[License-discuss] GDPR compliance through software license terms?

Roland Turner roland at rolandturner.com
Tue Dec 15 03:01:11 UTC 2020


Thanks Pam,

I was conscious of the scope problem when I posted, but figured that a 
short excursion into the novel benefit claimed of the proposed license 
was probably reasonable within the review, given that that claim was the 
basis for its design. Do you feel that opening that discussion here 
instead would have been a better approach?

For the benefit of those not watching license-review: Viratrace withdrew 
its proposal without providing a basis for the 
GDPR-compliance-determination claim, and so far as I can tell there can 
be no basis for such a thing. I suspect that they have confused 
mandatory registration of a data processing operation with compliance 
certification of their software.

Were such a compliance basis to exist I think there would be a most 
interesting discussion for OSI. I still think that it would probably be 
a non-starter, but it would address many of the problems with the 
approaches that I critiqued in my SOTS talk earlier in the year. While 
much of the debate quite properly punts "comply with the law" to the law 
instead of embedding it in licenses, there's a definite cross-border 
concern here. I really don't buy use-discriminatory licensing as 
compatible with OSD, but I can see that there's going to be a concern 
for some developers in highly-developed regulatory environments who are 
comfortable with deferring to law for licensees in their own 
jurisdiction as a harm-mitigation approach, nonetheless being quite 
uncomfortable about the lack of comparable protections elsewhere and 
looking to embedding compliance obligations in licenses to assuage this 
(e.g. compliance with data protection law in the licensor's 
jurisdiction, not the licensee's).

- Roland

------------------------------------------------------------------------

On 14/12/20 6:59 am, Pamela Chestek wrote:
>
> Moving the conversation to license-discuss, since it's not about the 
> terms of this license specifically but more generally about the 
> intersection of GDPR compliance and software licensing.
>
> Pam
>
> Pamela Chestek
> Chair, License Committee
> Open Source Initiative
>
> On 12/10/20 10:39 PM, Roland Turner via License-review wrote:
>> Hi Wayne,
>>
>>> First, regarding rationale: Our company is in the business of 
>>> creating frameworks and software products which facilitate automated 
>>> contact tracing initiatives across the globe. These frameworks and 
>>> products must be GDPR- and HIPAA-compliant and have been designed to 
>>> be such, with strict, ongoing legal review processes undertaken to 
>>> ensure this. The frameworks and products that we create are designed 
>>> to be utilized by governmental agencies and private corporations in 
>>> the creation of applications and platforms which aid in the fight 
>>> against COVID-19 and future pandemic scenarios. In order for this to 
>>> be of benefit, the frameworks and software we develop must be open 
>>> source, so that the governmental agencies and private corporations 
>>> can be free to utilize them. Unfortunately, due to the legal 
>>> compliance issues vis-a-vis GDPR and HIPAA, a level of control 
>>> regarding development must be maintained. It is our position that 
>>> the GNU and other OSI-approved licenses do not provide this level of 
>>> control.
>>
>> Others are addressing the appearance of a profound incompatibility 
>> between what you're proposing ("free to utilise" vs. "level of 
>> control [by Viratrace]") and the Open Source Definition.
>>
>> I'm interested in the concept of software license terms as an element 
>> of GDPR compliance. Can you explain how you see license terms being a 
>> relevant part of this? It is my understanding that data protection 
>> law in most jurisdictions is about the legal obligations of 
>> organisations in control of personal data both with respect to that 
>> data and to people that it relates to (and often to regulators), and 
>> legal/contractual obligations of other organisations processing that 
>> data on their behalf; software licensors are not part of the picture. 
>> As neither Viratrace nor likely licensees would be looking to 
>> establish a controller/processor relationship[1] through the license, 
>> the relevance is not immediately clear to me.
>>
>> (For a sense of where I'm coming from:
>>
>>   * Although this is my first ever post to license-review, I've been
>>     involved in open-source license advocacy for rather a long time.
>>     It was I who initially proposed late last century (!) a
>>     multi-license approach for Mozilla.
>>   * I serve as Chief Privacy Officer for my employer — a specialist
>>     processor of personal data — and in that capacity have assisted
>>     customers with data protection obligations across a dozen
>>     jurisdictions on four continents.
>>   * Although the specific concerns of Free Software are largely out
>>     of scope here, I am an advocate of the approach and have spoken
>>     in public about the overlapping objectives of Software Freedom
>>     and of GDPR data subject rights.
>>   * I am tangentially involved in Singapore's TraceTogether program
>>     as an independent expert, both on the technology and on personal
>>     data protection.
>>   * I am working on a design for a system to extend TraceTogether
>>     which coincidentally also uses secure enclaves, although for a
>>     much simpler purpose than the one that you appear to be pursuing.)
>>
>>
>> - Roland
>>
>>
>> 1: nor the analogous relationships in other jurisdictions
>>
>>
>>
>> _______________________________________________
>> The opinions expressed in this email are those of the sender and not necessarily those of the Open Source Initiative. Communication from the Open Source Initiative will be sent from an opensource.org email address.
>>
>> License-review mailing list
>> License-review at lists.opensource.org
>> http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org
> -- 
> Pamela S. Chestek
> Chair, License Committee
> Open Source Initiative

