![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
[A legal question rather than a programming one, for a change.]
This article reminded me of a question that's been nagging at the back of my mind ever since the ECJ ruling came out, striking down the Safe Harbor pact: what, exactly, does "personal data" *mean*?
I mean, the Safe Harbor thing is a fairly real and immediate question for me: Querki, like most cloud systems, is trying to be international in scope, and I'd prefer that folks from Europe be able to use it without difficulty. The question is, am I going to have to tie myself in knots architecturally to do so?
And that comes down to the definition of "personal data". By many definitions, I think we're free and clear -- one advantage of my firm "Querki is not another freaking social network" stance is that it contains precious little of the sort of personally-identifying information that is often the lightning rod for these arguments. I have no intention of recording credit card information or anything like that (that's what third-party payment processors are for). Querki follows LJ's attitude towards identity: we not only don't require wallet names, I'm kind of biased in favor of pseudonyms in general. In the medium term, we probably won't even require email addresses or passwords -- we'll allow OAuth2 login by linking to a Facebook/Google/Twitter/etc account.
That said, Querki is all *about* creating and storing information as you choose. If you create a Space in Querki, is that "personal data"? If you comment in someone *else's* Space, is that "personal data"? Trying to separate that sort of stuff based on country of origin is, to say the least, a nightmarish prospect.
In all the news coverage I've seen so far, none of it has clarified this. Does anyone have a pointer or two to the legal definitions in question? It would be useful to know now whether any of this actually affects the running of my company...
This article reminded me of a question that's been nagging at the back of my mind ever since the ECJ ruling came out, striking down the Safe Harbor pact: what, exactly, does "personal data" *mean*?
I mean, the Safe Harbor thing is a fairly real and immediate question for me: Querki, like most cloud systems, is trying to be international in scope, and I'd prefer that folks from Europe be able to use it without difficulty. The question is, am I going to have to tie myself in knots architecturally to do so?
And that comes down to the definition of "personal data". By many definitions, I think we're free and clear -- one advantage of my firm "Querki is not another freaking social network" stance is that it contains precious little of the sort of personally-identifying information that is often the lightning rod for these arguments. I have no intention of recording credit card information or anything like that (that's what third-party payment processors are for). Querki follows LJ's attitude towards identity: we not only don't require wallet names, I'm kind of biased in favor of pseudonyms in general. In the medium term, we probably won't even require email addresses or passwords -- we'll allow OAuth2 login by linking to a Facebook/Google/Twitter/etc account.
That said, Querki is all *about* creating and storing information as you choose. If you create a Space in Querki, is that "personal data"? If you comment in someone *else's* Space, is that "personal data"? Trying to separate that sort of stuff based on country of origin is, to say the least, a nightmarish prospect.
In all the news coverage I've seen so far, none of it has clarified this. Does anyone have a pointer or two to the legal definitions in question? It would be useful to know now whether any of this actually affects the running of my company...
(no subject)
Date: 2015-11-13 07:06 pm (UTC)(no subject)
Date: 2015-11-13 07:45 pm (UTC)