[gdpr-discuss] [article] GDPR: Biggest pain points, now and later

Winfried Tilanus winfried at tilanus.com
Mon May 21 16:57:42 BST 2018


On 05/17/2018 10:39 AM, Daniel Stone wrote:

Hi Daniel,

First of all: my apologies for the delay in my answer; it is quite a busy 
time for me right now (ahem).

> However, it's well documented on this list what the issues are.

My reaction may have been a bit grumpy: right now I spend quite a lot of 
my time debunking all kinds of more or less silly myths about the GDPR. A 
post on this list with only a link to a blog that is totally irrelevant 
is the last thing we need and a waste of my time. But if there are 
problems, I'd love to spend some of my time helping OS projects where I can.

> Many
> of the tools used in open-source development have distributed PII far
> and wide, and do not have good mechanisms to deal with it.

Yes, I recognize that pattern: many OS projects use different 
tools/services to do their work. Each of them has to be considered on 
its own. But in many cases those tools also fall under the 
responsibility of somebody else. GitHub, for example, is a data controller 
in its own right. As an OS project you don't have to deal with the (potential) 
GDPR issues GitHub may have.

> Scrubbing
> Bugzilla is difficult. Mailman requires a massive amount of text
> parsing, as it distributes PII through the headers as well as mail
> bodies: stripping information from there involves scraping through
> files in three formats, decoding MIME, and even then basic tools like
> grep are insufficient, because the PII might be split across line
> breaks with quote marks in between.
> 
> No-one has yet come up with a solution for GIt, which is fundamentally
> intractable.

My first question is: is the GDPR applicable? For OS projects the rule 
will be (roughly): if the data processing is done within the EU OR if you 
explicitly offer services to EU citizens, it is. Otherwise: not.

Another question is: is there a pressing need that counters the 
GDPR? With Mailman, for example, freedom of speech (the right to engage in a 
discussion, to be precise) easily interferes with the right to be 
forgotten. Freedom of speech prevails. Git has the pressing need of 
maintaining code integrity and traceability. The final decision will be 
up to a judge, but my bet is on the need to maintain the code. 
Something similar will be the case with Bugzilla.

Also, when people obviously publish some information about 
themselves, the bar is much lower than when you, for example, observe 
(browsing) behaviour.

All these things need to be judged case by case, but in the 
examples you name, many of the exceptions in the GDPR pop up.

> Many of these platforms (including mine - freedesktop.org) have
> historically been understaffed on the admin and tooling side.

I took a quick glance at your activities on freedesktop.org and my first 
impression is that you are not even under the jurisdiction of the GDPR: 
the legal entity behind freedesktop.org (SPI) is US based AND nowhere on 
your site do I see signs of explicitly offering services to EU citizens. 
That EU citizens make use of your services is not relevant; you are not 
explicitly targeting them. So you appear to be outside the GDPR's 
jurisdiction.

If you (or somebody else) have activities you are in doubt about, please 
post them to this list, so we can have a look at them.

> So yes, if we had all been doing a much better job then there would be
> no problem. But that's plainly not the case today; if there was no
> problem, then there would be no need for this list.

There certainly are problems (dealing with some of them in the context 
of XMPP at the XSF right now), but IMHO a big part of the problem is the 
panic. So one of the tasks of a list like this (and there are other 
tasks too) will be to reduce the problem to its real size and avoid panic.

> Sweeping 'there is no burden' statements do not help those of us
> tasked with the burden of picking up the pieces (many of us doing so
> in our own spare time). I joined the list in the hope of practical
> advice and solutions to the very real problems myself and others face;
> if it's just to be lectured at by people in a far less bad position,
> then the list is of no value to me.

Would it have value to you if it became clear on this list that you are 
off the hook?

Don't get me wrong: the GDPR does pose problems in a number of cases and 
I am willing to help people who feel the burden of it. But let's not 
panic, and let's avoid investing our valuable time in solving issues that 
are not there.

CU!

Winfried

-- 
privacy consultant e-health
+31.6.23303960
https://www.tilanus.com/