Privacy/TPWG/Change Proposal Service Provider
- 1 Proposal: Implementation Partner
- 2 Proposal: Technical Precautions and Internal Practices
- 3 Proposal: No Independent Right
- 4 Editors' Draft Text
Proposal: Implementation Partner
Most sites, services, or resources on the Web involve multiple parties that process the data received in a given interaction. For example, the parties involved during an interaction might include domain name services, network access points, content distribution networks, load balancing services, security filters, cloud platforms, and software-as-a-service providers. Likewise, additional parties might be engaged after an interaction, such as when services or contractors are used to perform specialized data analysis or records retention.
For the data received in a given network interaction, a party is considered to be an implementation partner if it:
(1) processes the data on behalf of another party;
(2) ensures that the data is only retained, accessed, and used as directed by that party;
(3) has no independent right to use the data other than in a de-identified form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and,
(4) has a contract in place with that party which is consistent with the above limitations.
Alternatively, replace implementation partner with service provider above if the WG wishes to continue using that term.
Proposal: Technical Precautions and Internal Practices
Proposal from Dan Auerbach. To see a longer version including non-normative examples, see the proposal email.
A first party may outsource website functionality to a third party, in which case the third party may act as the first party under this standard with the following additional restrictions.
Throughout all data reception, retention, and use, outsourced service providers must use all feasible technical precautions to both mitigate the linkability of and prevent the linking of data from different first parties.
Structural separation ("siloing") of data per first party, including both separate data structures and avoidance of shared unique identifiers are necessary, but not necessarily sufficient, technical precautions.
Throughout all data reception, retention, and use, outsourced service providers must use sufficient internal practices to prevent the linking of data from different first parties.
An outsourced service must use data retained on behalf of a first party ONLY on behalf of that first party, and must not use data retained on behalf of a first party for their own business purposes, or for any other reasons.
A first party's representation that it is in compliance with this standard includes a representation that its outsourcing service providers comply with this standard.
A first party must enter into a contract with an outsourcing service provider that requires that outsourcing service provider to comply with these requirements.
Proposal: No Independent Right
(3) has no independent right to use or share the data
except as necessary to ensure the integrity, security, and correct operation of the service being provided
Editors' Draft Text
The above proposals would replace the existing text below from the editors' draft.
An outsourced service provider is considered to be the same party as its client if the service provider:
(1) acts only as a data processor on behalf of the client;
(2) ensures that the data can only be accessed and used as directed by that client;
(3) has no independent right to use or share the data except as necessary to ensure the integrity, security, and correct operation of the service being provided; and
(4) has a contract in place that outlines and mandates these requirements.