Personal Terms and Contracts: Abbreviated Shorthand Designations
Abbreviation System for Terms: Human and Legal Implementations, Visualization of Implementation
-
Human Readable Implementation [TBD]
-
Legal Implementation
Legal Language (Appendix)
The choices that ordinary individuals make about disclosing their data are used to construct a contract between discloser and disclosee. The contract consists of some universal boilerplate, a few clauses that are selected from a standard set in order to match discloser choices, and several pieces of text that the discloser supplies as input. The resulting contract can be visualized like this:
1. Preamble
The preamble never changes:
This Agreement governs a specific Disclosure of Personal
Information by Discloser to Disclosee, as defined and
described hereafter. Discloser makes the Disclosure on the
condition that Disclosee agrees to be bound by the terms and
conditions herein.
2. Definitions
The agreement tries to incorporate terms by reference rather than redefining them.
Terms that begin with the prefix "dpv:" in this Agreement are defined in
v1 of the Data Privacy Vocabulary (DPV; dated 5 Dec 2022; see
https://w3c.github.io/dpv/dpv). Other terms are defined here.
The Agreement is this document, including inputs supplied by the parties,
along with any definitions and explanatory material that it incorporates
by reference.
The Discloser is the party to this Agreement that is the
dpv:DataController of the Personal Information, that offers to disclose
said information per the specified terms and conditions.
The Disclosed is a dpv:NaturalPerson dpv:DataSubject described by the
Personal Information. The Disclosed may be the Discloser, or may be some
other dpv:NaturalPerson (e.g., a dpv:Child or
dpv:VulnerableNaturalPerson) for whom the Discloser has a
dpv:DataController role (e.g., because the Discloser is a
dpv:Representative).
After defining the Discloser and Disclosed, the agreement identifies the Disclosed in a way that is already meaningful to the Disclosee — for example, by a DID, a public key, a username, an email address, a social media handle, a phone number, an account number, or similar. Either the Discloser or the Disclosee can supply these two inputs, but both parties must agree that they characterize the Disclosed.
In this Agreement, the Discloser is the party known to the Disclosee,
prior to the Disclosure, by the identifier ________________, which is of
type _________________.
Personal Information is information about a natural person, as defined in
regulatory frameworks such as GDPR, the UK's Data Protection Act 2018,
Australia's Privacy Act 1988, PIPEDA, HIPAA, CCPA, COPPA, HIPAA, and so
forth. This definition matches the meaning of dpv:PersonalInformation,
but the list of referenced regulations here is broader, and the intent is
that the list be illustrative, not exhaustive.
The Disclosee is the dpv:LegalEntity party to this Agreement that receives
the Personal Information through its automated and/or human processes as
a direct result of the Disclosure, and that processes that information.
The Disclosee thus becoming a dpv:Recipient and dpv:DataProcessor of data
about Disclosed. When the Discloser reasonably perceives the interaction
governed by this Agreement to be with a Disclosee that is a
dpv:Organisation, any dpv:NaturalPersons who serve as dpv:Representatives
of said organization may acquire duties and responsibilities related to
this agreement indirectly, via general legal constructs; however, it is
the dpv:Organisation as a dpv:LegalEntity that is bound directly by the
agreement.
After defining the Disclosee, the agreement identifies the Disclosee in a way that is already meaningful to the Discloser — for example, by a website, an SSL cert, a public key, a brand name, a street address, a phone number, or similar. Either the Discloser or the Disclosee can supply these two inputs, but both parties must agree that they characterize the Disclosee.
In this agreement, the Disclosee is the party known to the Discloser by
the identifier ________________, which is of type _________________.
The Disclosure is the act undertaken by the Discloser that communicates
the Personal Information to the Disclosee under the governance of this
Agreement. Disclosure may change how much the Disclosee knows about the
Disclosed, either by providing new information or by changing the
Disclosee's certainty about information that it may already know or infer.
