Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting
As I have stated in the call of March 14, 2019, a technical document should not give any legal advice. To fulfill it, following ISO drafting rules (ISO Directive Part 2[1] and Global Relevance[2]) is a good idea as they are carefully constructed so that we do not get into those issues.
Also, by following these, there is an additional benefit: it becomes easier to get the eyeballs of relevant people during the public review.
Comments (19)
reporter - changed title to Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting
-
assigned issue to
Nat will review the document in this regard in the future.
-
assigned issue to
reporter -
assigned issue to
-
assigned issue to
-
- changed milestone to Amendment
-
- changed status to open
-
- changed milestone to Implementers Draft 2
-
- changed milestone to Implementer's Draft 2
-
- removed milestone
-
Nat will start in April
-
reporter Just reviewed it. Mostly OK.
One sentence may be viewed as problematic.
OP and RP MUST establish a legal basis before exchanging any personally identifiable information.
It is basically saying that you MUST obey the law, which is obvious and should not be stated especially like this, because “you must obey the law” is always true. The following rewording may work:
OP and RP MUST communicate the established lawful basis to the Data Subject before transferring any PII.
In the following sentence, the phrase “in the course of OpenID process” appears.
It can be established upfront or in the course of the OpenID process.
Since the words are used to refer to the IPR regime in OpenID Foundation, I would avoid it and say “dynamically during the OpenID authorization request and response.”
-
I think the language used is derived from GDPR, meaning in practice that OP and RP must establish the legal basis for the data request (most likely data subject consent, but other causes are possible).
-
reporter So what about this?
OP and RP MUST record the established lawful basis
If there is any prospect of making it accessible to the PII principal by some kind of protocol, e.g., a machine-readable form of the ISO/IEC 29184 privacy notice, then having “MUST” here makes sense.
-
Please don’t use RFC 2119 language; this is not a protocol issue.
-
I’m in favor of removing both sentences in the next revision.
-
- changed milestone to Implementer's Draft 3
-
assigned issue to
Remove the paragraph in Section 9 as discussed in the call today.
-
assigned issue to
-
see PR #30
-
- changed status to resolved
resolved by PR 30