Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting
Issue #1068 resolved
As I have stated in the call of March 14, 2019, a technical document should not give any legal advice. To fulfill it, following ISO drafting rules (ISO Directive Part 2 and Global Relevance) is a good idea as they are carefully constructed so that we do not get into those issues.
Also, by following these, there is an additional benefit of it becoming easier to get the eye-balls of relevant people during the public review.
Nat will review the document in this regard in the future.
Nat will start in April.
Just reviewed it. Mostly OK.
One sentence may be viewed as problematic.
OP and RP MUST establish a legal basis before exchanging any personally identifiable information.
It is basically saying that you MUST obey the law, which is obvious and should not be stated, especially like this, because “you must obey the law” is always true. The following rewording may work:
OP and RP MUST communicate the established lawful basis to the Data Subject before transferring any PII.
In the following sentence, the phrase “in the course of OpenID process” appears.
It can be established upfront or in the course of the OpenID process.
Since these words are used to refer to the IPR regime in the OpenID Foundation, I would avoid them and say “dynamically during the OpenID authorization request and response.”
I think the language used is derived from GDPR, meaning in practice that OP and RP must establish the legal basis for the data request (most likely data subject consent, but other causes are possible).
So what about this?
OP and RP MUST record the established lawful basis.
If there is any prospect of making it accessible to the PII principal by some kind of protocol, e.g., machine-readable form of ISO/IEC 29184 Privacy notice, then, having “MUST” here makes sense.
Please don’t use RFC2119 language, this is not a protocol issue.
I'm in favor of removing both sentences in the next revision.
Remove the paragraph in Section 9 as discussed in the call today.
See PR #30.
Resolved by PR #30.