Any changes in the quality or quantity of information that Disclosee
possesses about Disclosed, or about the relationship between Discloser
and Disclosed, as a result of Disclosure, are known as the Disclosed
Delta. This Agreement places the processing of the Disclosed Delta under
the dpv:Consent basis.
3. Recitals
The recitals document the context in which the Disclosure interaction is occurring. The begin with the following standard paragraph:
This Agreement focuses only on the narrow question of how to
govern the Disclosure and subsequent usage of the enumerated
Personal Information in the specified context. It
supplements rather than replaces any fabric of larger and
more general legal and regulatory frameworks that may exist
at the time the Disclosure occurs. It must also be
interpreted within the context of human rights that are
stable across time and that cannot be contracted away.
The next piece of context is an enumeration of what specific pieces of data the Discloser is willing to disclose. These pieces of data must be described in terms that are meaningful to the Disclosee. If disclosure takes place via an HTML form, for example, the pieces of data must be described in terms of the arguments to the HTML form (effectively, the Discloser is saying, “I propose to give you data in your first_name, last_name, and zip_code fields”). If disclosure takes place with verifiable credentials, the pieces of data must be described in terms of a credential schema / credential manifest.
The Discloser proposes to disclose the following pieces of
Personal Information about the Disclosed, in a structure
known to the Disclosee, as follows (field names, schema, or
similar):
_______________________________________________________.
We also need a timestamp is to map the contract to larger context such as when a regulation or when a privacy policy went into effect.
The Discloser proposes to disclose this information at
approximately this UTC timestamp: _____________________.
We also need some kind of documentation of what the Discloser perceives to be the context for the request. In most web-based interactions, this is communicated by a URL and possibly a cookie value for the session. If the Discloser is purchasing something, the URL should show a shopping cart checkout action, and the cookie would capture the state of the cart. This context serves as a constraint on how later provisos are interpreted.
The Discloser proposes to disclose the Personal Information
in the following process context (URL plus cookie value, or
similar): _____________________ .
We also need to stipulate some things about how the following provisos should be interpreted.
The following section of the Agreement imposes constraints
on how Disclosee processes Personal Information. Disclosee
agrees to be bound by these constraints: all uses of the
data that are not granted by these provisos are prohibited.
Disclosee further agrees that the Discloser retains all
rights to privacy and constrained data processing that are
established or upheld by applicable regulatory regimes, that
are not explicitly limited by this Agreement.
4. Provisos
This section of the contract is where the Discloser selects whichever clauses correspond to the choices that they make about the four central questions of P7012.
Possible Usage Provisos
The TXN, REL, and N provisos are mutually exclusive. The ENU proviso can stand on its own or can be combined with TXN or REL. If it is combined, it must follow the other proviso
TXN
TXN Usage: The Disclosee agrees that the Primary Use of the
Disclosed Delta will be to deliver the specific good(s) or
service(s) that the Discloser has already identified and
that directly associate with the aforementioned process
context (e.g., to deliver a nearly completed purchase). Data
processing purposes that are compatible with this constraint
include dpv:CustomerManagement, dpv:LegalCompliance,
dpv:EnforceSecurity, dpv:OrganisationGovernance and
dpv:RecordManagement. The dpv:ServiceProvision purpose is
also compatible, except that processing for future
dpv:SellProducts purposes is explicitly prohibited.
Processing for purposes such as dpv:Marketing and
dpv:Personalisation is explicitly prohibited.
REL
REL Usage: The Disclosee agrees that the Primary Use of the
Disclosed Delta will be to facilitate an ongoing
relationship in which the Disclosee delivers good(s) or
service(s) to the Discloser and/or Disclosed. Data
processing purposes that are compatible with this constraint
include dpv:CustomerManagement, dpv:LegalCompliance,
dpv:EnforceSecurity, dpv:OrganisationGovernance,
dpv:ServiceProvision, dpv:Marketing and dpv:Personalisation.
