Re: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity

[Brian Behlendorf < >]

On Tue, 6 Oct 2015, M a r y H o d d e r wrote:
> Withdrawing consent is an important right, whether a "human right" or 
> not as classified in legal regimes. However, it's more subtle than just 
> yes or no, you have it or you don't. Basically, you ought to be able to 
> revoke consent going forward, but not backward, and if you shared data, 
> it's possible there is a mechanism or right to remove data and actions 
> with it. But those are the messy details and time, past, present, future 
> changes the right or ability to revoke.

I am not sure what's meant by "revoking going forward and not backwards". 
"Revoking" as a word applies to reversing something that has happened in 
the past.

It seems like we can have it one of two ways, but not both.  Either

#1) I should be able to grant to you or anyone else an irrevocable right 
to my data / software / IP / etc (I'm not compelled to, but I can choose 
to)

or

#2) I have the right to claw back any data / software / IP I have ever 
granted to you or anyone else, no matter what the terms were on the 
initial exchange.


If we have #2, then we can not have Open Source software as we know it 
today, where every user has the freedom to modify and copy software 
without ever having to worry about the original authors revoking their 
rights to do that.  It would be very bad for Open Source if that were 
possible - imagine Oracle clawing back all rights to all the open source 
code Sun ever released, or a disgruntled individual open source developer 
who released fabulous code embedded everywhere decided it was time to 
start asking for a tithe.

If we have #1, then we get Open Source, but then we also get corporations 
like Facebook asking for and receiving consent from end-users to do 
whatever they like with consumer data, irrevocably.  Consumers always have 
the freedom to not accept those terms.  Who are regulators to tell them 
they don't deserve that choice?

There are nuances and differentiations that one could construct delicate 
regulations around, but that kind of hair-splitting seems to frequently 
end up with lots of collateral damage, and lots of money spent on 
lobbyists and lawyers, which tends to not go well for individual citizens.

I feel the ghost of Crosbie haunting me as I type this.

> If end-users of systems cannot revoke consent going forward, they have 
> no ability (depending on the context) to take their business elsewhere 
> in future, or at least have their information trapped depending. I do 
> think choice and autonomy are key to human freedom even if it's not 
> classified legally as a human right.

I love Google's Data Liberation Front and other network services that make 
it easy for me to get a copy of the data I contributed in some very usable 
form.  I think data and computational portability is a highly desireable 
state for any network service.  I don't see them as human rights though, 
or desireable to regulate/legislate - I think businesses that offer these 
extra services should be rewarded by the market.  This is simply not a 
safety or fair practices kind of issue - this is not like requiring food 
handlers to wash their hands after using the restroom.

Of course where companies are violating the terms under which the user 
consented to share their data, e.g. are sharing it with third parties even 
if in indirect ways, then there should be legal recourse, at least civil 
and I'd argue criminal as deceptive practices.  But contracts should be 
able to be entered into freely.

