[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

[Pamela Chestek]

Van,

Someone posted this on Twitter: "Scenario: Company X claims they are the 
Recipient, demands from Licensee the User Data associated with a list of 
employee names or IP addresses. Licensee incentivized to hand over the 
User Data to Company X: why risk going to court and end up not being the 
prevailing party?"

My response was "Company X has to have possessory interest in User Data. 
Interesting potential conflict with privacy laws though."

Can you elaborate on what happens if the CAL and privacy laws, or even 
just privacy interests, conflict? Say an employer that self-insures 
provided identity data about its employee to its claims management 
company. The claims management company processes health care claims for 
its employees. The employer claims that information about the employees' 
health care claims is Recipient Data and it is entitled to it (after 
all, it is paying out on the claims).

1. Who decides, and how, whether information is Recipient Data?

2. What if HIPAA says that the employer may not have health care 
information about its employees? But the CAL says they must provide it?


Pam


Pamela S. Chestek
Chestek Legal
PO Box 2492
Raleigh, NC 27602
pamela at chesteklegal.com
919-800-8033
www.chesteklegal.com