ENU
ENU Usage: The Discloser allows the Disclosee to use the
Personal Information for the following DPV processing
purposes:
_______________________________________________________. If
a Primary Use is not defined elsewhere, the first item in
this list is the Primary Use.
N
N Usage: Via this Agreement, the Discloser imposes no new
constraints on how Personal Information is used. Data
processing may still be governed by ambient regulation,
policies of the Disclosee, and choices negotiated between
the two parties elsewhere.
Possible Sharing Provisos
A given contract must contain exactly one of the following sharing provisos.
X
X Sharing: The Disclosee may share the Disclosed Delta with
any party that is a dpv:LegalEntity in one of these
jurisdictions: _________________, if that entity is a
dpv:Representative of Disclosee. Disclose must not share the
Disclosed Delta with any other party.
2
2 Sharing: The Disclosee may share the Disclosed Delta with
any party that is a dpv:LegalEntity in one of these
jurisdiction(s): _________________, if that entity is a
dpv:Representative of Disclosee. Disclosee may also share
the Disclosed Delta with other dpv:LegalEntitys in those
same jurisdictions, referred to as Collaborators, if and
only if the following conditions are met: 1) the
Collaborator's help is required for Disclosee to accomplish
approved data processing purposes; 2) the Collaborator
enters into a copy of this Agreement (hereafter "Chained
Agreement"), with all of its associated terms, conditions,
and provisos, directly with Discloser. Collaborator may
execute the Chained Agreement in a direct interaction with
Discloser. Alternatively, Collaborator may initially record
the Chained Agreement only with Disclosee. However,
Disclosee must retain records of all such Chained
Agreements, and must produce them upon demand from
Discloser. All Chained Agreements must be between
Collaborator and Discloser, not between Collaborator and
Disclosee, and must leave Discloser with direct legal remedy
vis-a-vis the Collaborator.
3
3 Sharing: The Disclosee may share the Disclosed Delta with
any party that is a dpv:LegalEntity in one of these
jurisdiction(s): _________________, referred to as a Third
Party, if and only if the Third Party enters into a copy of
this Agreement (hereafter "Chained Agreement"), with all of
its associated terms, conditions, and provisos, directly
with Discloser. Third Party may execute the Chained
Agreement in a direct interaction with Discloser.
Alternatively, Third Party may initially record the Chained
Agreement only with Disclosee. However, Disclosee must
retain records of all such Chained Agreements, and must
produce them upon demand from Discloser. All Chained
Agreements must be between Third Party and Discloser, not
between Collaborator and Disclosee, and must leave Discloser
with direct legal remedy vis-a-vis the Third Party.
N
N Sharing: Via this Agreement, the Discloser imposes no new
constraints on how Personal Information is shared. Data
sharing may still be governed by ambient regulation,
policies of the Disclosee, and choices negotiated between
the two parties elsewhere.
Possible Erasure Provisos
A given contract must contain exactly one of the following erasure provisos.
X
X Erasure: The process of erasing the Disclosed Delta from
Disclosee records is intended to begin as soon as the
Primary Use is accomplished. The Disclosee is required to
implement this erasure policy, with the following caveat. If
the regulatory context includes legal requirements about
data retention that conflict with the previous rule,
Disclosee must notify Discloser as soon as Disclosee is
aware of the conflict, must comply with the data retention
requirements, and must erase the data as soon after the
Primary use is accomplished as the those retention
requirements are satisfied.
T
T Erasure: The process of erasing Disclosed Delta from
Disclosee records is intended to begin within this time
interval after the Primary Use is accomplished:
__________________. If the Agreement includes REL Usage,
this countdown must begin from the time that Discloser last
took an affirmative action that proves they were deriving
concrete, demonstrable benefit from the relationship; the
Disclosee may not assume that the relationship is providing
value simply because the relationship exists. The intent is
to require erasure if the Discloser is passive and
essentially idle. The Disclosee is required to implement
this erasure policy, with the following caveat. If the
regulatory context includes legal requirements about data
retention that conflict with the preceding rules, Disclosee
must notify Discloser as soon as Disclosee is aware of the
conflict, must comply with the data retention requirements,
and must erase the data as soon after the time interval has
elapsed as those retention requirements are satisfied.
