RA21's endorsement of the GEANT Data Protection Code of Conduct

Action item from today's call:
- Recent adoption of the GEANT Data Protection Code of Conduct by RA21. Heather: will send a note to the mailing list explaining what's happened within RA21 re: the GEANT DPCoCo.
Hello all,
We didn’t have time to cover this on the call today, so I promised to send out an email to let folks know what’s happened here.
Back at the end of January of this year, the RA21 Security and Privacy working group met to discuss whether they were willing to request that the RA21 initiative as a whole endorse the GEANT Data Protection Code of Conduct. Members of that group, which included publishers, librarians, and federated identity infrastructure people, agreed that the principles in the code of conduct were definitely worth endorsing. That said, they were only willing to endorse version 1, as version 2 is still considered a draft. Version 1 does not apply to Service Providers outside the EU, and does not cover GDPR, but the principles of data minimization, etc, are important in and of themselves to endorse in any federated service. The working group requested that any future work related to RA21 keep an eye on this space so that when version 2 of the code of conduct is finalized, whatever group is governing RA21 (or its successors) consider whether to endorse that future version.
I wrote up a blog post https://ra21.org/index.php/2019/02/28/ra21-adopts-refeds-data-protection-code-of-conduct/ on the RA21 website about this.
Please let me know if you have any questions! Heather

* Heather Flanagan hlf@sphericalcowconsulting.com [2019-04-04 16:40]:
> That said, they were only willing to endorse version 1, as version 2 is still considered a draft. Version 1 does not apply to Service Providers outside the EU, and does not cover GDPR, but the principles of data minimization, etc, are important in and of themselves to endorse in any federated service.
FWIW: It is my understanding that v2 is done for all matters and intents with only the question of the "monitoring body" being open.
Of course it will then be presented to the European Data Protection Authority and may require further changes before it might be approved. (v1 is only "done" and stable because it will never again be presented to anyone for approval since it does not represent the state of the law nor of our work in this area.)
So technically you're right that v2 is not published/final/"done". *But* v1 was never approved by the authorities either, because at the time we were submitting it, it was already clear that the Data Protection Directive (aka 95/46/EC) would be replaced "soon" and so no decisions were being made by the authorities under the "old" rules (and no decisions under the "new" rules could be made by those authorities since those new rules did not exist back then).
Both are equally not legally valid approved Codes of Conduct today. But v2 may be in the future and is based on the current legal regime and community inputs. Whereas v1 will never be and is based on an obsolete, irrelevant legal regime. I know which version I'd choose to endorse today (a hint: something that's not already irrelevant) but RA21's opinion differed, obviously.
Your argument that the data protection principles in v1 are still solid could also be used to endorse v2 today as its data protection principles and formulations are at least as solid and more fleshed out than v1's, and v2 also provides more practical guidance for implementers, to name just one improvement requested by the "then" authorities.
-peter

* Heather Flanagan hlf@sphericalcowconsulting.com [2019-04-04 16:40]:
> I wrote up a blog post https://ra21.org/index.php/2019/02/28/ra21-adopts-refeds-data-protection-code-of-conduct/ on the RA21 website about this.
Ignoring other nonsensical parts of that endorsement (about applying a document that specifically says it's only for EU/EEA "globally, regardless of the location") my issue with v1 vs. v2 is this:
"On 31 January 2019, the RA21 Security and Privacy Work Group voted to endorse the GEANT Data Protection Code of Conduct v1 (the current approved version)"
"Approved" by whom? Codes of conduct (in both the current and the previous European Data Protection regime) only become legal instruments if they are approved by the data protection authorities. And v1 was never approved as I explained in my previous post.
Now, other groups may have "approved" the v1 version but that just means "We agree that this is a good idea and we support that it may be submitted to the authorities in the hopes that it may be approved by them".
But claiming v1 to be an "approved Code of Conduct" (to raise it above a "draft" v2) is misrepresenting the status of v1 and ignoring all the work the community has put into creating an improved v2.
-peter

