Has anyone here looked into the impact of GDPR on volunteer services like the Chaos Computer Club or small teams (not legal organizations) running decentralized communication instances?
Peter
On 12.04.2018 20:31, Peter Saint-Andre wrote:
Has anyone here looked into the impact of GDPR on volunteer services like the Chaos Computer Club or small teams (not legal organizations) running decentralized communication instances?
It doesn't matter if people get paid or not.
From your example, the CCC does not actually run that many services as an organization. It is mostly individuals (loosely) affiliated with the CCC, or local member organizations like hackerspaces.
It is debatable whether the act of pointing a subdomain e.g. from ccc.de to some machine run by "someone else" already implies "control" over this service, but I would argue it doesn't, similar to how DENIC is not responsible for what I do on a .de domain.
-- moritz
On 4/13/18 5:26 AM, Moritz Bartl wrote:
On 12.04.2018 20:31, Peter Saint-Andre wrote:
Has anyone here looked into the impact of GDPR on volunteer services like the Chaos Computer Club or small teams (not legal organizations) running decentralized communication instances?
It doesn't matter if people get paid or not.
Well, that's not very friendly from a civil-society perspective, is it?
In the Jabber community we've had many people running small, volunteer messaging services for years. If those people now have a lot more work to do and are taking on potentially significant personal liability, why continue?
Peter
On Fri, Apr 13, 2018, 10:28 AM Peter Saint-Andre stpeter@mozilla.com wrote:
On 4/13/18 5:26 AM, Moritz Bartl wrote:
On 12.04.2018 20:31, Peter Saint-Andre wrote:
Has anyone here looked into the impact of GDPR on volunteer services like the Chaos Computer Club or small teams (not legal organizations) running decentralized communication instances?
It doesn't matter if people get paid or not.
Well, that's not very friendly from a civil-society perspective, is it?
In the Jabber community we've had many people running small, volunteer messaging services for years. If those people now have a lot more work to do and are taking on potentially significant personal liability, why continue?
I think the EU answer is "if those people can't respect *fundamental* human rights like privacy, then that outweighs the other good those people are doing and they should not continue."
I am not sure this is the right balancing of harms and benefits. But it also isn't obviously *wrong*, and it is going to be very hard to convince regulators and the general public that it is wrong.
So (and forgive me if this discussion has already been had on the list) as software developers who care for freedom and independent services, the best thing we can do for those independent, small services is to build and release software that makes it reasonably possible to provide GDPR-compliant services. (e.g., one-click download of all data tracked by the service; deletion; minimal tracking by default; etc.)
Good example of a community trying to do the right thing: https://wordpress.org/news/2018/04/gdpr-compliance-tools-in-wordpress/
I'd been under the impression Discourse was also doing something along these lines, though I'm not finding any evidence in a quick search.
That's obviously not easy, and of course the closer you get to a micro-services world with diverse logging, the harder it gets. But lots of the basics we tend to get wrong; here's a good post on the subject: https://www.ctrl.blog/entry/gdpr-web-server-logs
[Tangentially, that post addresses a concern from another email to this list, about DOS-by-download.]
FWIW- Luis
(IAAL, but IANYL and I am not an EU privacy law expert)
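As an added illustration of the "minimal tracking by default" point above (this is example code written for this page, not from the thread, the WordPress project or the ctrl.blog post): one of the basics small operators get wrong is keeping raw access logs that tie a client IP, a login name and URL query strings (session tokens, e-mail addresses in referers) to a timestamp. The script below rewrites Apache/nginx "combined" log lines before they are stored, coarsening addresses to a network prefix and dropping the identifying fields. The log format, prefix lengths and sample lines are assumptions chosen for the example; what counts as "adequate" anonymisation for a given service is a legal question this code does not answer.

```python
"""Coarsen personal data in web-server access logs before they are written to disk.

Example code for this discussion, not part of any project mentioned in it.
Assumes the Apache/nginx "combined" log format; the sample lines below are constructed.
"""
import ipaddress
import re
from typing import List, Optional

# combined format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Prefix lengths are an assumption: /24 and /48 keep enough to spot abusive
# networks for rate limiting while no longer naming a single host.
V4_PREFIX = 24
V6_PREFIX = 48


def coarsen_ip(addr: str, v4_prefix: int = V4_PREFIX, v6_prefix: int = V6_PREFIX) -> str:
    """Zero the host bits so the address identifies a network, not a person."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "-"  # not a parseable address: drop it rather than keep an unknown token
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def strip_query(url: str) -> str:
    """Query strings frequently carry tokens, search terms or e-mail addresses."""
    return url.split("?", 1)[0]


def anonymize_line(line: str) -> Optional[str]:
    """Return the rewritten log line, or None if the line does not parse.

    Unparseable lines are returned as None so the caller can quarantine them
    instead of silently storing data that was never scrubbed.
    """
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    f = m.groupdict()
    f["ip"] = coarsen_ip(f["ip"])
    f["ident"] = "-"
    f["user"] = "-"  # an authenticated user name is personal data in its own right
    f["referer"] = strip_query(f["referer"])
    parts = f["request"].split(" ")
    if len(parts) == 3:  # "METHOD /path?query HTTP/x.y"
        parts[1] = strip_query(parts[1])
        f["request"] = " ".join(parts)
    return ('{ip} {ident} {user} [{time}] "{request}" {status} {size} '
            '"{referer}" "{agent}"').format(**f)


def anonymize_log(lines: List[str]) -> List[str]:
    """Scrub every line; drop the ones that do not parse."""
    out = []
    for line in lines:
        scrubbed = anonymize_line(line)
        if scrubbed is not None:
            out.append(scrubbed)
    return out


# Constructed sample input (documentation addresses, invented user and paths).
SAMPLE_LOG = [
    '203.0.113.45 - alice [13/Apr/2018:10:28:01 +0000] '
    '"GET /index.html?session=abc123 HTTP/1.1" 200 1234 '
    '"https://example.net/page?utm_source=mail" "Mozilla/5.0"',
    '2001:db8:1234:5678::1 - - [13/Apr/2018:10:28:02 +0000] '
    '"POST /login HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for scrubbed in anonymize_log(SAMPLE_LOG):
        print(scrubbed)
```

Run it on a pipe from the web server (for example via nginx's `access_log` to a FIFO or a log-rotation hook) so that the raw line never reaches long-term storage; scrubbing after the fact only helps if the originals are then actually deleted.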
On Sat, Apr 14, 2018 at 3:59 PM Luis Villa luis@lu.is wrote:
I'd been under the impression Discourse was also doing something along these lines, though I'm not finding any evidence in a quick search.
https://meta.discourse.org/tags/gdpr is their discussion on the subject, FWIW.
On 23-04-18 18:37, Luis Villa wrote:
Hi,
I'd been under the impression Discourse was also doing something along these lines, though I'm not finding any evidence in a quick search.
https://meta.discourse.org/tags/gdpr is their discussion on the subject, FWIW.
The GDPR is written with the objective to regulate big monolithic companies. So for small initiatives, volunteer organisations and distributed systems it feels like having to wear a coat of the wrong size.
But having done GDPR compliance projects for several small volunteer organisations (some sitting on serious sensitive data), it surprises me how easy it is for them to adapt to the GDPR. And small open source / distributed projects have one big advantage over the big tech companies when implementing GDPR compliance: their business model flourishes with transparency, while the big tech companies fear it.
And for XMPP: though at first sight the impact of the GDPR looked quite dramatic, now that we are in the process of carefully analysing it, things become more and more trivial. See also https://wiki.xmpp.org/web/GDPR . I estimate we will have to write one extension to the protocol, patch 2-3 other extensions and write one EULA template to get all server operators into safe waters. The open character of XMPP makes it relatively easy to comply with the GDPR.
Winfried
On 4/13/18 5:26 AM, Moritz Bartl wrote:
On 12.04.2018 20:31, Peter Saint-Andre wrote:
Has anyone here looked into the impact of GDPR on volunteer services like the Chaos Computer Club or small teams (not legal organizations) running decentralized communication instances?
It doesn't matter if people get paid or not.
From your example, the CCC does not actually run that many services as an organization. It is mostly individuals (loosely) affiliated with the CCC, or local member organizations like hackerspaces.
It is debatable whether the act of pointing a subdomain e.g. from ccc.de to some machine run by "someone else" already implies "control" over this service, but I would argue it doesn't, similar to how DENIC is not responsible for what I do on a .de domain.
Separate topic, separate thread. :-)
I see those as different things. With domain registration, someone at CCC is the registered agent for ccc.de. It seems that such a person would be ultimately responsible for what happens at, say, the jabber.ccc.de service. Yet probably the folks at Automattic don't want to take ultimate responsibility for what gets posted or (via WooCommerce plugins, sold) at foobar.wordpress.com.
Hmm...
Peter
I see those as different things. With domain registration, someone at CCC is the registered agent for ccc.de. It seems that such a person would be ultimately responsible for what happens at, say, the jabber.ccc.de service. Yet probably the folks at Automattic don't want to take ultimate responsibility for what gets posted or (via WooCommerce plugins, sold) at foobar.wordpress.com.
Careful. There is a big legal difference between username.wordpress.com, where Automattic _is_ in fact operating the service behind that subdomain, and merely being in control of the DNS entries, with someone else operating the service behind that entry.
This reminds me of the case of a friend some years ago. He owned (owns?) a domain that is pointing to web servers operated by Wikileaks, and got sued over some illegal content on that site. The court agreed that he was not in control of the content, and that it was _not_ proportionate for him to take down the whole domain (and *all* its content, most of which is legitimate/legal). And here we're even talking about the second-level domain, not a subdomain! We can include link shorteners and (sub)domain forwarding/dyndns services in this line of thinking to make it clear that there is a legal difference.
So, you can own a domain, and not be responsible for the content of a (sub)domain. Remember, all this is evaluated on a case-by-case basis in civil law countries.
-- moritz