D
D Erasure: The process of erasing Disclosed Delta from
Disclosee records must begin upon demand by the Discloser,
with the following caveat. If the regulatory context
includes legal requirements about data retention that
conflict with the timing of the erasure demand, Disclosee
must notify Discloser as soon as Disclosee is aware of the
conflict, must comply with the data retention requirements,
and must erase the data as soon after the erasure demand as
those retention requirements are satisfied.
N
N Erasure: Via this Agreement, the Discloser imposes no new
constraints on how or when Personal Information is erased.
Data erasure may still be governed by ambient regulation,
policies of the Disclosee, and choices negotiated between
the two parties elsewhere.
Possible Correlation Provisos
The X, S, and P provisos are mutually exclusive. The A proviso can stand on its own or can be combined with X or S. If it is combined, it must follow the other proviso.
X
X Correlation: The Personal Information must not be
correlated with any other personal data about Discloser or
Disclosed that is now known or that will become known to the
Disclosee or to any third parties, unless that other data
was or will be disclosed for an overlapping Primary Use and
according to compatible sharing and erasure constraints, or
unless the additional "A Correlation" use is specifically
allowed below. The intent is that correlation only happens
to facilitate the specific shared purpose governed by this
Agreement. In all other contexts, the Disclosed and the
Discloser as revealed by the Personal Information remains
exactly as pseudonymous or as identified as they would be
without the Disclosure.
S
S Correlation: The Personal Information must not be
correlated with any other personal data about Discloser or
Disclosed that is now known or that will become known to the
Disclosee or to any third parties, unless that other data
was or will be disclosed according to compatible sharing,
correlation, and erasure constraints, or unless the
additional "A Correlation" use is specifically allowed
below.
A
Correlation: Independent of any other constraints on the
usage of Personal Information, the Disclosure may be used to
facilitate a correlation by Disclosee or by another party
that correctly ties multiple pieces of data to the Discloser
or Disclosed (the Correlated Party), preventing the
Corelated Party from being erroneously counted more than
once in a large corpus. However, once the correlation has
accomplished this purpose, the data must be pseudonymized so
the temporarily correlated, now pseudonymized Correlated
Party cannot be easily correlated to additional external
data sets. Furthermore, the party that performs correlation
must agree not to de-pseudonymize the Correlated Party, and
must place all consumers of the aggregate data set under an
identical agreement, with the Correlated Party having legal
remedy directly with those who violate this constraint.
P
P Correlation: Via this Agreement, the Discloser imposes no
new constraints on how or when Personal Information is
correlated. The Discloser encourages correlation because the
intent is to build public reputation.
5. Agreement
This section finishes the contract. It clarifies what evidence constitutes proof that the Discloser and Disclosee have both agreed to be bound by the contract. It always begins like this:
The Discloser is deemed to accept the terms and conditions
set forth in this Agreement if they complete the Disclosure
process. They may prove that they are responsible for a
Disclosure under the terms of this Agreement by signing
(electronically, digitally, and/or cryptographically) the
Disclosure together with this Agreement.
Disclosee Commitment Options
The Disclosee also needs to be committed in a non-repudiable way. There are two options for this.
Contract of Adhesion
This option simply says that if the Disclosee uses the data, and cannot prove that they received it in any other way, they are deemed to have accepted the Agreement.
The Disclosee is deemed to accept the terms and conditions
set forth in this agreement if, after seeing the Agreement,
they give no overt signal to the Discloser that they have
rejected it, and if they then process the Disclosed Delta in
any way other than deleting it immediately.
Explicit Acceptance
The Disclosee accepts the terms and conditions set forth in
this Agreement, as witnessed by the associated signature
(electronic, digital, and/or cryptographic) over the
Agreement.