Hi Peter,
On Apr 4, 2019, at 9:24 AM, Peter Schober peter.schober@univie.ac.at wrote:
> * Heather Flanagan hlf@sphericalcowconsulting.com [2019-04-04 16:40]:
>> I wrote up a blog post https://ra21.org/index.php/2019/02/28/ra21-adopts-refeds-data-protection-code-of-conduct/ on the RA21 website about this.
> Ignoring other nonsensical parts of that endorsement (about applying a document that specifically says it's only for EU/EEA "globally, regardless of the location") my issue with v1 vs. v2 is this:
I disagree with your categorization that endorsing the principles of a document is nonsense.
>> On 31 January 2019, the RA21 Security and Privacy Work Group voted to endorse the GEANT Data Protection Code of Conduct v1 (the current approved version)
> "Approved" by whom? Codes of conduct (in both the current and the previous European Data Protection regime) only become legal instruments if they are approved by the data protection authorities. And v1 was never approved as I explained in my previous post.
The GEANT Data Protection Code of Conduct v1 was approved in June 2013 by the eduGAIN Technical Steering Group and announced as such on the REFEDS mailing list. Did that make it a legal document? No. But it set a solid marker on what consists of v1 versus future work.
> Now, other groups may have "approved" the v1 version but that just means "We agree that this is a good idea and we support that it may be submitted to the authorities in the hopes that it may be approved by them".
And given the work in the community of REFEDS and eduGAIN, I think this is sufficient for the sake of this particular document.
> But claiming v1 to be an "approved Code of Conduct" (to raise it above a "draft" v2) is misrepresenting the status of v1 and ignoring all the work the community has put into creating an improved v2.
Completely disagree. We did not misrepresent the status of v1, thus the emphasis on principles and not an assumption of legal language, and it did not ignore the work going into v2 as we explicitly said to watch for that to develop. Mikael Linden and Nicole Harris were on the RA21 S&P call to discuss this with the group; the decisions were not made without expert consultation.
-Heather

* Heather Flanagan hlf@sphericalcowconsulting.com [2019-04-04 18:40]:
>> Ignoring other nonsensical parts of that endorsement (about applying a document that specifically says it's only for EU/EEA "globally, regardless of the location") my issue with v1 vs. v2 is this:
> I disagree with your categorization that endorsing the principles of a document is nonsense.
The section I specifically referred to is this:
"[T]he RA21 Security and Privacy Work Group voted to endorse the GEANT Data Protection Code of Conduct v1 (the current approved version) and further stated that this should apply globally"
That does not say that you endorse /the principles/ of the v1 CoCo nor does it say that you encourage to apply /the principles/ of that document globally. It says you endorse the v1 coco (which is of course welcome, but misguided IMHO, but we can easily disagree on that) and it says -- and that's the main gripe I have -- that "this" (meaning the v1 CoCo) should be applied globally. Which I continue to claim is not possible and does therefore not make sense.
> The GEANT Data Protection Code of Conduct v1 was approved in June 2013 by the eduGAIN Technical Steering Group and announced as such on the REFEDS mailing list. Did that make it a legal document? No. But it set a solid marker on what consists of v1 versus future work.
Since even the term and document title "Code of conduct" (i.e., in the current context) comes directly from a legal document (the EU Data Protection Directive and now the Regulation) I read the term "approved" next to it with the same terminological meaning.
> We did not misrepresent the status of v1, thus the emphasis on principles and not an assumption of legal language
Well, it's only at the end of that news entry (from "While" to "today.") that principles and v1's obsolete status are mentioned, far from being "the emphasis".
And again if all you want are principles why not take them from v2? Those principles are not up for discussion nor change, whatever amendments the data protection authorities may demand for v2.
> Mikael Linden and Nicole Harris were on the RA21 S&P call to discuss this with the group; the decisions were not made without expert consultation.
While I'm surprised to hear that, maybe that just means I'm just a stickler for words (and others are not). ;)
As I said, I wouldn't have bothered to even comment if the text had said that the RA21 subgroup encouraged applying the principles of v1 (e.g. as highlighted in the "Key points" of the news entry) -- those are the principles of data protection as such! Hard not to agree with those principles (unless you're Facebook, I guess).
Cheers, -peter

Dear all,
Thanks a lot, Heather, for the details regarding RA21's endorsement of the GEANT Data Protection Code of Conduct. Thanks, Peter, for your comments. Regardless of version, the GEANT Data Protection Code of Conduct creates a framework that helps fix current issues with attribute release to library service providers. Looking forward to fine-tuning our recommendations and guidelines in the next call.
Sunny regards
Jiri

* Jiri Pavlik jiri.pavlik@mzk.cz [2019-04-05 10:03]:
> Thanks a lot, Heather, for the details regarding RA21's endorsement of the GEANT Data Protection Code of Conduct. Thanks, Peter, for your comments. Regardless of version, the GEANT Data Protection Code of Conduct creates a framework that helps fix current issues with attribute release to library service providers.
Ideally library SPs wouldn't even need attributes that required data protection but sure, any such endorsement is welcome (even if I find issues with the specifics it's undoubtedly a positive signal) and will pave the way to endorsing a v2 later if that ever happens (and RA21 is still around by then).
-peter