
interfed - [inc-interfed] NOTES, discussion of the Geant Code of Conduct

Subject: Interfederation

  • From: Steven Carmody <>
  • To:
  • Subject: [inc-interfed] NOTES, discussion of the Geant Code of Conduct
  • Date: Tue, 12 Mar 2013 13:05:38 -0400

what is the Directive

because it's a Directive, implemented via national law
multiple interpretations
enforced by each national data regulator
EU Article 29 Working Party offers non-binding "interpretations"
The new EU data protection regulation proposal (directly binding to the 27 EU countries) -- DRAFT, not yet adopted,

Summary of the Directive
url, mikael's doc

objective -- The objective of the directive is to protect a person’s fundamental rights while guaranteeing the free flow of personal data between member states.

data controllers, processors VS home org, SP
"joint data controllers"

imposes requirements on both parties
seems to expect bilateral contracts

Problems with the Directive, from the HE viewpoint

bilateral contracts do not scale
crossing national boundaries -- different interpretations
org-org, not person to person
many possible approaches to compliance, but the two parties in any given transaction must use the same approach

How does the CoC approach this situation


developed with advice from DLA Piper
only tackles part of the problem (declares optional attr/user consent out of scope)
defines AN approach for the two parties
if party A sees that party B is operating in compliance with the CoC, then party A can make some assumptions about how to proceed

the CoC does not do away with RISK, but aims to minimize it

Phase 1 avoids optional attributes; only refers to "Attributes that are necessary for the legitimate interests of the Service Provider to provide the service"

How does the CoC Actually Work

-- SP indicates that it has committed to the CoC (not a contract -- a declaration)
-- SP asks, via metadata, for required attributes
-- SP INFORMS the user (via its privacy policy) of its processing of attributes
-- IDP INFORMS the user when required attributes are released

Extending Beyond the EU
"countries with comparable privacy protection"
US -- Safe Harbor, Commerce Dept, specifically excludes Higher Ed

CoC -- "combine the current CoC with the EC model contractual clauses and make both the home organization and service provider commit to them."
