Thanks Adrian! Tim, I wonder how this compares to RUFADAA. I suppose this would be a single federal law, for one. Any comments? (See "SEC. 5. DELEGATABILITY") *Eve Maler*Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl On Thu, Oct 24, 2019 at 2:33 PM Adrian Gropper wrote:

Here’s my analysis of the ACCESS Act

http://blog.petrieflom.law.harvard.edu/2019/10/24/access-act-points-the-way-...

Adrian

On Tue, Oct 22, 2019 at 11:02 PM Adrian Gropper wrote:

...

Check out https://www.warner.senate.gov/public/index.cfm/2019/10/senators-introduce-bi...

Especially Section 5: Delegation. (There's a link https://www.scribd.com/document/431507476/ACCESS-Act-Section-by-Section-FINA... to a nice summary at the very end of the page.) It calls for a right to specify a fiduciary agent, hopefully one that I can compile and own myself. I can imagine a law like this applying to all of our service providers above a certain size, like say 50 employees.

-- Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: https://patientprivacyrights.org/donate-3/ _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org https://kantarainitiative.org/mailman/listinfo/wg-uma

I am not talking about RUFADAA although there may be some alignment. Delegation to a family member or another individual doesn’t scale in the sense of empowering groups to influence the world. It doesn’t change the asymmetric relationship in who owns and controls technology and who can benefit form ML / AI on personal data. This kind of delegation doesn’t reduce the power of the resource server to manipulate data uses by wearing down the individual subject or their proxy - the so-called dark patterns. Delegation to authorization server *technology* that is specified by the data subject *reduces* the control of the resource server because they no longer control and cannot manipulate the user interface and the user experience. They don’t control the UI. They don’t control the domain because the subject can use the same AS across healthcare and social media, etc... The resource server does benefit from reduced privacy liability, however, not to mention goodwill for their brand. Adrian On Thu, Oct 24, 2019 at 4:42 PM Eve Maler wrote:

Wait, Adrian, are you thinking of the UMA authorization server as being the custodial agent, or a separate person? I think I'm confused. We have collected a variety of use cases that are more like the RUFADAA ones, and I was reading this delegatability provision more in that fashion.

*Eve Maler*Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

On Thu, Oct 24, 2019 at 3:13 PM Eve Maler wrote:

...

Thanks Adrian! Tim, I wonder how this compares to RUFADAA. I suppose this would be a single federal law, for one. Any comments? (See "SEC. 5. DELEGATABILITY")

*Eve Maler*Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

On Thu, Oct 24, 2019 at 2:33 PM Adrian Gropper wrote:

...

Here’s my analysis of the ACCESS Act

http://blog.petrieflom.law.harvard.edu/2019/10/24/access-act-points-the-way-...

Adrian

On Tue, Oct 22, 2019 at 11:02 PM Adrian Gropper wrote:

...

Check out https://www.warner.senate.gov/public/index.cfm/2019/10/senators-introduce-bi...

Especially Section 5: Delegation. (There's a link https://www.scribd.com/document/431507476/ACCESS-Act-Section-by-Section-FINA... to a nice summary at the very end of the page.) It calls for a right to specify a fiduciary agent, hopefully one that I can compile and own myself. I can imagine a law like this applying to all of our service providers above a certain size, like say 50 employees.

-- Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: https://patientprivacyrights.org/donate-3/ _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org https://kantarainitiative.org/mailman/listinfo/wg-uma

--

Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: https://patientprivacyrights.org/donate-3/

Thanks, Tim. I think the difference is like the difference between the chicken and the pig when it comes to ham and eggs. The chicken is involved but the pig is committed. By this I mean that UMA might be involved in RUFADAA but it is not essential. Each resource server can implement delegation in many ways that don't involve UMA. I see no major secondary economic benefits arising from this. On the other hand, implementing the ACCESS delegation mandate, including the relative safe harbor for standards, can only be done with UMA or oauth.xyz or other standard protocol for delegation. The economic impact for such a mandate across the full range of personal data transfers would be immense. Adrian On Thu, Oct 24, 2019 at 6:40 PM Tim Reiniger wrote:

Eve,

The two laws are conceptually similar in that they give legal standing to third-party custodial agents in information governance --- great developments for UMA!. But RUFADAA and the Access Act involve different agent qualifications and oversight (for example, the Access Act positions the FTC as the regulatory body while RUFADAA custodians are unregulated). The two laws also deal with different use cases. (In other words, the Access Act doesn't encompass or even overlap the RUFADAA.)

Tim

On Thu, Oct 24, 2019 at 4:13 PM Eve Maler wrote:

...

Thanks Adrian! Tim, I wonder how this compares to RUFADAA. I suppose this would be a single federal law, for one. Any comments? (See "SEC. 5. DELEGATABILITY")

*Eve Maler*Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

On Thu, Oct 24, 2019 at 2:33 PM Adrian Gropper wrote:

...

Here’s my analysis of the ACCESS Act

http://blog.petrieflom.law.harvard.edu/2019/10/24/access-act-points-the-way-...

Adrian

On Tue, Oct 22, 2019 at 11:02 PM Adrian Gropper wrote:

...

Check out https://www.warner.senate.gov/public/index.cfm/2019/10/senators-introduce-bi...

Especially Section 5: Delegation. (There's a link https://www.scribd.com/document/431507476/ACCESS-Act-Section-by-Section-FINA... to a nice summary at the very end of the page.) It calls for a right to specify a fiduciary agent, hopefully one that I can compile and own myself. I can imagine a law like this applying to all of our service providers above a certain size, like say 50 employees.

-- Adrian

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: https://patientprivacyrights.org/donate-3/ _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org https://kantarainitiative.org/mailman/listinfo/wg-uma

_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org https://kantarainitiative.org/mailman/listinfo/wg-uma

-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: https://patientprivacyrights.org/donate-3/