W3C home > Mailing lists > Public > public-tracking@w3.org > March 2013

RE: Action 368 - Definition of Service Provider/Data Processor

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Thu, 28 Mar 2013 01:34:09 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: Tracking Protection Working Group <public-tracking@w3.org>
Message-ID: <DCCF036E573F0142BD90964789F720E31402CA14@GQ1-MB01-02.y.corp.yahoo.com>

Fair call-outs, so let the quest continue:

I agree Service Provider has some collision with Internet Service Provider (ISP) and the DAA choice to lump all parties related to the concept of deep packet inspection to carry a similar name.  Interestingly, I wasn't able to quickly find what the DAA calls the party that provides services on the behalf of another party (much to your previous arguments here it appears they are similarly referred to as simply the "1st party").

Data Processor is an EU legal term of art and does indeed come with some entanglements.  One of the simplest is the requirement for a contract between the DC and DP with certain specific elements.  How do you apply this to distributed ad serving scenarios through Exchanges where this is a chain of contracts but not a direct contract?  This is already being discussed in the EU context (Rigo touched on this last year).  There is also concern of exporting EU law to other markets - whereas reusing a single legal term isn't exactly doing that, that are those in our group that will resist that direction.

Not materials to this conversation but contractors don't necessarily have NDAs in place - confidentiality requirements may or may not be part of the relationship.  I believe this is a term that is overused but perhaps has some place here as it implies one party providing a service to another party under contract (similar to Data Processor in that regard).  It's the singular human confusion that causes me concern (whereas we're all "data processors" as humans but the term in isolation sounds like a company to me - not a specific person).

Other choices...

Perhaps Vendor not being overly descriptive actually works in our favor here.  It gives us a term to define for our own needs and implies a relationship where one party is providing (selling) something to another party.  In the Privacy world there is considerable discussion of "Vendor Management" to address this topic so there is some precedence here.  Would you have strong objection in this direction?

- Shane

-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com] 
Sent: Wednesday, March 27, 2013 4:54 PM
To: Shane Wiley
Cc: Tracking Protection Working Group
Subject: Re: Action 368 - Definition of Service Provider/Data Processor

On Mar 27, 2013, at 11:52 AM, Shane Wiley wrote:

> Roy,
> I would prefer we continue to use Service Provider for the following reasons:
> - any term we use here will likely be imperfect from an individual 
> term representation perspective (for example, Service Provider is 
> easily seen as "one who provides service" but doesn't naturally lend 
> itself to suggesting this is meant "on the behalf of another")

We would have a hard time coming up with a worse term than "service provider" -- that is the common term for a first party (anyone who provides a website) and also for a provider of Internet service.  It already conflicts with the DAA guidelines and the English translation of the German telemedia laws sent a few days ago.

> - Data Processor is a legal term of art in the EU and I believe there 
> is considerable confusion in reusing a term that may be interpreted as 
> importing its legal entanglements

Nobody is going to get in trouble for claiming to be a data processor.
Failing to act as a data processor within the EU just means that the data controller restrictions apply -- it does not add any entanglements.
Failing to obey data controller restrictions when acting as a controller is what gets them in trouble.

The concern I would have is if we tried to precisely define what qualifies as a data processor.  IMO, what we should be doing is defining "party" as including data processors and then the rest of our requirements just apply to party boundaries (i.e., we wouldn't need a special term like SP if the only place it is used is within the definition of party).

> - Vendor has a more natural equation between the definitional term it represents and our probably use but Service Providers have been unhappy with "Vendor" as they feel it equates them to a consumer packaged good purchasable in your local grocery store :-).  Service Provider somehow conveys a differentiated level of "value add" beyond a shrink wrapped product.

Vendor is not at all descriptive.

> - Contractor has ambiguous roots in that this is often used to refer 
> to a human (i.e., "they're a contractor for Company XYZ" or "we hired 
> a contractor to build our pool")

Which is also why I suggested it.  Service providers can be individual humans as well.

Contractors are individuals or companies under contract to perform a given service under NDA.  Under the existing compliance document, a first party like Yahoo! would be forbidden from allowing its own contractors access to the data collected on the Y! sites, because contractors are a separate legal entity that is not wholly owned by the first party. That's why I objected to the definition of party being limited to a single legal entity.

I don't think restricting SP to IaaS/SaaS providers is a desirable result, nor does any existing privacy law, which is why EU lumps contractors into the category of data processors and HIPAA lumps them into the category of business associates.

Received on Thursday, 28 March 2013 01:36:00 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:07 UTC