Follow ISO rules (ISO Directive Part 2 and global relevance documents) on the drafting

Issue #1068 resolved
Nat Sakimura created an issue

As I have stated in the call of March 14, 2019, a technical document should not give any legal advice. To fulfill it, following ISO drafting rules (ISO Directive Part 2[1] and Global Relevance[2]) is a good idea as they are carefully constructed so that we do not get into those issues.

Also, by following these, there is an additional benefit of it becoming easier to get the eyeballs of relevant people during the public review.

Comments (19)

  1. Nat Sakimura reporter

    Just reviewed it. Mostly OK.

    One sentence may be viewed as problematic.

    OP and RP MUST establish a legal basis before exchanging any personally identifiable information.

    It is basically saying that you MUST obey the law, which is obvious and should not be stated especially like this, because “you must obey the law” is always true. The following rewording may work:

    OP and RP MUST communicate the established lawful basis to the Data Subject before transferring any PII.

    In the following sentence, the phrase “in the course of OpenID process” appears.

    It can be established upfront or in the course of the OpenID process.

    Since the words are used to refer to the IPR regime in OpenID Foundation, I would avoid it and say “dynamically during the OpenID authorization request and response.”

  2. Stephane Mouy

    I think the language used is derived from GDPR, meaning in practice that OP and RP must establish the legal basis for the data request (most likely data subject consent, but other causes are possible).

  3. Nat Sakimura reporter

    So what about this?

    OP and RP MUST record the established lawful basis

    If there is any prospect of making it accessible to the PII principal by some kind of protocol, e.g., machine-readable form of ISO/IEC 29184 Privacy notice, then, having “MUST” here makes sense.
