Version 29 Jul 2013

DLA Piper draft (29 Jul 2013, for discussion purposes only)

1. Legal

1.1. (Peter) more clarification why standard contractual clauses (SCC) approach (and not consent)

1.2. (Peter) SCC Annex 2, I(b) "It [i.e., the "data exporter"/Home Organisation] has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses."

1.3. (Peter) Annex 2, III(a) liability

1.4. (Olivier) Does the SP need to indicate its jurisdiction (in its metadata)?

1.5. (Brook) The sentence on page 2 "The European Commission has so far recognised the following countries as providing adequate protection: Andorra, Argentina, Australia,..." caused confusion among the Australian colleagues. The EC's adequacy decision covers only transfer of the passenger (PNR) records to the Australian Customs Service.

2. Organising

2.1. (Nicole) removal of GEANT’s role?

2.2. (Nicole) What is legally strong enough to signal HO’s commitment to the iCoC?

2.3. (Peter) Is it a strong enough signal of commitment to the CoC that the HO decides to release attributes to the CoC-SP?

3. Technical

3.1. (inCommon) Consolidate the Code of Conduct spec in a single document

3.2. (inCommon) Standardize the Code of Conduct language that the SP must include in its Privacy Statement.

3.3. (inCommon) Avoid the use of <md:RequestedAttribute> elements in metadata to operationalize the Code of Conduct category. Consider using the attribute bundle approach instead.

3.4. (TomS) Combine CoC and R&S entity categories in a way they can co-exist. An SP can assert both EC-with-bundle and CoC with RequestedAttributes. The IdP decides which one of the two to use.

3.5. (TomS) EC-support attribute for CoC-IdPs?