Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Copy-edit the Common Concepts section, except for the Recognition sub-section. #369

Merged
merged 4 commits into from
Dec 6, 2023

Conversation

jyasskin
Copy link
Collaborator

@jyasskin jyasskin commented Nov 9, 2023

Fixes #317, because I think we've already done a pass over Recognition.


Preview | Diff

index.html Outdated Show resolved Hide resolved
Comment on lines 2087 to +2162
* their location data,
* an online identifier such as email or IP addresses,
* browser fingerprints (based on a combination of
configuration characteristics), or
* factors specific to their physical, physiological, genetic, mental,
economic,
cultural, social, or behavioral [=identity=],
configuration characteristics), or
* factors specific to their physical, physiological, genetic, mental, economic,
cultural, social, or behavioral [=identity=],
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure these are all actually identifiers. They're ways to identify people, but we've defined an identifier as a thing that got assigned to a person.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed today maybe these are characteristics rather than unique identifiers...

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Punting further discussion to #374.

@@ -2122,41 +2113,39 @@
destruction.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yikes! What parts of this do we actually need to list, and what parts could we simplify?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We looked at this today and agreed we need to re-write.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left for discussion in #375.

@jyasskin jyasskin requested a review from darobin November 9, 2023 01:29
Comment on lines +2026 to +2097
is a [=person=] whose ability to make their own choices can be taken away more
easily than usual. Among other things, they should
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Filed #373 to keep thinking about whether we need this at all.

index.html Outdated Show resolved Hide resolved
index.html Outdated
[=actor=] and solely for the list of explicitly-specified [=purposes=]
detailed by the directing [=actor=] or [=data controller=];
[=data controller=] and solely for the list of explicitly-specified [=purposes=]
detailed by the directing [=data controller=];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@darobin can you review this change? It looked good to us on today's call but wanted your eyes on it as well.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also incorrect as it rules out the possibility of being the processor of a processor.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

index.html Outdated

* is processing the data on behalf of that [=actor=];
* [=processes=] data on behalf of a [=data controller=];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is incorrect: you can have a service provider of a service provider, in fact it's very common.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

index.html Outdated
* may determine implementation details of the data processing in question but
does not determine the [=purpose=] for which the data is being [=processed=]
nor the overarching [=means=] through which the [=purpose=] is carried out;
* has no independent right to use the data other than in a [=de-identified=] form (e.g., for
monitoring service integrity, load balancing, capacity planning, or billing); and,
* has a contract in place with the [=actor=] which is consistent with the above limitations.
* has a contract in place with the [=data controller=] which is consistent with the above limitations.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

Copy link
Member

@darobin darobin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is generally good, but replacing actor with controller in the definition of a processor introduces a bug.

Comment on lines -2074 to -2151
The <dfn>Vegas Rule</dfn> is a simple implementation of privacy in which "<i>what happens with the
[=first party=] stays with the [=first party=]</i>." Put differently, the [=Vegas Rule=] is followed
when the [=first party=] is the only [=data controller=]. While the [=Vegas Rule=] is a good
guideline, it's neither necessary nor sufficient for [=appropriate=] [=data processing=]. A [=first
party=] that maintains exclusive access to a person's data can still [=process=] it
[=inappropriately=], and there are cases where a third party can learn information about a person
but still treat it [=appropriately=].

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We re-discussed this today and decided to keep the Vegas Rule out.

index.html Outdated
## Acting on Data {#acting-on-data}

We define <dfn data-lt="data">personal data</dfn> as any information that is directly or
indirectly related to an identified or identifiable [=person=], such as by reference to an
[=identifier=] ([[GDPR]], [[OECD-Guidelines]], [[Convention-108]]).
[=identifier=]. (This matches the [[[GDPR]]], the [[[OECD-Guidelines]]], and the [[[Convention-108]]].)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I worry about "this matches" as that is expressing a legal opinion. Referencing documents that define PD is helpful as it allows folks to explore the space further if they need to, but claiming that our definition matches the exact sense used by three distinct legal documents really worries me.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've un-done this change.

@jyasskin jyasskin dismissed darobin’s stale review December 5, 2023 20:04

We agreed in https://github.com/w3ctag/privacy-principles/blob/main/meetings/2023-11-29-minutes.md#369-copy-edit-the-common-concepts-section-except-for-the-recognition-sub-section that my changes after the meeting would be good enough to land this, but I'll still wait for someone to approve to confirm that my changes were the ones we agreed on.

Copy link
Member

@torgo torgo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as agreed in today's TF call

@jyasskin jyasskin merged commit 0be2995 into w3ctag:main Dec 6, 2023
1 check passed
@jyasskin jyasskin deleted the copy-edit-common-concepts branch December 6, 2023 17:16
github-actions bot added a commit that referenced this pull request Dec 6, 2023
…-section. (#369)

SHA: 0be2995
Reason: push, by jyasskin

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Copy edit section A, Common Concepts
6 participants