On Fri, Sep 2, 2016 at 10:36 PM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:

Well, given that GDPR is pan-EU and takes effect soon and has real financial penalties, I'd say that it's not a bad place to start.

Rather than dismissing other's proposals, what do you propose instead?

I'd love to see what you've got in mind to take the 10 pages down to the short versions. Also preferably text that works for non-US regulations.

andrew.

Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security

On Fri, Sep 2, 2016 at 6:22 PM, Adrian Gropper <agropper@healthurl.com> wrote:
The GDPR is useful but not enough. We need to see more companies compete on the basis of privacy the way they compete on cost or features. To enable that, we need privacy policies that are structured and standardized.

A standards-type of organization would need to categorize the various kinds of information business and then write a standard privacy policy for that category. Businesses would be asked to self-assert a category and only list the exceptions for their business relative to the standard. Categories could be for banks, telecom, merchants, social media, multi-player games, health services, media distribution, government services, productivity software, home appliances, and a handful more. It's pretty easy to tell which category any given product or service is in terms of personal information handling as defined in the GDPR.

Within the categories, we would pull out and structure obvious features such as: is a standard API available for 100% of the private information they hold (like a calendar or email service do); how does the business provide transaction notification to users; prior notification of policy changes; does the business ever export de-identified individual level data; which national jurisdiction is data processed under; is there a right to immediate export and deletion including backups, what technologies are used to track users; and a few more like that.

It would not take much to move from the 10-page privacy policies and terms of use we have today to a typical policy having 0 to 6 exceptions on a single mobile phone screen.

From my perspective as a privacy advocate, simply working toward model clauses or applying CommonAccord to GDPR would be helpful but it could also be a distraction at a time when we need to make very rapid progress to avoid a crisis. Do we really believe that GDPR and HIPAA are the future or are they just the camel's nose under a very shaky tent?

Adrian

On Fri, Sep 2, 2016 at 8:05 PM, James Hazard <james.g.hazard@gmail.com> wrote:
Great work!

As we considered "consent" vs other words in the conversation today, the GDPR's vocabulary seemed important, because it is likely to have great influence on privacy, in Europe and outside. http://www.commonaccord.org/index.php?action=doc&file=/Wx/eu/europa/eur-lex/GDPR/Comment/Consent/0.md

A thought occurred to me - what if privacy policies and similar agreements relating to privacy mapped to the organization of provisions of the GDPR and reused, to the extent reasonable, the vocabulary of the GDPR. This would provide a base for a common taxonomy. The taxonomy would prove inadequate or undesirable, at least in detail, in many circumstances, but it is an influential starting place.

Some time ago, I played with this notion in connection with the CPBR - the proposed US Consumer Privacy Bill of Rights. Like the GDPR, the CPBR calls for organizations (like Kantara?) to create charters that can be used by companies. I played out the idea as a privacy policy that referenced a charter, which in turn mapped to (was mostly made from) the CPBR. The resulting privacy policy is goofy, but it demonstrates a chain-of-text that connects all the layers of the conversation.

http://www.commonaccord.org/index.php?action=list&file=Wx/gov/whitehouse/OMB/Legislative/Letters/cpbr-act-of-2015/

The GDPR has the additional advantage of being quite complete, actually enacted, available in many languages, etc.
http://www.commonaccord.org/index.php?action=doc&file=/Wx/eu/europa/eur-lex/GDPR/Form/0.md#Article.Sec

On Fri, Sep 2, 2016 at 3:43 PM, Eve Maler <eve@xmlgrrl.com> wrote:
http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+notes#UMAlegalsubgroupnotes-2016-09-02
2016-09-02
Working session on User-Managed Access (UMA) in Contractual and Regulatory Contexts
Eve will try to press ahead with lots of editing AIs prior to the call
Adrian and Kathleen have sent various suggestions in list/private email in the last month we should review
Attending: Eve, Kathleen, Ann, John W, Mary, Jim
We did a ton of work in the document.
If you haven't seen it, the latest version of the slides with the "legal use cases" is here. Please feel free to share it.
See also Jim's CommonAccord capture of the GDPR.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma

--
@commonaccord

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma

@commonaccord