[gdpr-discuss] Undeleteable data

Daniel Stone daniel at fooishbar.org
Fri Apr 13 14:02:15 BST 2018


Hi Moritz,

On 13 April 2018 at 13:17, Moritz Bartl <moritz at techcultivation.org> wrote:
> On 13.04.2018 13:07, Daniel Stone wrote:
>> The biggest stumbling block for us is probably Bugzilla and Mailman.
>> Deleting messages and profiles from those just isn't practical for us,
>> especially at any kind of scale. We could write a script to censor
>> those, but once it has been posted to either, then it's all over the
>> public internet anyway.
>
> In many countries it has already been the case that if someone requests
> personal data to be deleted, you have to make that happen. This does not
> mean you have to delete the data from all the _other_ places it already
> went out to, so the only thing we're talking about in the Mailman case
> is the archives: Posts themselves and potentially quotes, yes, as long
> as it is personally identifiable data. My understanding there is that it
> would be enough in most cases to remove the sender information, and the
> quoted name above quotes, not the quoted statements themselves.
>
> In almost all larger projects that I've been involved in, we had such
> cases already: People mistakenly posting sensitive information to a
> list, or asking for removal later because they didn't understand their
> mail would be publicly archived. Few, yes, but still. Which meant
> exactly what you mentioned: the manual hacky way of censoring the
> archived post.

True. We have done it a couple of times, but those were quite extreme:
copyright violation (posting proprietary code), and extreme content
that would have been legally actionable for us.

> I don't see how the GDPR changes that. You cannot argue your way out of
> it, the obligation exists that you do need to remove such personal
> content on request, but: How often will it happen, really? There is no
> obligation to fully and cleanly automate it.

OK, it's good to have your opinion that we cannot route around this.
That is a very real change for us though, because of the claimed
universal jurisdiction regardless of the location of the
servers/processors (fd.o is not hosted in the EU, nor is it part of a
European legal entity).

I don't care about being obligated to have the process automated, but
quite the reverse: it's _extremely_ consuming. For Mailman archives,
this means hand-editing mboxes, HTML mails, and all of
author/date/thread indices. Even in advance of the GDPR, we get more
requests for this than we can practically service given our limited
admin time. Given a deluge of requests, we would be forced to either
not comply and face any legal consequences, or just stop offering
these services.

Cheers,
Daniel
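
The redaction discussed in this message (remove the sender information and the quoted name above quotes, leave the quoted statements), sketched for an mbox file as an added example that is not part of the original post or of Mailman. The function names, the `[redacted]` token and the sample archive are assumptions; it handles single-part plain-text messages in an offline copy of the mbox and does not touch the HTML pages or the author/date/thread indices.

```python
import mailbox
import pathlib
import re
import tempfile
from email.utils import parseaddr

REDACTED = "[redacted]"
# Constructed two-message archive; every name and address is made up.
SAMPLE = """\
From alice@example.org Fri Apr 13 12:07:00 2018
From: Alice Example <alice@example.org>

Deleting messages just isn't practical for us.

From bob@example.net Fri Apr 13 12:17:00 2018
From: Bob Sample <bob@example.net>

On 13.04.2018 13:07, Alice Example <alice at example.org> wrote:
> Deleting messages just isn't practical for us.
"""

def redact_sender(mbox_path, address, name):
    """Blank one person's identity in an mbox; return how many messages changed."""
    user, _, domain = address.partition("@")
    addr = "<?" + re.escape(user) + "(?:@| at )" + re.escape(domain) + ">?"  # plain or " at " form
    ident = re.compile(r"(?:%s\s*)?%s|%s" % (re.escape(name), addr, re.escape(name)), re.I)
    box = mailbox.mbox(mbox_path, create=False)
    changed = 0
    for key, msg in box.items():
        dirty = parseaddr(msg.get("From", ""))[1].lower() == address.lower()
        if dirty:  # sender header and the mbox "From " separator line
            msg.replace_header("From", REDACTED)
            msg.set_from(REDACTED + " " + msg.get_from().partition(" ")[2])
        if not msg.is_multipart():  # attribution lines only; quoted text stays
            old = msg.get_payload()
            new = "\n".join(ident.sub(REDACTED, ln) if ln.rstrip().endswith("wrote:")
                            else ln for ln in old.split("\n"))
            msg.set_payload(new)
            dirty = dirty or new != old
        if dirty:
            box[key] = msg
            changed += 1
    box.close()  # close() flushes the rewritten messages to disk
    return changed

def demo():  # returns (messages changed, resulting mbox text) for SAMPLE
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "list.mbox")
        path.write_text(SAMPLE)
        return redact_sender(str(path), "alice@example.org", "Alice Example"), path.read_text()
```
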


