous roots in that this is often used to refer to a human (i.e., "they're a contractor for Company XYZ" or "we hired a contractor to build our pool")

Which is also why I suggested it.  Service providers can be individual
humans as well.

Contractors are individuals or companies under contract to perform a
given service under NDA.  Under the existing compliance document,
a first party like Yahoo! would be forbidden from allowing its own
contractors access to the data collected on the Y! sites, because
contractors are a separate legal entity that is not wholly owned
by the first party. That's why I objected to the definition of
party being limited to a single legal entity.

I don't think restricting SP to IaaS/SaaS providers is a desirable
result, nor does any existing privacy law, which is why EU lumps
contractors into the category of data processors and HIPAA lumps
them into the category of business associates.

Received on Wednesday, 27 March 2013 23:54:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:07 UTC