[License-discuss] GDPR compliance through software license terms?

Josh Berkus josh at berkus.org
Tue Dec 15 19:09:02 UTC 2020


On 12/14/20 7:01 PM, Roland Turner via License-discuss wrote:
> Were such a compliance basis to exist I think there would be a most
> interesting discussion for OSI. I still think that it would probably be
> a non-starter, but it would address many of the problems with the
> approaches that I critiqued in my SOTS talk earlier in the year. While
> much of the debate quite properly punts "comply with the law" to the law
> instead of embedding it in licenses, there's a definite cross-border
> concern here. I really don't buy use-discriminatory licensing as
> compatible with OSD, but I can see that there's going to be a concern
> for some developers in highly-developed regulatory environments who are
> comfortable with deferring to law for licensees in their own
> jurisdiction as a harm-mitigation approach, nonetheless being quite
> uncomfortable about the lack of comparable protections elsewhere and
> looking to embedding compliance obligations in licenses to assuage this
> (e.g. compliance with data protection law in the licensor's
> jurisdiction, not the licensee's).

We may have actually approved special-purpose -- specifically,
government agency -- licenses with legal compliance language in them
before.  I haven't done a review of those licenses anytime recently, and
that's where I would expect to see such language.

However, "must comply with the law" is very different from "must comply
with this specific law in this specific country regardless of where the
software is used".  That's effectively asking to extend the legal
dominion of one country over other countries through nothing other than
a software license.  However laudable the goals of the license author
may be, the actual attempt is both futile and harmful as a side effect.

Aside from the legal issues of trying to override national law, there's
also the issue of "who decides?"  When we're talking about international
copyright law or complying with the law of your home country, a court,
presumably a neutral third party, decides.  If we're talking about
compliance with something like a privacy policy, though, there is no
neutral third party to decide; the copyright holder must decide.  And
the problem with that is that nothing prevents their decisions from
being wholly arbitrary.

Like, I have no personal experience with Viratrace and no business
relationship with them.  If they can revoke my license to their software
at any time based on whether they think, in their sole judgement, that
I've violated their privacy policies?  That's not an open source license,
it's a "shared source" license.

Ultimately, tacking the GDPR onto a license is just another "unrelated
conditions" license, and thus a clear violation of OSD5/6.  We have OSD5
and 6 for good reasons.

-- 
Josh Berkus


