Location Constraints #245

Open
PrivacyCDN opened this issue Feb 5, 2016 · 2 comments
Labels
extension Idea that may be suitable for an extension spec or UMA Request For Enhancement RSctrl Related to enabling the RS to exert/retain control over resource access shoebox Related to consent/personal data receipt API ideas trust Business-legal-technical (BLT) trust

Comments

@PrivacyCDN

Potential Location Constraints

This issue came to mind in the course of a discussion around issue 239 in the workgroup call of 2016/02/04, but is unrelated to that issue. The simple use case would be where a resource owner is a citizen of a country that has data localization regulations that bar the collection, use or disclosure of citizen data in all or some other countries. For example, European data controllers may not transfer European citizens' data to countries that have not been approved for such transfers.

If Bob is the Resource Owner and he wants to grant access to his personal information, stored on a Resource Server in his own country, to a Requesting Party (Alice) located in another country, the Authorizing Server may be required to deny access because Alice is in a country that is not approved to collect personally identifiable information from Bob's country, irrespective of Bob's expressed consent.

Another case might be where a medical researcher wants to share health data with a colleague in another location. Is this disclosure allowed by the medical researcher's institution and does the researcher have to seek consent from the patient in advance of the disclosure?

Factors to consider:

  • Is the type of resource such that location constraints may apply (i.e. is it personally identifiable information)
  • The location of the Resource Server
    • Physical location in the case of government regulations - what constraints apply to cross border data transfers
    • Logical location in the case of policies related to scope - what constraints apply to data transfers within entities (Local), within federations (medium scope), or just generally.
  • The location of the Requesting Party - Is the requesting party in a physical or logical location that places constraints on granting access?
@xmlgrrl xmlgrrl added RSctrl Related to enabling the RS to exert/retain control over resource access trust Business-legal-technical (BLT) trust V2.0 shoebox Related to consent/personal data receipt API ideas labels Jan 4, 2017
@xmlgrrl

xmlgrrl commented Jan 4, 2017

This is a classic RSctrl question. I've added shoebox because of the potential implications.

@xmlgrrl xmlgrrl removed the V2.0 label Feb 1, 2017
@xmlgrrl xmlgrrl added the extension Idea that may be suitable for an extension spec or UMA Request For Enhancement label Mar 8, 2017
@xmlgrrl

xmlgrrl commented Sep 24, 2020

Andi and I wonder: Is this "just" a case of implemented AS policy sophistication, and not a spec change?
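
An added sketch, not part of the thread and not UMA or project code, of how the factors listed in the opening post could be evaluated purely as authorization-server policy, with owner consent necessary but not sufficient. All names (`Party`, `Resource`, `decide`, `APPROVED_TRANSFERS`) and the jurisdiction labels `J1` to `J3` are hypothetical, and the rule table is constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample rules (assumption, not real regulatory data):
# RS jurisdiction -> other jurisdictions approved to receive PII from it.
APPROVED_TRANSFERS = {"J1": {"J2"}}

# Logical scopes named in the issue, narrowest first.
SCOPE_ORDER = ["local", "federation", "general"]

@dataclass(frozen=True)
class Party:
    jurisdiction: str  # physical location
    entity: str        # organization the party belongs to
    federation: str    # federation of that organization, "" if none

@dataclass(frozen=True)
class Resource:
    is_pii: bool       # factor 1: do location constraints apply at all?
    server: Party      # factor 2: where the Resource Server sits
    max_scope: str     # widest logical scope the RS policy allows

def logical_distance(rs: Party, rqp: Party) -> str:
    """Classify the transfer as within an entity, a federation, or general."""
    if rs.entity == rqp.entity:
        return "local"
    if rs.federation and rs.federation == rqp.federation:
        return "federation"
    return "general"

def decide(resource: Resource, rqp: Party, owner_consents: bool):
    """Return (permit, reason) for a requesting party (factor 3)."""
    if not owner_consents:
        return False, "no owner consent"
    if not resource.is_pii:
        return True, "not PII; location constraints do not apply"
    rs = resource.server
    # Physical check: cross-border transfers fail closed when no rule exists.
    if rqp.jurisdiction != rs.jurisdiction and \
            rqp.jurisdiction not in APPROVED_TRANSFERS.get(rs.jurisdiction, set()):
        return False, "cross-border transfer not approved"
    # Logical check: the transfer must stay within the permitted scope.
    distance = logical_distance(rs, rqp)
    if SCOPE_ORDER.index(distance) > SCOPE_ORDER.index(resource.max_scope):
        return False, "outside permitted logical scope"
    return True, "permitted"

# Bob consents, but Alice is in a jurisdiction not approved for transfers from J1.
bobs_rs = Party("J1", "clinic-a", "health-fed")
record = Resource(is_pii=True, server=bobs_rs, max_scope="federation")
print(decide(record, Party("J3", "lab-x", ""), owner_consents=True))
```
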
