- From: Walter van Holst <walter.van.holst@xs4all.nl>
- Date: Wed, 22 Oct 2014 17:34:34 +0200
- To: Justin Brookman <jbrookman@cdt.org>
- Cc: Amy Colando <acolando@microsoft.com>, public-tracking@w3.org
On 2014-10-22 17:15, Justin Brookman wrote:

> Walter, I don't think anyone objects to the idea of auditability in
> theory, but I think there are questions about what that means in the
> specification. If a DPA has the legal authority to require certain
> evidence or documentation from a data controller, then it does so -
> this standard cannot grant or deprive any consumer protection
> authority of those rights.

You are quite right that this standard cannot deprive any regulator of such rights (mind you, I object to framing all these issues as mere consumer protection issues). However, you are very wrong about the ability of this standard to grant any regulator rights. Whether by virtue of design or circumstance, the net result of this attempt at self-regulation is that it may grant the FTC an authority it never was granted through the legislative process in the USA and may give European regulators an unambiguous standard to establish consent for tracking (DNT:0).

> What do you want this standard to require
> - that companies prepare some sort of documentation in advance of a
> request? That they architect their systems in ways that can be
> comprehended by a regulator? I think there was agreement that a
> general requirement of "auditability" was confusing and certainly not
> testable, but if you have a more concrete suggestion in mind, I think
> people would be open-minded.

I still object to applying the same testability criteria to the compliance spec as we do to the technical spec. They are worlds apart and it is inherent to any compliance spec that it will contain elements that are ultimately only testable in court. It is more of a contract than a technical specification. When I draft a contract with audit clauses, I typically rely on what an EDP auditor would consider "auditable". That field has a long history of ascertaining the extent to which an organisation has taken plausible safeguards against unauthorised access to and manipulation of transaction data. May I suggest the inclusion of similar, but non-normative, language to clarify that notion of "auditability"?

Regards,

Walter
Received on Wednesday, 22 October 2014 15:35:25 UTC