[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Josh Berkus josh at berkus.org
Tue Dec 24 19:49:06 UTC 2019


On 12/24/19 6:20 AM, Pamela Chestek wrote:
> Can you elaborate on what happens if the CAL and privacy laws, or even
> just privacy interests, conflict? Say an employer that self-insures
> provided identity data about its employee to its claims management
> company. The claims management company processes health care claims for
> its employees. The employer claims that information about the employees'
> health care claims is Recipient Data and it is entitled to it (after
> all, it is paying out on the claims).

Well, GDPR is all about user ownership of data, so I don't really see
this as a problem with privacy laws (I can get a GDPR expert to opine on
this if you want).

However, you are getting into the issues around "who is the owner of the
data", which will definitely be an issue with CAL-licensed applications.
 The employees would regard themselves to be owners of their healthcare
data, whereas the company (the one paying for the software) regards
*itself* as the owner.  But ... this is honestly not a question for a
license to answer.  Sometimes, one still needs litigation attorneys ;-)

(BTW, this health claims example isn't a great example, because as I
read it that's not the kind of data that would be covered by the CAL,
since that's "content" data as opposed to data required for the software
to operate.  However, I can can personally come up with examples where
PII would be covered by the CAL, so it's a legit question)

Fundamentally, though, that's no different from "who is the author of
the code" in older licenses; the same sorts of issues apply, and
likewise can only be determined in court.


-- 
Josh Berkus



More information about the License-review mailing list