Text archives Help


Re: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity


Chronological Thread 
  • From: M a r y H o d d e r < >
  • To: Brian Behlendorf < >
  • Cc: 'ProjectVRM list' < >
  • Subject: Re: [projectvrm] Re: [WG-UMA] The Death of Safe Harbor is the Ultimate VRM and UMA Legal Opportunity
  • Date: Tue, 6 Oct 2015 14:25:00 -0700
Hi..

So the copyright example is excellent, because you can revoke copyright going
forward but the details depend on context and systemic decisions.

For example, if your photo is at Getty, and you sell it to me through them
for say: website use at a certain date, I can continue to use it for that
use. But if I change things dramatically, going forward, I do have to stop --
and I probably want to keep my receipt to prove the date I was given
permission to use.

However, If it's a flickr photo, and an owner revokes a Creative Common's
term (within their overall choices) or moves to full copyright, again, the
date that I used the photo under the proper license matters.

In both instances, the licensed use for the photo going forward is changed
but any old use is honored, within the license terms and system requirements.
However, If i purchased a Getty use for digital, and then decided to print, I
would have to re-buy in some instances, or stop, depending on what the owner
has set at the time of new use.

The reason it's different for copyright isn't about payment, but because we
have a legal regime around copyright and it works this way.

However, for personal data, there is the technical possibility of removing a
user's data, after revocation. Dabble, my old company, was coded that way. We
had about 50 people over 4 years ask to remove account and data, and we could
do it immediately.

But that's a technical issue right now in the US and not something coded in
the law or policy and up to coders and their TOUs.

mary


On Oct 6, 2015, at 12:39 PM, Brian Behlendorf wrote:

