- From: Justin Brookman <jbrookman@cdt.org>
- Date: Wed, 22 Oct 2014 11:15:51 -0400
- To: Walter van Holst <walter.van.holst@xs4all.nl>
- Cc: Amy Colando <acolando@microsoft.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Walter, I don’t think anyone objects to the idea of auditability in theory, but I think there are questions about what that means in the specification. If a DPA has the legal authority to require certain evidence or documentation from a data controller, then it does so — this standard cannot grant or deprive any consumer protection authority of those rights. What do you want this standard to require — that companies prepare some sort of documentation in advance of a request? That they architect their systems in ways that can be comprehended by a regulator? I think there was agreement that a general requirement of “auditability” was confusing and certainly not testable, but if you have a more concrete suggestion in mind, I think people would be open-minded. On Oct 22, 2014, at 5:38 AM, Walter van Holst <walter.van.holst@xs4all.nl> wrote: > On Tue, October 21, 2014 23:22, Justin Brookman wrote: >> No one spoke up for maintaining this language either on the list or on >> last week’s call; if anyone wants to make a pitch for maintaining this >> or other auditability language, please do so; otherwise, we’ll adopt >> Jack’s proposal to remove the sentence. > > Catching up with the WG. > > And yes, I feel that it strongly contributes to the compliance > standard's credibility if any access and use of data retained under > permitted uses is auditable. I would be fine by restricting its > auditability to data protection and/or consumer rights regulators or > similar governmental entities. > > If you commit to limiting your use of certain personal data for > certain circumscribed purposes, you create a burden of proof for > yourself that you have indeed done so. Audit requirements can only be > helpful in that regard. > > Regards, > > Walter > >
Received on Wednesday, 22 October 2014 15:16:40 UTC