[License-review] GDPR compliance through software license terms? (Re: Approval Request - ViraTrace Public Source License 1.0)
Josh Berkus
josh at berkus.org
Fri Dec 11 19:15:34 UTC 2020
On 12/11/20 9:04 AM, Wayne Thornton wrote:
> The software we have, are and will release under the proposed license
> has undergone stringent legal review for both HIPAA and GDPR compliance
> in terms of automated contact tracing applications. It has been
> determined to be fully compliant with both regulations by the
> Information Commissioner’s Office for the EU and the Attorney General’s
> Office of the United States.
>
> By including the provisions at issue within our license, we ensure that
> we remain responsible for legal compliance with data privacy regulations
> and that end users have a central point of contact for questions or
> concerns regardless of where or how, or by whom the technology is deployed.
I'm confused, because this is simply not how software works.
If I make a copy of Viratrace and deploy it, its adherence to privacy
standards is based on how I carry out that deployment, much more than
what's in the code. You can write the most secure, privacy-conscious
contact tracing application in the world and it won't matter if I post
the main administration credentials on Twitter, or run the software on a
machine that the world can telnet into.
From my perspective, you are trying to address something through a
license that *cannot* be meaningfully addressed through a license,
whether open source or proprietary. What you want is a compliance
program, not a license. That is, let people do whatever they want with
the code, but they can only call it Viratrace if it's certified
privacy-compliant by your company. That's the way to handle this, and I
work for a company that currently makes a lot of money doing exactly that.
Also ... the CAL was specifically written to be compatible with the
GDPR, so I don't think you correctly understood 4.2.1.
--
Josh Berkus