>
> OK, that makes sense.
>
> If I'm a professional photographer, and I've paid you for your consent to
> use my photo of you in the portfolio I show to prospective clients, should
> you be able to revoke that consent? Would you have to refund the money?
>
> Why is this different in a scenario where I've "paid" you with free content?
>
> I'm all for willing participants entering into a contract that stipulates
> such things, perhaps with things like monetary penalties for breach so that
> there's real teeth. I'm absolutely opposed to it being impossible legally
> for someone to give irrevocable consent despite their wishes. We've got to
> get out of the frame of just "Facebook profiles" and think about all the
> other kinds of information sharing going on.
>
> Brian
>
>
> On Tue, 6 Oct 2015, M a r y H o d d e r wrote:
>> HI Brian,
>> I'm using "revoke" in this sense"
>> re·voke
>> rəˈvōk/
>> verb
>> 1. 1.
>> put an end to the validity or operation of (a decree, decision, or
>> promise).
>> "the men appealed and the sentence was revoked"
>> synonyms:
>> cancel, repeal, rescind, reverse, annul, nullify, void,
>> invalidate,countermand, retract, withdraw, overrule, override; More
>> Basically what I'm meaning is rescinding consent. IE no more consent going
>> forward to use my data. Still may be in the data base, but going forward,
>> no use.
>> So.. how that happens technically, is another issue.. but the idea is that
>> from today forward, I should be able to revoke, cancel, rescind, nullify
>> consent to my participation and use
>> of my data.
>> Taking back data from the past may or may not be possible depending on
>> context. Maybe I can take a copy of my data, and after some time, my data
>> is mostly or all expunged from the
>> system where I canceled my consent to participate or allow use.
>> Does that make sense?
>> Example:
>> In the past, I gave consent.
>> Today, in the present I cancel, revoke, and it depends on the context and
>> system rules about what that means, as well as policy regimes, etc.
>> In the future, my consent is no longer there.. and that means going
>> forward my data shouldn't be used for new business by the company.
>> BTW, Facebook does allow you to quit, but they keep your data "in case you
>> go back" and there are people (kids?) who do this daily.. "Deleting" their
>> account and then reinstating it
>> after some hour when an adult won't be looking. That isn't revoking
>> consent, but it's revoking the ability of FB to show the account to
>> friends, public, etc. So in some sense, there is
>> a canceling of others seeing or FB displaying your info. So that is a
>> revocation of display and interaction which means partially there is
>> revocation.
>> So companies now are allowing subtly different versions of revocation. And
>> that's kind of what I'm saying about this.. there is the practical and
>> then there is the policy or legal
>> regime.
>> mary
>> On Oct 6, 2015, at 11:17 AM, Brian Behlendorf wrote:
>>
>> On Tue, 6 Oct 2015, M a r y H o d d e r wrote:
>> Withdrawing consent is an important right, whether a "human
>> right" or not as classified in legal regimes. However, it's more subtle
>> than just yes or no, you
>> have it or you don't. Basically, you ought to be able to revoke
>> consent going forward, but not backward, and if you shared data, it's
>> possible there is a
>> mechanism or right to remove data and actions with it. But
>> those are the messy details and time, past, present, future changes the
>> right or ability to revoke.
>>
>> I am not sure what's meant by "revoking going forward and not
>> backwards". "Revoking" as a word applies to reversing something that has
>> happened in the past.
>>
>> It seems like we can have it one of two ways, but not both. Either
>>
>> #1) I should be able to grant to you or anyone else an irrevocable
>> right to my data / software / IP / etc (I'm not compelled to, but I can
>> choose to)
>>
>> or
>>
>> #2) I have the right to claw back any data / software / IP I have
>> ever granted to you or anyone else, no matter what the terms were on the
>> initial exchange.
>>
>> If we have #2, then we can not have Open Source software as we know
>> it today, where every user has the freedom to modify and copy software
>> without ever having to worry
>> about the original authors revoking their rights to do that. It
>> would be very bad for Open Source if that were possible - imagine Oracle
>> clawing back all rights to all the
>> open source code Sun ever released, or a disgruntled individual open
>> source developer who released fabulous code embedded everywhere decided it
>> was time to start asking for
>> a tithe.
>>
>> If we have #1, then we get Open Source, but then we also get
>> corporations like Facebook asking for and receiving consent from end-users
>> to do whatever they like with
>> consumer data, irrevocably. Consumers always have the freedom to not
>> accept those terms. Who are regulators to tell them they don't deserve
>> that choice?
>>
>> There are nuances and differentiations that one could construct
>> delicate regulations around, but that kind of hair-splitting seems to
>> frequently end up with lots of
>> collateral damage, and lots of money spent on lobbyists and lawyers,
>> which tends to not go well for individual citizens.
>>
>> I feel the ghost of Crosbie haunting me as I type this.
>>
>> If end-users of systems cannot revoke consent going forward,
>> they have no ability (depending on the context) to take their business
>> elsewhere in future, or at
>> least have their information trapped depending. I do think
>> choice and autonomy are key to human freedom even if it's not classified
>> legally as a human right.
>>
>> I love Google's Data Liberation Front and other network services that
>> make it easy for me to get a copy of the data I contributed in some very
