Moving the conversation to license-discuss, since it's not about the
terms of this license specifically but more generally about the
intersection of GDPR compliance and software licensing.
Pam
Pamela Chestek
Chair, License Committee
Open Source Initiative
On 12/10/20 10:39 PM, Roland Turner via License-review wrote:
Hi Wayne,
First, regarding rationale: Our company is in the business of
creating frameworks and software products which facilitate automated
contact tracing initiatives across the globe. These frameworks and
products must be GDPR- and HIPAA-compliant and have been designed to
be such, with strict, ongoing legal review processes undertaken to
ensure this. The frameworks and products that we create are designed
to be utilized by governmental agencies and private corporations in
the creation of applications and platforms which aid in the fight
against COVID-19 and future pandemic scenarios. In order for this to
be of benefit, the frameworks and software we develop must be open
source, so that the governmental agencies and private corporations
can be free to utilize them. Unfortunately, due to the legal
compliance issues vis-a-vis GDPR and HIPAA, a level of control
regarding development must be maintained. It is our position that the
GNU and other OSI-approved licenses do not provide this level of
control.
Others are addressing the appearance of a profound incompatibility
between what you're proposing ("free to utilise" vs. "level of control
[by Viratrace]") and the Open Source Definition.
I'm interested in the concept of software license terms as an element
of GDPR compliance. Can you explain how you see license terms being a
relevant part of this? It is my understanding that data protection law
in most jurisdictions is about the legal obligations of organisations
in control of personal data both with respect to that data and to
people that it relates to (and often to regulators), and
legal/contractual obligations of other organisations processing that
data on their behalf; software licensors are not part of the picture.
As neither Viratrace nor likely licensees would be looking to
establish a controller/processor relationship[1] through the license,
the relevance is not immediately clear to me.
(For a sense of where I'm coming from:
* Although this is my first ever post to license-review, I've been
involved in open-source license advocacy for rather a long time.
It was I who initially proposed late last century (!) a
multi-license approach for Mozilla.
* I serve as Chief Privacy Officer for my employer — a specialist
processor of personal data — and in that capacity have assisted
customers with data protection obligations across a dozen
jurisdictions on four continents.
* Although the specific concerns of Free Software are largely out of
scope here, I am an advocate of the approach and have spoken in
public about the overlapping objectives of Software Freedom and of
GDPR data subject rights.
* I am tangentially involved in Singapore's TraceTogether program as
an independent expert, both on the technology and on personal data
protection.
* I am working on a design for a system to extend TraceTogether
which coincidentally also uses secure enclaves, although for a
much simpler purpose than the one that you appear to be pursuing.)
- Roland
1: nor the analogous relationships in other jurisdictions
_______________________________________________
The opinions expressed in this email are those of the sender and not
necessarily those of the Open Source Initiative. Communication from the Open
Source Initiative will be sent from an opensource.org email address.
License-review mailing list
license-rev...@lists.opensource.org
http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org