On 05/17/2018 10:39 AM, Daniel Stone wrote:
Hi Daniel,
First of all: my apologies for the delay in my answer; it is a quite busy time for me right now (ahem).
> However, it's well documented on this list what the issues are.
My reaction may have been a bit grumpy: right now I spend quite a lot of my time debunking all kinds of more or less silly myths about the GDPR. A post on this list with only a link to a blog that is totally irrelevant is the last thing we need and a waste of my time. But if there are problems, I love to spend some of my time helping OS projects where I can.
> Many of the tools used in open-source development have distributed PII far and wide, and do not have good mechanisms to deal with it.
Yes, I recognize that pattern: many OS projects use different tools/services to do their work. Each of them has to be considered on its own. But also in many cases those tools reside under the responsibility of somebody else. GitHub for example is a data controller on its own. As an OS project you don't have to deal with the (potential) GDPR issues GitHub may have.
> Scrubbing Bugzilla is difficult. Mailman requires a massive amount of text parsing, as it distributes PII through the headers as well as mail bodies: stripping information from there involves scraping through files in three formats, decoding MIME, and even then basic tools like grep are insufficient, because the PII might be split across line breaks with quote marks in between.
> No-one has yet come up with a solution for Git, which is fundamentally intractable.
My first question is: is the GDPR applicable? For OS projects the rule will be (roughly): if the data processing is done within the EU, OR if you explicitly offer services to EU citizens, it is. Otherwise: not.
Other questions are: is there a pressing need that counters the GDPR? With Mailman for example, freedom of speech (the right to engage in a discussion, to be precise) easily interferes with the right to be forgotten. Freedom of speech prevails. Git has the pressing need of maintaining code integrity and traceability. The final decision will be up to a judge, but my bets are on the need of maintaining the code. Something similar will be the case with Bugzilla.
Also, when people obviously publish some information about themselves, the bar is much lower than when you, for example, observe (browsing) behaviour.
All these things need to be judged case by case, but in the examples you name, many of the exceptions in the GDPR pop up.
> Many of these platforms (including mine - freedesktop.org) have historically been understaffed on the admin and tooling side.
I took a quick glance at your activities on freedesktop.org and my first impression is that you are not even under the jurisdiction of the GDPR: the legal entity behind freedesktop.org (SPI) is US based AND nowhere on your site do I see signs of explicitly offering services to EU citizens. That EU citizens make use of your services is not relevant; you are not explicitly targeting them. So you appear to be outside the GDPR jurisdiction.
If you (or somebody else) have activities you are in doubt about, please post to this list, so we can have a look at it.
> So yes, if we had all been doing a much better job then there would be no problem. But that's plainly not the case today; if there was no problem, then there would be no need for this list.
There certainly are problems (dealing with some of them in the context of XMPP at the XSF right now), but IMHO a big part of the problem is the panic. So one of the tasks of a list like this (and there are other tasks too) will be to reduce the problem to its real size and avoid panic.
> Sweeping 'there is no burden' statements do not help those of us tasked with the burden of picking up the pieces (many of us doing so in our own spare time). I joined the list in the hope of practical advice and solutions to the very real problems myself and others face; if it's just to be lectured at by people in a far less bad position, then the list is of no value to me.
Would it have value to you if it becomes clear on this list that you are off the hook?
Don't get me wrong: the GDPR does pose problems in a number of cases and I am willing to help people who feel the burden of it. But let's not panic, and let's avoid investing our valuable time in solving issues that are not there.
CU!
Winfried