[gdpr-discuss] Undeleteable data

[Moritz Bartl]

On 13.04.2018 13:07, Daniel Stone wrote:
> The biggest stumbling block for us is probably Bugzilla and Mailman.
> Deleting messages and profiles from those just isn't practical for us,
> especially at any kind of scale. We could write a script to censor
> those, but once it has been posted to either, then it's all over the
> public internet anyway.

In many countries it has already been the case that if someone requests
personal data to be deleted, you have to make that happen. This does not
mean you have to delete the data from all the _other_ places it already
went out to, so the only thing we're talking about in the Mailman case
is the archives: Posts themselves and potentially quotes, yes, as long
as it is personal identifiable data. My understanding there is that it
would be enough in most cases to remove the sender information, and the
quoted name above quotes, not the quoted statements themselves.

In almost all larger project that I've been involved in, we had such
cases already: People mistakenly posting sensitive information to a
list, or asking for removal later because they didn't understand their
mail would be publicly archived. Few, yes, but still. Which meant
exactly what you mentioned: the manual hacky way of censoring the
archived post.

I don't see how the GDPR changes that. You cannot argue your way out of
it, the obligation exists that you do need to remove such personal
content on request, but: How often will it happen, really? There is no
obligation to fully and cleanly automate it.

-- moritz