|
Top-level
 The report fundamentally assumes that service providers evaluate each other (sender A and receiver B of a transfer of personal data of some user) on a peer-to-peer basis: A evaluates B, B evaluates A, using a template they provide in the appendix of the report, and on that basis, A decides whether to send data to B, and B whether to accept it. Trust is needed in both directions. /cc @DTinitiative 3 comments
Also, in many cases, source and destination service providers for a data transfer are direct competitors. Chances are they are less frank with each other about what they do than they would be with a 3rd-party organization.... which also could contractually require, as part of the certification program, that it be informed of major changes etc. So @DTinitiative, that's all just a thought, I'm sure you have thought about all of this, so I wouldn't be surprised if there were another report soon! @J12t @DTinitiative I'll just say these thoughts have crossed our minds and we aren't done yet, this was a first step :-) Thanks for your feedback Johannes and we will for sure stay in touch. |
Gregory's Server
The report does not cover the case where a third party -- say dtinit :-) -- were to have a conformance program that A and B go through, and where they accept anybody certified as a partner in a data exchange because they have the certification.
I'm bringing this up because doing this mutual evaluation is not just an N*2 cost problem, but it also doubtful that an individual service provider has the ability to actually ascertain other service providers practices.
/cc @DTinitiative