Trust and Internet Identity Meeting Europe
11-14 Feb 2019: Workshops and Unconference

Session 32 BCR + Legal Entity – Global eScience Inc

If you give some legal "dust" on the CoCo-requirement, would that work?

Approach in two ways:

  • What if you have a single.. IP?
  • Setup a foundation typically or the "Dutch way" of a cooperation (coop in English)

Put all of this rules in there and make a statement that the members are abiding. There might be some liability involved in it. It might be interesting to include liability. If research entities need liability it would be better to treat them as one?

Scope :

To address the data-protection-issue or federation?

It is both.

If the price to do it yourself is higher than joining the collaborative thing.

Is this the only possible approach? Only one, the other approach (CoCo) has different Pros and Cons.

You could use a Dutch "stitching" to use in Europe.

It is about creating templates others can use. IdPs don´t have this problem, I think

We have legal entities (CERN), ESFRI-Projects, Géant. Would these together found such a large company?

Even for the Baseline we had a lot of discussion.

Legal entity can enforce its policies to its members. Is that not that what you want?

It can enforce, because it can kick out entities which are not have the necessary requirements.

The CoCo-Stuff does not fit in the privacy legislation a GDPR does? No, I think not that it is that way.

What is the value of a self-declared thing?

Data protecting authority would not enforce using CoCo.

EU reacts most of the time only if someone complains.

Somebody signed up to do the liability of that.

If the equipment is destroyed, then there is no liability left.

Today there is always user-consent. Everyone is doing that for their daily jobs. It is time for a lawsuit for..?

Is there a risk to manage (and how much)?

With IGTF and the collaborators, the risk is neglectable.

There are no new risk for the collaborators.

Wondering, if the last step would make the life of the collaborators easier.

Now we only have a single CoCo.

Existing legal entities, could they do the job? ITF is not such a legal entity. Apache, JSEC, same kind of IDL. Someone has to have an operational responsibility.

Any ISP can have as much IDPs as they want in the Netherlands.

Status quo is that they are not in the federation, not a legal entity.

You don´t have to sign a contract to have CoCo.

For the federations view only the SP-proxies are registered.

IPR does not look at the legal entities?

If you write a CoCo on behalf of the members, does that make them legal entities?

We simply declare ourselves to be a group, pull up a website and list the members.

The compromise is to follow the CoCo-Club.

Maybe it would be enough. CoCo is already being published. Maybe we should just create an extra place (not technical) like a website. We already have a list of characteristic of IdPs.

We maybe should put this list up?

We should talk to a lawyer first.

Is there a liability issue? No, I don´t think so.

Link to cloud select industry group code of conduct effort: https://ec.europa.eu/digital-single-market/en/cloud-computing-strategy-working-groups

Conclusion: Nice Idea, found out that the CoCo-approach is maybe good enough.