[gdpr-discuss] [article] GDPR: Biggest pain points, now and later

Ben Cooksley bcooksley at kde.org
Tue May 22 12:21:39 BST 2018


On Tue, May 22, 2018 at 3:57 AM, Winfried Tilanus <winfried at tilanus.com> wrote:
> On 05/17/2018 10:39 AM, Daniel Stone wrote:
>
> Hi Daniel,

Hi Winfried,

>
> First of all: my excuses for the delay in my answer, it is a quite busy time
> for me right now (ahem).
>
>> However, it's well documented on this list what the issues are.
>
>
> My reaction may have been a bit grumpy: right now I spend quite a lot of my
> time debunking all kinds of more or less silly myths about the GDPR. A post
> on this list with only a link to a blog that is totally irrelevant is the
> last thing we need and a waste of my time. But if there are problems, I love
> to spend some of my time to help OS projects where I can.
>
>> Many
>> of the tools used in open-source development have distributed PII far
>> and wide, and do not have good mechanisms to deal with it.
>
>
> Yes, I recognize that pattern: many OS projects use different tools/services
> to do their work. Each of them has to be considered on its own. But also in
> many cases those tools reside under the responsibility of somebody else.
> GitHub for example is a data controller on its own. As an OS project you don't
> have to deal with the (potential) GDPR issues GitHub may have.
>
>> Scrubbing
>> Bugzilla is difficult. Mailman requires a massive amount of text
>> parsing, as it distributes PII through the headers as well as mail
>> bodies: stripping information from there involves scraping through
>> files in three formats, decoding MIME, and even then basic tools like
>> grep are insufficient, because the PII might be split across line
>> breaks with quote marks in between.
>>
>> No-one has yet come up with a solution for Git, which is fundamentally
>> intractable.
>
>
> My first question is: is the GDPR applicable? For OS projects the rule will
> be (roughly) if the data processing is done within the EU OR if you
> explicitly offer services to EU citizens it is. Otherwise: not.
>
> Other questions are: is there a pressing need that is countering the GDPR.
> With mailman for example freedom of speech (the right to engage in a discussion
> to be precise) easily interferes with the right to be forgotten. Freedom of
> speech prevails. Git has the pressing need of maintaining code integrity and
> traceability. The final decision will be up to a judge, but my bets are on
> the need of maintaining the code. Something similar will be the case with
> Bugzilla.

Is there anywhere where the order of priority for this is written?
(preferably on the EU Commission or a national regulator's website)

From what I've understood thus far, if you get a request for removal
you basically have to remove it (and given the costs of defending your
position and the penalties if the court finds against you, the
standing action is probably going to be to do a removal regardless of
what the GDPR actually says)

>
> Also when people obviously publish themselves some information about
> themselves, the bar is much lower than when you for example observe
> (browsing)behaviour.
>
> All these things need to be judged from case to case, but in the examples
> you name, many of the exceptions in the GDPR pop up.
>
>> Many of these platforms (including mine - freedesktop.org) have
>> historically been understaffed on the admin and tooling side.
>
>
> I took a quick glance at your activities on freedesktop.org and my first
> impression is that you are not even under the jurisdiction of the GDPR: The
> legal entity behind freedesktop.org (SPI) is US based AND nowhere on your
> site I see signs of explicitly offering services to EU citizens. That EU
> citizens make use of your services is not relevant, you are not explicitly
> targeting them. So you appear to be outside the GDPR jurisdiction.
>
> If you (or somebody else) have activities you are in doubt about, please
> post to this list, so we can have a look at it.
>
>> So yes, if we had all been doing a much better job then there would be
>> no problem. But that's plainly not the case today; if there was no
>> problem, then there would be no need for this list.
>
>
> There certainly are problems (dealing with some of them in the context of
> XMPP at the XSF right now), but IMHO a big part of the problem is the panic.
> So one of the tasks of a list like this (and there are other tasks too) will
> be to reduce the problem to its real size and avoid panic.
>
>> Sweeping 'there is no burden' statements do not help those of us
>> tasked with the burden of picking up the pieces (many of us doing so
>> in our own spare time). I joined the list in the hope of practical
>> advice and solutions to the very real problems myself and others face;
>> if it's just to be lectured at by people in a far less bad position,
>> then the list is of no value to me.
>
>
> Would it have value to you if it becomes clear on this list that you are off
> the hook?
>
> Don't get me wrong: the GDPR does pose problems in a number of cases and I
> am willing to help people who feel the burden of it. But let's not panic and
> avoid that we invest our valuable time in solving issues that are not there.

KDE unfortunately is well and truly on the hook (being a European
organisation) so there is no easy out for us.

Website registrations can be dealt with easily enough, and while
inconvenient, mailing list archives can be expunged (which will break
historical links, but if we leave the gap then people can just use the
wayback machine to grab the pages) so I'm not too concerned with
those.

The big problem I truly see is Git and Subversion (usernames, along
with the accounts mapping file in it which has names and email
addresses in it - changing those requires a full repository rewrite as
well - which would probably take a long time with our repository).

>
> CU!
>
> Winfried

Cheers,
Ben Cooksley
KDE Sysadmin

>
> --
> privacy consultant e-health
> +31.6.23303960
> https://www.tilanus.com/
>
> _______________________________________________
> gdpr-discuss mailing list
> gdpr-discuss at earth.li
> https://www.earth.li/mailman/listinfo/gdpr-discuss
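
The Mailman difficulty described in the quoted text above (PII in encoded headers and MIME bodies, and split across quoted line breaks where grep misses it), shown as an added example that is not part of the original message or of Mailman. The sample message, the name and address in it, and the function names are all constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample message: the name is RFC 2047-encoded in the From header
# and, in the quoted-printable body, wrapped across two quoted lines.
RAW = (
    b"From: =?utf-8?q?J=C3=A1ne_Example?= <jane@example.org>\r\n"
    b"To: list@example.net\r\n"
    b"Subject: Re: patch review\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"On Monday, Bob wrote:\r\n"
    b"> > As I said before, the change from J=C3=A1ne\r\n"
    b"> > Example breaks the build.\r\n"
    b"Agreed.\r\n"
)

QUOTE_PREFIX = re.compile(r"^[ \t]*(?:>[ \t]*)+", re.MULTILINE)


def normalise(text):
    """Drop leading '>' quote markers, then collapse all whitespace runs."""
    return " ".join(QUOTE_PREFIX.sub("", text).split())


def naive_grep(raw, term):
    """What a byte-level grep over the archive file sees."""
    return term.encode("utf-8") in raw


def find_pii(raw, terms):
    """Return sorted (location, term) pairs found after MIME decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words in header values.
    fields = [(f"header:{k}", str(v)) for k, v in msg.items()]
    for i, part in enumerate(msg.walk()):
        if part.get_content_maintype() == "text":
            # get_content() undoes the transfer encoding and the charset.
            fields.append((f"body:{i}", part.get_content()))
    hits = set()
    for where, text in fields:
        flat = normalise(text).casefold()
        for term in terms:
            if normalise(term).casefold() in flat:
                hits.add((where, term))
    return sorted(hits)
```
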


