

Re: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity


  • From: Brian Behlendorf
  • To: M a r y H o d d e r
  • Cc: 'ProjectVRM list'
  • Subject: Re: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity
  • Date: Tue, 6 Oct 2015 12:39:52 -0700 (PDT)


OK, that makes sense.

If I'm a professional photographer, and I've paid you for your consent to use my photo of you in the portfolio I show to prospective clients, should you be able to revoke that consent? Would you have to refund the money?

Why is this different in a scenario where I've "paid" you with free content?

I'm all for willing participants entering into a contract that stipulates such things, perhaps with things like monetary penalties for breach so that there's real teeth. I'm absolutely opposed to it being impossible legally for someone to give irrevocable consent despite their wishes. We've got to get out of the frame of just "Facebook profiles" and think about all the other kinds of information sharing going on.

Brian


On Tue, 6 Oct 2015, M a r y H o d d e r wrote:
Hi Brian,
I'm using "revoke" in this sense:

re·voke
rəˈvōk/
verb
1. put an end to the validity or operation of (a decree, decision, or promise).
"the men appealed and the sentence was revoked"
synonyms: cancel, repeal, rescind, reverse, annul, nullify, void, invalidate, countermand, retract, withdraw, overrule, override

Basically what I'm meaning is rescinding consent. I.e., no more consent going forward to use my data. Still may be in the database, but going forward, no use.

So.. how that happens technically, is another issue.. but the idea is that from today forward, I should be able to revoke, cancel, rescind, nullify consent to my participation and use of my data.

Taking back data from the past may or may not be possible depending on context. Maybe I can take a copy of my data, and after some time, my data is mostly or all expunged from the system where I canceled my consent to participate or allow use.

Does that make sense?

Example:
In the past, I gave consent.
Today, in the present I cancel, revoke, and it depends on the context and system rules about what that means, as well as policy regimes, etc.
In the future, my consent is no longer there.. and that means going forward my data shouldn't be used for new business by the company.

BTW, Facebook does allow you to quit, but they keep your data "in case you go back" and there are people (kids?) who do this daily.. "Deleting" their account and then reinstating it after some hour when an adult won't be looking. That isn't revoking consent, but it's revoking the ability of FB to show the account to friends, public, etc. So in some sense, there is a canceling of others seeing or FB displaying your info. So that is a revocation of display and interaction which means partially there is revocation.

So companies now are allowing subtly different versions of revocation. And that's kind of what I'm saying about this.. there is the practical and then there is the policy or legal regime.

mary


On Oct 6, 2015, at 11:17 AM, Brian Behlendorf wrote:


On Tue, 6 Oct 2015, M a r y H o d d e r wrote:
Withdrawing consent is an important right, whether a "human right" or not as classified in legal regimes. However, it's more subtle than just yes or no, you have it or you don't. Basically, you ought to be able to revoke consent going forward, but not backward, and if you shared data, it's possible there is a mechanism or right to remove data and actions with it. But those are the messy details and time, past, present, future changes the right or ability to revoke.


I am not sure what's meant by "revoking going forward and not backwards".
"Revoking" as a word applies to reversing something that has happened in the past.

It seems like we can have it one of two ways, but not both.  Either

#1) I should be able to grant to you or anyone else an irrevocable right to my data / software / IP / etc (I'm not compelled to, but I can choose to)

or

#2) I have the right to claw back any data / software / IP I have ever granted to you or anyone else, no matter what the terms were on the initial exchange.


If we have #2, then we can not have Open Source software as we know it today, where every user has the freedom to modify and copy software without ever having to worry about the original authors revoking their rights to do that.  It would be very bad for Open Source if that were possible - imagine Oracle clawing back all rights to all the open source code Sun ever released, or a disgruntled individual open source developer who released fabulous code embedded everywhere decided it was time to start asking for a tithe.

If we have #1, then we get Open Source, but then we also get corporations like Facebook asking for and receiving consent from end-users to do whatever they like with consumer data, irrevocably.  Consumers always have the freedom to not accept those terms.  Who are regulators to tell them they don't deserve that choice?

