[gdpr-discuss] [article] GDPR: Biggest pain points, now and later
Winfried Tilanus
winfried at tilanus.com
Mon May 21 16:57:42 BST 2018
On 05/17/2018 10:39 AM, Daniel Stone wrote:
Hi Daniel,
First of all: my excuses for the delay in my answer, it is a quite busy
time for me right now (ahem).
> However, it's well documented on this list what the issues are.
My reaction may have been a bit grumpy: right now I spend quite a lot of
my time debunking all kinds of more or less silly myths about the GDPR. A
post on this list with only a link to a blog that is totally irrelevant
is the last thing we need and a waste of my time. But if there are
problems, I'd love to spend some of my time to help OS projects where I can.
> Many
> of the tools used in open-source development have distributed PII far
> and wide, and do not have good mechanisms to deal with it.
Yes, I recognize that pattern: many OS projects use different
tools/services to do their work. Each of them has to be considered on
its own. But also in many cases those tools reside under the
responsibility of somebody else. GitHub for example is a data controller
on its own. As an OS project you don't have to deal with the (potential)
GDPR issues GitHub may have.
> Scrubbing
> Bugzilla is difficult. Mailman requires a massive amount of text
> parsing, as it distributes PII through the headers as well as mail
> bodies: stripping information from there involves scraping through
> files in three formats, decoding MIME, and even then basic tools like
> grep are insufficient, because the PII might be split across line
> breaks with quote marks in between.
>
> No-one has yet come up with a solution for Git, which is fundamentally
> intractable.
My first question is: is the GDPR applicable? For OS projects the rule
will be (roughly) if the data processing is done within the EU OR if you
explicitly offer services to EU citizens it is. Otherwise: not.
Other questions are: is there a pressing need that counters the
GDPR? With Mailman for example freedom of speech (the right to engage in a
discussion, to be precise) easily interferes with the right to be
forgotten. Freedom of speech prevails. Git has the pressing need of
maintaining code integrity and traceability. The final decision will be
up to a judge, but my bets are on the need of maintaining the code.
Something similar will be the case with Bugzilla.
Also when people obviously publish some information about themselves,
the bar is much lower than when you for example observe
(browsing) behaviour.
All these things need to be judged from case to case, but in the
examples you name, many of the exceptions in the GDPR pop up.
> Many of these platforms (including mine - freedesktop.org) have
> historically been understaffed on the admin and tooling side.
I took a quick glance at your activities on freedesktop.org and my first
impression is that you are not even under the jurisdiction of the GDPR:
The legal entity behind freedesktop.org (SPI) is US based AND nowhere on
your site do I see signs of explicitly offering services to EU citizens.
That EU citizens make use of your services is not relevant, you are not
explicitly targeting them. So you appear to be outside the GDPR
jurisdiction.
If you (or somebody else) have activities you are in doubt about, please
post to this list, so we can have a look at it.
> So yes, if we had all been doing a much better job then there would be
> no problem. But that's plainly not the case today; if there was no
> problem, then there would be no need for this list.
There certainly are problems (dealing with some of them in the context
of XMPP at the XSF right now), but IMHO a big part of the problem is the
panic. So one of the tasks of a list like this (and there are other
tasks too) will be to reduce the problem to its real size and avoid panic.
> Sweeping 'there is no burden' statements do not help those of us
> tasked with the burden of picking up the pieces (many of us doing so
> in our own spare time). I joined the list in the hope of practical
> advice and solutions to the very real problems myself and others face;
> if it's just to be lectured at by people in a far less bad position,
> then the list is of no value to me.
Would it have value to you if it becomes clear on this list that you are
off the hook?
Don't get me wrong: the GDPR does pose problems in a number of cases and
I am willing to help people who feel the burden of it. But let's not
panic, and let's avoid investing our valuable time in solving issues that
are not there.
CU!
Winfried
--
privacy consultant e-health
+31.6.23303960
https://www.tilanus.com/