Can we define party by accountability, not ownership?

[dmarti]

It is possible for the same "company" that is ultimately owned by the same stockholders to be more than one party for purposes of being accountable for user data.

There are situations where the same company's web properties in different countries do have common ownership, but users in one jurisdiction are party to a EULA with one subsidiary and users in another jurisdiction have a EULA with a different entity.

From a user point of view the top level owner does not matter as much as whatever legal requirements the "party" is subject to for how their data is used.

---

Preview | Diff

[sandandsnow]

For discussion: While I like the idea behind this suggestion, i.e. to move away from ownership of companies, closer to the concept of a data controller (via accountability), which is a commonly used term in privacy and data protection frameworks. However, I still see problems with extending the definition of first party to a set of legal entities. Please remind me, what is the reasoning behind having a definition of first party that includes more than one legal entity?

[jyasskin]

We discussed this on Aug 4, without @dmarti present, and I think we concluded that we could simplify to having a single legal entity. We lost that conclusion in subsequent discussions, but it's probably still correct.

The move to "accountability" is probably right in text that talks about multiple parties, especially multiple first-parties. I see 1 example of that in the current document?