There are nuances and differentiations that one could construct delicate regulations around, but that kind of hair-splitting seems to frequently end up with lots of collateral damage, and lots of money spent on lobbyists and lawyers, which tends to not go well for individual citizens.

I feel the ghost of Crosbie haunting me as I type this.

If end-users of systems cannot revoke consent going forward, they have no ability (depending on the context) to take their business elsewhere in future, or at least have their information trapped depending. I do think choice and autonomy are key to human freedom even if it's not classified legally as a human right.


I love Google's Data Liberation Front and other network services that make it easy for me to get a copy of the data I contributed in some very usable form.  I think data and computational portability is a highly desirable state for any network service.  I don't see them as human rights though, or desirable to regulate/legislate - I think businesses that offer these extra services should be rewarded by the market.  This is simply not a safety or fair practices kind of issue - this is not like requiring food handlers to wash their hands after using the restroom.

Of course where companies are violating the terms under which the user consented to share their data, e.g. are sharing it with third parties even if in indirect ways, then there should be legal recourse, at least civil and I'd argue criminal as deceptive practices.  But contracts should be able to be entered into freely.

Brian



On Oct 6, 2015, at 9:45 AM, Brian Behlendorf wrote:



People who publish Open Source software give irrevocable consents all the time to share their IP - by necessity and without exception.  Where is an irrevocable consent defined as alienating a human right?


Brian



On Tue, 6 Oct 2015, Neiditz, Jon wrote:

You cannot give an irrevocable consent, because that would be attempting to alienate a “human right.”


Jon Neiditz

Kilpatrick Townsend & Stockton LLP

Suite 2800 | 1100 Peachtree Street NE | Atlanta, GA 30309-4528

office 404 815 6004 | cell 678-427-7809 | fax 770 234 6341




From: Mike O'Neill
Sent: Tuesday, October 06, 2015 11:21 AM
To: 'James Hazard'
Cc: Neiditz, Jon; 'WG UMA'; 'ProjectVRM list'
Subject: RE: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity


Correct. Consent must be “freely given, specific and informed”. Even if the basis is “legitimate interest” they still have the right to opt-out, by automated means (if that is still in the GDPR).


From: James Hazard
Sent: 06 October 2015 15:48
To: Mike O'Neill
Cc: Neiditz, Jon; WG UMA; ProjectVRM list
Subject: Re: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity


So, roughly,


?/


"I consent to You taking the Specified Personal Information to the US.  You agree to: protect it, use it only for Specified Purposes, inform me of Leaks, and Destroy it when no longer needed for the Specified Purposes or I ask You to."


Can a person give non-revocable consent to use of data within EU?


/?






On Tue, Oct 6, 2015 at 4:21 PM, Mike O'Neill wrote:


    Consent must be “freely given”, so IMO it follows that it must be revocable (with a “sunset”). Article 29 and many DPAs also have said that.






    From: James Hazard
    Sent: 06 October 2015 14:53
    To: Neiditz, Jon
    Cc: WG UMA; ProjectVRM list
    Subject: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity


    Do you mean that consent of the person permits transfer of data, but consent is necessarily revocable and data must be destroyed?


    On Oct 6, 2015 3:40 PM, "Neiditz, Jon" wrote:


          Why?


          The Advocate General's opinion and the Court's decision both turn on the inability of Safe Harbor to prevent surveillance.  NO permitted basis for data transfer prevents surveillance, not Model Clauses, not Binding Corporate Rules (BCRs).  Logically, if probably not in immediate corporate and EU national practice, the only bulletproof basis for data transfer to the US is now the ever-so-revocable CONSENT, which presumes no fictitious protection from surveillance.


          See also: https://www.linkedin.com/pulse/good-morning-safe-harbor-dead-what-does-mean-now-later-jon-neiditz?trk=prof-post


          Your thoughts?


          Jon Neiditz

          Kilpatrick Townsend & Stockton LLP

          Suite 2800 | 1100 Peachtree Street NE | Atlanta, GA 30309-4528

          office 404 815 6004  | cell 678-427-7809 | fax 770 234 6341

          www.kilpatricktownsend.com




--

@commonaccord





