[License-review] GDPR compliance through software license terms? (Re: Approval Request - ViraTrace Public Source License 1.0)
Brian Behlendorf
brian at behlendorf.com
Fri Dec 11 18:30:30 UTC 2020

On Fri, 11 Dec 2020, Wayne Thornton wrote:
> You raise an interesting set of questions and I will admit that when it
> comes to the “ins-and-outs” of GDPR and HIPAA compliance, I am probably
> not as well versed as yourself or our attorneys. That being said, we at
> ViraTrace have from the very beginning sought to ensure that the
> products we develop for automated contact tracing are the most secure
> and privacy-protective on the market.

I can speak with a fair bit of experience and authority on this front that
boutique licenses are not required for either GDPR or HIPAA compliance,
nor are they required by the unique circumstances of contact tracing or
exposure notification.

Linux Foundation Public Health has two projects, COVID Green (used in
Ireland, NYC, NJ, Penn, DE, and others on the way) and COVID Shield (used
in Canada), both licensed under the Apache license. https://lfph.io/

Wayne, come work with us if you're interested in this space, lots going on
and we can save you time and hassle over DIY, especially as we've already
addressed many of the concerns of public health authorities while also
meeting a high bar for privacy protection.

Certification, data management practices, or other regulatory processes
are the domain of the people who deploy these apps and manage the servers
the data from those apps feed, and do not encumber the distribution of
source code software. Put another way, ViraTrace has no liability when a
downstream recipient of your software deploys it and fails to meet their
regulatory obligations.

But IANAL, TINLA, etc.

Brian