Brian

> On Oct 6, 2015, at 9:45 AM, Brian Behlendorf wrote:
>
> > People who publish Open Source software give irrevocable consents all the 
> > time to share their IP - by necessity and without exception.  Where is an 
> > irrevocable consent defined as alienating a human right?
> >
> > Brian
> >
> >
> > On Tue, 6 Oct 2015, Neiditz, Jon wrote:
> > > You cannot give an irrevocable consent, because that would be attempting to 
> > > alienate a “human right.”
> > >
> > > Jon Neiditz
> > > Kilpatrick Townsend & Stockton LLP
> > > Suite 2800 | 1100 Peachtree Street NE | Atlanta, GA 30309-4528
> > > office 404 815 6004 | cell 678-427-7809 | fax 770 234 6341
> > >
> > >  
> > >  | My Profile | vCard
> > > [IMAGE]    [IMAGE]
> > > From: Mike O'Neill 
> > > [mailto:
> > >  ]
> > > Sent: Tuesday, October 06, 2015 11:21 AM
> > > To: 'James Hazard'
> > > Cc: Neiditz, Jon; 'WG UMA'; 'ProjectVRM list'
> > > Subject: RE: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the 
> > > Ultimate VRM and UMA Legal Opportunity
> > >
> > > Correct. Consent must be “freely given, specific and informed”. Even if the 
> > > basis is “legitimate interest” they still have the right to opt-out, by 
> > > automated means (if that is still in
> > > the GDPR).
> > >
> > > From: James Hazard 
> > > [mailto:
> > >  ]
> > > Sent: 06 October 2015 15:48
> > > To: Mike O'Neill 
> > > <
> > >  >
> > > Cc: Neiditz, Jon 
> > > <
> > >  >;
> > >  WG UMA 
> > > <
> > >  >;
> > >  ProjectVRM list 
> > > <
> > >  >
> > > Subject: Re: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the 
> > > Ultimate VRM and UMA Legal Opportunity
> > >
> > > So, roughly,
> > >
> > > ?/
> > >
> > > "I consent to You taking the Specified Personal Information to the US.  You 
> > > agree to: protect it, use it only for Specified Purposes, inform me of Leaks, and 
> > > Destroy it when no longer
> > > needed for the Specified Purposes or I ask You to."
> > >
> > >
> > > Can a person give non-revocable consent to use of data within EU?
> > >
> > > /?
> > >
> > >
> > >
> > >
> > >
> > > On Tue, Oct 6, 2015 at 4:21 PM, Mike O'Neill 
> > > <
> > >  >
> > >  wrote:
> > >
> > >      Consent must be “freely given”, so IMO it follows that it must be 
> > > revocable (with a “sunset”). Article 29 and many DPAs also have said that.
> > >
> > >
> > >
> > >
> > >
> > >      From: James Hazard 
> > > [mailto:
> > >  ]
> > >      Sent: 06 October 2015 14:53
> > >      To: Neiditz, Jon 
> > > <
> > >  >
> > >      Cc: WG UMA 
> > > <
> > >  >;
> > >  ProjectVRM list 
> > > <
> > >  >
> > >      Subject: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the 
> > > Ultimate VRM and UMA Legal Opportunity
> > >
> > >
> > >
> > >      Do you mean that consent of the person permits transfer of data, but 
> > > consent is necessarily revocable and data must be destroyed?
> > >
> > >      On Oct 6, 2015 3:40 PM, "Neiditz, Jon" 
> > > <
> > >  >
> > >  wrote:
> > >
> > >            Why?
> > >
> > >            The Advocate General's opinion and the Court's decision both turn 
> > > on the inability of Safe Harbor to prevent surveillance.  NO permitted basis 
> > > for data transfer
> > >            prevents surveillance, not Model Clauses, not Binding Corporate 
> > > Rules (BCRs).  Logically, if probably not in immediate corporate and EU 
> > > national practice, the
> > >            only bulletproof basis for data transfer to the US is now the 
> > > ever-so-revocable CONSENT, which presumes no fictitious protection from 
> > > surveillance.
> > >
> > >            See also:  
> > > https://www.linkedin.com/pulse/good-morning-safe-harbor-dead-what-does-mean-now-later-jon-neiditz?trk=prof-post
> > >
> > >            Your thoughts?
> > >
> > >            Jon Neiditz
> > >            Kilpatrick Townsend & Stockton LLP
> > >            Suite 2800 | 1100 Peachtree Street NE | Atlanta, GA 30309-4528
> > >            office 404 815 6004  | cell 678-427-7809 | fax 770 234 6341
> > >            
> > >
> > >  
> > >  | www.kilpatricktownsend.com
> > >
> > >            ________________________________
> > >
> > >            Confidentiality Notice:
> > >            This communication constitutes an electronic communication within 
> > > the meaning of the Electronic Communications Privacy Act, 18 U.S.C. Section 
> > > 2510, and its
> > >            disclosure is strictly limited to the recipient intended by the 
> > > sender of this message. This transmission, and any attachments, may contain 
> > > confidential
> > >            attorney-client privileged information and attorney work product. 
> > > If you are not the intended recipient, any disclosure, copying, distribution 
> > > or use of any of
> > >            the information contained in or attached to this transmission is 
> > > STRICTLY PROHIBITED. Please contact us immediately by return e-mail or at 404 
> > > 815 6500, and
> > >            destroy the original transmission and its attachments without 
> > > reading or saving in any manner.
> > >
> > >            ________________________________
> > >
> > >            ***DISCLAIMER*** Per Treasury Department Circular 230: Any U.S. 
> > > federal tax advice contained in this communication (including any 
> > > attachments) is not intended
> > >            or written to be used, and cannot be used, for the purpose of (i) 
> > > avoiding penalties under the Internal Revenue Code or (ii) promoting, 
> > > marketing or
> > >            recommending to another party any transaction or matter addressed 
> > > herein.
> > >            _______________________________________________
> > >            WG-UMA mailing list
> > >            
> > >
> > >  
> > >            http://kantarainitiative.org/mailman/listinfo/wg-uma
> > >
> > > --
> > > @commonaccord