[License-review] GDPR compliance through software license terms? (Re: Approval Request - ViraTrace Public Source License 1.0)

Roland Turner roland at rolandturner.com
Fri Dec 11 03:39:10 UTC 2020

Hi Wayne,

> First, regarding rationale: Our company is in the business of creating 
> frameworks and software products which facilitate automated contact 
> tracing initiatives across the globe. These frameworks and products 
> must be GDPR- and HIPPA-compliant and have been designed to be such, 
> with strict, ongoing legal review processes undertaken to ensure this. 
> The frameworks and products that we create are designed to be utilized 
> by governmental agencies and private corporations in the creation of 
> applications and platforms which aid in the fight against COVID-19 and 
> future pandemic scenarios. In order for this to be of benefit, the 
> frameworks and software we develop must be open source, so that the 
> governmental agencies and private corporations can be free to utilize 
> them. Unfortunately, due to the legal compliance issues vis-a-vis GDPR 
> and HIPPA, a level of control regarding development must be 
> maintained. It is our position that the GNU and other OSI-approved 
> licenses do not provide this level of control.

Others are addressing the appearance of a profound incompatibility 
between what you're proposing ("free to utilise" vs. "level of control 
[by Viratrace]") and the Open Source Definition.

I'm interested in the concept of software license terms as an element of 
GDPR compliance. Can you explain how you see license terms being a 
relevant part of this? It is my understanding that data protection law 
in most jurisdictions is about the legal obligations of organisations in 
control of personal data both with respect to that data and to people 
that it relates to (and often to regulators), and legal/contractual 
obligations of other organisations processing that data on their behalf; 
software licensors are not part of the picture. As neither Viratrace nor 
likely licensees would be looking to establish a controller/processor 
relationship[1] through the license, the relevance is not immediately 
clear to me.

(For a sense of where I'm coming from:

  * Although this is my first ever post to license-review, I've been
    involved in open-source license advocacy for rather a long time. It
    was I who initially proposed late last century (!) a multi-license
    approach for Mozilla.
  * I serve as Chief Privacy Officer for my employer — a specialist
    processor of personal data — and in that capacity have assisted
    customers with data protection obligations across a dozen
    jurisdictions on four continents.
  * Although the specific concerns of Free Software are largely out of
    scope here, I am an advocate of the approach and have spoken in
    public about the overlapping objectives of Software Freedom and of
    GDPR data subject rights.
  * I am tangentially involved in Singapore's TraceTogether program as
    an independent expert, both on the technology and on personal data
  * I am working on a design for a system to extend TraceTogether which
    coincidentally also uses secure enclaves, although for a much
    simpler purpose that the one that you appear to be pursuing.)

- Roland

1: nor the analogous relationships in other jurisdictions

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20201211/01b774a1/attachment.html>

More information about the License-review mailing list