Privacy/TPWG/Change Proposal Service Provider
- 1 Proposal: Service Provider
- 2 Proposal: Technical Precautions and Internal Practices
- 3 Proposal: No Independent Right
- 4 Editors' Draft Text
Proposal: Service Provider
Access to Web resources often involves multiple parties that might process the data received in a network interaction. For example, domain name services, network access points, content distribution networks, load balancing services, security filters, cloud platforms, and software-as-a-service providers might be a party to a given network interaction because they are contracted by either the user or the resource owner to provide the mechanisms for communication. Likewise, additional parties might be engaged after a network interaction, such as when services or contractors are used to perform specialized data analysis or records retention.
For the data received in a given network interaction, a service provider is considered to be the same party as its contractee if the service provider:
(1) processes the data on behalf of the contractee;
(2) ensures that the data is only retained, accessed, and used as directed by the contractee;
(3) has no independent right to use the data other than in a de-identified form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and,
(4) has a contract in place with the contractee which is consistent with the above limitations.
Proposal: Technical Precautions and Internal Practices
Proposal from Dan Auerbach. To see a longer version including non-normative examples, see the proposal email.
A first party may outsource website functionality to a third party, in which case the third party may act as the first party under this standard with the following additional restrictions.
Throughout all data reception, retention, and use, outsourced service providers must use all feasible technical precautions to both mitigate the linkability of and prevent the linking of data from different first parties.
Structural separation ("siloing") of data per first party, including both separate data structures and avoidance of shared unique identifiers, is a necessary, but not necessarily sufficient, technical precaution.
Throughout all data reception, retention, and use, outsourced service providers must use sufficient internal practices to prevent the linking of data from different first parties.
An outsourced service must use data retained on behalf of a first party ONLY on behalf of that first party, and must not use data retained on behalf of a first party for their own business purposes, or for any other reasons.
A first party's representation that it is in compliance with this standard includes a representation that its outsourcing service providers comply with this standard.
A first party must enter into a contract with an outsourcing service provider that requires that outsourcing service provider to comply with these requirements.
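The siloing precaution in the proposal above, sketched as an added example that is not part of the proposal or of any working group text: each first party's records live in their own structure, keyed by an identifier derived with a per-party secret, and an audit check confirms that no identifier appears in two silos. The class name, method names, domain names and cookie value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class SiloedStore:
    """Hypothetical service-provider store: one silo per first party,
    with no identifier shared between silos."""

    def __init__(self):
        self._keys = {}                  # first party -> secret HMAC key
        self._silos = defaultdict(dict)  # first party -> {pseudonym: [events]}

    def _pseudonym(self, first_party, raw_id):
        # A different key per first party means the same raw identifier
        # maps to unrelated pseudonyms in different silos.
        key = self._keys.setdefault(first_party, secrets.token_bytes(32))
        return hmac.new(key, raw_id.encode(), hashlib.sha256).hexdigest()

    def record(self, first_party, raw_id, event):
        # The raw identifier is never stored, only its per-party pseudonym.
        pid = self._pseudonym(first_party, raw_id)
        self._silos[first_party].setdefault(pid, []).append(event)
        return pid

    def query(self, requesting_party, first_party):
        # Data retained for a first party is released only to that party.
        if requesting_party != first_party:
            raise PermissionError("cross-party access refused")
        return self._silos[first_party]

    def shared_identifiers(self):
        """Audit check: identifiers that appear in more than one silo."""
        seen = defaultdict(set)
        for party, silo in self._silos.items():
            for pid in silo:
                seen[pid].add(party)
        return {pid: p for pid, p in seen.items() if len(p) > 1}


def demo():
    store = SiloedStore()
    raw = "browser-cookie-1234"  # constructed sample identifier
    a = store.record("news.example", raw, "page_view")
    b = store.record("shop.example", raw, "page_view")
    a2 = store.record("news.example", raw, "click")
    return store, a, b, a2
```

As the proposal says, this is necessary but not sufficient: anything stored inside the events themselves (for instance an IP address) can still link records across silos.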
Proposal: No Independent Right
(3) has no independent right to use or share the data except as necessary to ensure the integrity, security, and correct operation of the service being provided
Editors' Draft Text
The above proposals would replace the existing text below from the editors' draft.
An outsourced service provider is considered to be the same party as its client if the service provider:
(1) acts only as a data processor on behalf of the client;
(2) ensures that the data can only be accessed and used as directed by that client;
(3) has no independent right to use or share the data except as necessary to ensure the integrity, security, and correct operation of the service being provided; and
(4) has a contract in place that outlines and mandates these requirements.