Re: [w3c/payment-request] Regulatory Compliance Support (#632)

This is the new EU regulation:
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

You'll find various references in there to privacy by design and privacy by default. It's worth searching for those words, even if you don't read the whole spec, to get an understanding of what we need to do in the EU.

I don't think the wider policy of the W3C needs to be the topic for this API discussion, but if you want my opinion:

I think the W3C needs to assess that need on a case-by-case basis, where it decides to explicitly decide what user data will be handled by its APIs and sent to other parties.

For example, if the W3C has a spec for a Message Queue, then it would be silly to worry about the privacy impact: it has made no decision about the data included; it has to be for the parties on either side of the queue to work that out.
But if the W3C decided to replace email protocols tomorrow with a REST-based one that is enriched with user profile lookup, then yes, it should go through the same process.

It may need to do this retrospectively if it already has other APIs, like this payment API, that make explicit decisions about how third parties will gain access to the public's personal data.

-- 
https://github.com/w3c/payment-request/issues/632#issuecomment-335995634

Received on Thursday, 12 October 2017 01:41:53 UTC