<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi Wayne,</div>
<div class="moz-cite-prefix"><br>
</div>
<blockquote type="cite"
cite="mid:1764a910a39.e14846f8839613.2781088703153336734@viratrace.us">
<div style="font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10pt;">
<div>First, regarding rationale: Our company is in the business
of creating frameworks and software products which facilitate
automated contact tracing initiatives across the globe. These
frameworks and products must be GDPR- and HIPPA-compliant and
have been designed to be such, with strict, ongoing legal
review processes undertaken to ensure this. The frameworks and
products that we create are designed to be utilized by
governmental agencies and private corporations in the creation
of applications and platforms which aid in the fight against
COVID-19 and future pandemic scenarios. In order for this to
be of benefit, the frameworks and software we develop must be
open source, so that the governmental agencies and private
corporations can be free to utilize them. Unfortunately, due
to the legal compliance issues vis-a-vis GDPR and HIPPA, a
level of control regarding development must be maintained. It
is our position that the GNU and other OSI-approved licenses
do not provide this level of control. <br>
</div>
</div>
</blockquote>
<p>Others are addressing the appearance of a profound
incompatibility between what you're proposing ("free to utilise"
vs. "level of control [by Viratrace]") and the Open Source
Definition.</p>
<p>I'm interested in the concept of software license terms as an
element of GDPR compliance. Can you explain how you see license
terms being a relevant part of this? It is my understanding that
data protection law in most jurisdictions is about the legal
obligations of organisations in control of personal data both with
respect to that data and to people that it relates to (and often
to regulators), and legal/contractual obligations of other
organisations processing that data on their behalf; software
licensors are not part of the picture. As neither Viratrace nor
likely licensees would be looking to establish a
controller/processor relationship[1] through the license, the
relevance is not immediately clear to me.</p>
<p>(For a sense of where I'm coming from:</p>
<ul>
<li>Although this is my first ever post to license-review, I've
been involved in open-source license advocacy for rather a long
time. It was I who initially proposed late last century (!) a
multi-license approach for Mozilla.</li>
<li>I serve as Chief Privacy Officer for my employer — a
specialist processor of personal data — and in that capacity
have assisted customers with data protection obligations across
a dozen jurisdictions on four continents.</li>
<li>Although the specific concerns of Free Software are largely
out of scope here, I am an advocate of the approach and have
spoken in public about the overlapping objectives of Software
Freedom and of GDPR data subject rights.<br>
</li>
<li>I am tangentially involved in Singapore's TraceTogether
program as an independent expert, both on the technology and on
personal data protection.<br>
</li>
<li>I am working on a design for a system to extend TraceTogether
which coincidentally also uses secure enclaves, although for a
much simpler purpose that the one that you appear to be
pursuing.)</li>
</ul>
<p><br>
</p>
<p>- Roland</p>
<p><br>
</p>
<p>1: nor the analogous relationships in other jurisdictions</p>
<p><br>
</p>
</body>
</html>