
* Heather Flanagan hlf@sphericalcowconsulting.com [2019-04-04 16:40]:
That said, they were only willing to endorse version 1, as version 2 is still considered a draft. Version 1 does not apply to Service Providers outside the EU, and does not cover GDPR, but the principles of data minimization, etc, are important in and of themselves to endorse in any federated service.
FWIW: It is my understanding that v2 is done for all matters and intents with only the question of the "monitoring body" being open.
Of course it will then be presented to the European Data Protection Authority and may require further changes before it might be approved. (v1 is only "done" and stable because it will never again be presented to anyone for approval since it does not represent the state of the law nor of our work in this area.)
So technically you're right that v2 is not published/final/"done". *But* v1 was never approved by the authorities either, because at the time we were submitting it it was already clear that the Data Protection Directive (aka 95/46/EC) would be replaced "soon" and so no decisions were being made by the authorities under the "old" rules (and no decisions under the "new" rules could be made by those authorities since those new rules did not exist back then).
Both are equally not legally valid approved Codes of Conduct today. But v2 may be in the future and is based on the current legal regime and community inputs. Whereas v1 will never be and is based on an obsolete, irrelevant legal regime. I know which version I'd choose to endorse today (a hint: something that's not already irrelevant) but RA21's opinion differed, obviously.
Your argument that the data protection principles in v1 are still solid could also be used to endorse v2 today as its data protection principles and formulations are at least as solid and more fleshed out than v1's, and v2 also provides more practical guidance for implementers, to name just one improvement requested by the "then" authorities.
-peter