>> usable form. I think data
>> and computational portability is a highly desireable state for any
>> network service. I don't see them as human rights though, or desireable
>> to regulate/legislate - I think
>> businesses that offer these extra services should be rewarded by the
>> market. This is simply not a safety or fair practices kind of issue -
>> this is not like requiring food
>> handlers to wash their hands after using the restroom.
>>
>> Of course where companies are violating the terms under which the
>> user consented to share their data, e.g. are sharing it with third parties
>> even if in indirect ways, then
>> there should be legal recourse, at least civil and I'd argue criminal
>> as deceptive practices. But contracts should be able to be entered into
>> freely.
>>
>> Brian
>>
>> On Oct 6, 2015, at 9:45 AM, Brian Behlendorf wrote:
>>
>> People who publish Open Source software give irrevocable
>> consents all the time to share their IP - by necessity and without
>> exception. Where is an
>> irrevocable consent defined as alienating a human right?
>>
>> Brian
>>
>> On Tue, 6 Oct 2015, Neiditz, Jon wrote:
>>
>> You cannot give an irrevocable consent, because
>> that would be attempting to alienate a “human right.”
>>
>> Jon Neiditz
>>
>> Kilpatrick Townsend & Stockton LLP
>>
>> Suite 2800 | 1100 Peachtree Street NE | Atlanta, GA
>> 30309-4528
>>
>> office 404 815 6004 | cell 678-427-7809 | fax 770
>> 234 6341
>>
>>
>>
>> | My Profile | vCard
>>
>> [IMAGE] [IMAGE]
>>
>> From: Mike O'Neill
>> [mailto: ]
>>
>> Sent: Tuesday, October 06, 2015 11:21 AM
>>
>> To: 'James Hazard'
>>
>> Cc: Neiditz, Jon; 'WG UMA'; 'ProjectVRM list'
>>
>> Subject: RE: [projectvrm] Re: [WG-UMA] The Death of
>> Safe Harbor is the Ultimate VRM and UMA Legal Opportunity
>>
>> Correct. Consent must be “freely given, specific
>> and informed”. Even if the basis is “legitimate interest” they still have
>> the right to
>> opt-out, by automated means (if that is still in
>>
>> the GDPR).
>>
>> From: James Hazard
>> [mailto: ]
>>
>> Sent: 06 October 2015 15:48
>>
>> To: Mike O'Neill
>> < >
>>
>> Cc: Neiditz, Jon
>> < >;
>> WG UMA
>> < >;
>> ProjectVRM list
>>
>> < >
>>
>> Subject: Re: [projectvrm] Re: [WG-UMA] The Death of
>> Safe Harbor is the Ultimate VRM and UMA Legal Opportunity
>>
>> So, roughly,
>>
>> ?/
>>
>> "I consent to You taking the Specified Personal
>> Information to the US. You agree to: protect it, use it only for
>> Specified Purposes,
>> inform me of Leaks, and Destroy it when no longer
>>
>> needed for the Specified Purposes or I ask You to."
>>
>> Can a person give non-revocable consent to use of
>> data within EU?
>>
>> /?
>>
>> On Tue, Oct 6, 2015 at 4:21 PM, Mike O'Neill
>> < >
>> wrote:
>>
>> Consent must be “freely given”, so IMO it
>> follows that it must be revocable (with a “sunset”). Article 29 and many
>> DPAs also have
>> said that.
>>
>> From: James Hazard
>> [mailto: ]
>>
>> Sent: 06 October 2015 14:53
>>
>> To: Neiditz, Jon
>> < >
>>
>> Cc: WG UMA
>> < >;
>> ProjectVRM list
>> < >
>>
>> Subject: [projectvrm] Re: [WG-UMA] The Death of
>> Safe Harbor is the Ultimate VRM and UMA Legal Opportunity
>>
>> Do you mean that consent of the person permits
>> transfer of data, but consent is necessarily revocable and data must be
>> destroyed?
>>
>> On Oct 6, 2015 3:40 PM, "Neiditz, Jon"
>> < >
>> wrote:
>>
>> Why?
>>
>> The Advocate General's opinion and the
>> Court's decision both turn on the inability of Safe Harbor to prevent
>> surveillance. NO
>> permitted basis for data transfer
>>
>> prevents surveillance, not Model Clauses,
>> not Binding Corporate Rules (BCRs). Logically, if probably not in
>> immediate
>> corporate and EU national practice, the
>>
>> only bulletproof basis for data transfer
>> to the US is now the ever-so-revocable CONSENT, which presumes no
>> fictitious
>> protection from surveillance.
>>
>> See also:
>> https://www.linkedin.com/pulse/good-morning-safe-harbor-dead-what-does-mean-now-later-jon-neiditz?trk=prof-post
>>
>> Your thoughts?
>>
>> Jon Neiditz
>>
>> Kilpatrick Townsend & Stockton LLP
>>
>> Suite 2800 | 1100 Peachtree Street NE |
>> Atlanta, GA 30309-4528
>>
>> office 404 815 6004 | cell 678-427-7809
>> | fax 770 234 6341
>>
>>
>>
>> | www.kilpatricktownsend.com
>>
>> ________________________________
>>
>> Confidentiality Notice:
>>
>> This communication constitutes an
>> electronic communication within the meaning of the Electronic
>> Communications Privacy Act, 18
>> U.S.C. Section 2510, and its
>>
>> disclosure is strictly limited to the
>> recipient intended by the sender of this message. This transmission, and
>> any
>> attachments, may contain confidential
>>
>> attorney-client privileged information
>> and attorney work product. If you are not the intended recipient, any
>> disclosure,
>> copying, distribution or use of any of
>>
>> the information contained in or attached
>> to this transmission is STRICTLY PROHIBITED. Please contact us immediately
>> by return
>> e-mail or at 404 815 6500, and
>>
>> destroy the original transmission and its
>> attachments without reading or saving in any manner.
>>
>> ________________________________
>>
>> ***DISCLAIMER*** Per Treasury Department
>> Circular 230: Any U.S. federal tax advice contained in this communication
>> (including
>> any attachments) is not intended
>>
>> or written to be used, and cannot be
>> used, for the purpose of (i) avoiding penalties under the Internal Revenue
>> Code or (ii)
>> promoting, marketing or
>>
>> recommending to another party any
>> transaction or matter addressed herein.
>>
>>
>> _______________________________________________
>>
>> WG-UMA mailing list
>>
>>
>>
>>
>>
>> http://kantarainitiative.org/mailman/listinfo/wg-uma
>>
>> --
>>
>> @commonaccord


Archive powered by MHonArc 2.6.19.

§