9. Privacy considerations - reference to legal basis (1st sentence)

Issue #1198 resolved
Stephane Mouy created an issue

The revised language is unclear: if the legal basis is to be established before any PII is exchanged, then what does ‘in the course of the OpenID process’ mean in practice? It also appears to imply that a contract must be put in place between the OP and the RP, which could in theory be a good thing; in practice, much less so, I fear.

More importantly, I suspect OPs are unlikely to give away customer PIIs ‘upon request’ without either a clear representation from the RP that the end-user’s consent has been obtained in accordance with applicable privacy rules, or the RP submitting verifiable consent evidence originating from the end-user; and my guess is that OPs will insist on the latter unless there is an established relationship between the OP and the RP. It goes back to the liability issue already discussed: why should they, when there are liability implications arising either from GDPR or, for financial institutions, from banking secrecy rules?

Comments (4)

  1. Torsten Lodderstedt

    As discussed in the call, I suggest adding a paragraph describing the pieces needed to really deploy an overall solution and clearly stating that it is out of scope.
