The Liberty Alliance has published a paper called “Circles of Trust: The Implications of EU Data Protection and Privacy Law for Establishing a Legal Framework for Identity Federation” which is available for download here.
The paper was edited by Stephen Deadman and compiled by a very knowledgeable panel of contributors including Luc Mathan, Christine Varney, Jeff Hodges, Paul Madsen, Joe Alhadeff, Piper Cole, and Stephanie Manning. It goes well beyond the Privacy and Security Best Practices paper released in 2003.
The paper situates the problems of privacy and data protection that arise when customer data is shared within the context of various European legal and normative initiatives (the thinking will be equally instructive to North Americans). At times I had the feeling the report raised almost as many questions as it answers – and that this was likely intentional. The legal complexities of this style of federation are significant, and they must all be considered.
The paper is a clarifying step forward for all of us who are working on federation solutions and deployments, whether they are based on Liberty profiles or other comparable technologies.
Now, perhaps I am just a man with a hammer who sees everything in the world as a nail, but the paper reinforced my thinking that the more our systems are built to guarantee that the user is the conscious agent of information release (rather than having this done on his behalf), the better privacy is served, and the simpler our lives become from a legal and policy point of view.