[gdpr-discuss] [article] GDPR: Biggest pain points, now and later

Winfried Tilanus winfried at tilanus.com
Tue May 22 23:09:16 BST 2018


On 22-05-18 13:21, Ben Cooksley wrote:
> On Tue, May 22, 2018 at 3:57 AM, Winfried Tilanus <winfried at tilanus.com> wrote:

Hi Ben,

>> Other questions are: is there a pressing need that is countering the GDPR.
>> With mailman for example freedom of speech (the right to engage in a discussion
>> to be precise) easily interferes with the right to be forgotten. Freedom of
>> speech prevails. Git has the pressing need of maintaining code integrity and
>> traceability. The final decision will be up to a judge, but my bets are on
>> the need of maintaining the code. Something similar will be the case with
>> Bugzilla.
> 
> Is there anywhere where the order of priority for this is written?
> (preferably on the EU Commission or a national regulator's website)
> 
>  From what I've understood thus far, if you get a request for removal
> you basically have to remove it (and given the costs of defending your
> position and the penalties if the court finds against you, the
> standing action is probably going to be to do a removal regardless of
> what the GDPR actually says)

I wish I could answer your question with a short link that ends all
discussion. Unfortunately these 'pressing needs' are a hairy problem: it
is one principle against another (data protection against freedom of
speech and data protection against the need of code integrity). There is
no absolute order, it is always a JUDGEment from case to case. So yes,
unfortunately the ultimate verdict will be costly. The only light I see
there, is that the national data protection authorities act as a buffer
between you and the court. Complaints have to go to them and not
directly to court. And on the freedom of speech: that is one of the areas
where the national governments have some room to set their own rules,
not making this easier.

Having said that, there is some case law about how far freedom of speech 
extends, and that is quite far. One of the most notable is (and thanks 
to Arnoud Engelfriet for pointing me to this one) item 61 of this 
http://curia.europa.eu/juris/document/document.jsf?docid=76075&doclang=EN 
verdict by the European Court of Justice:

"It follows from all of the above that activities such as those involved 
in the main proceedings, relating to data from documents which are in 
the public domain under national legislation, may be classified as 
‘journalistic activities’ if their object is the disclosure to the 
public of information, opinions or ideas, irrespective of the medium 
which is used to transmit them. They are not limited to media 
undertakings and may be undertaken for profit-making purposes."

Does a mailing list meet this definition? I don't know for sure but "if 
their object is the disclosure to the public of information, opinions or 
ideas" seems to be valid for a mailing list.

The Dutch law accompanying the GDPR puts all of chapter III out of order 
when the activities meet the definition above. I see KDE(.org) is 
German, so you should check the German laws that accompany the GDPR, but 
I expect there to be a similar clause in Germany too.

> KDE unfortunately is well and truly on the hook (being a European
> organisation) so there is no easy out for us.
> 
> Website registrations can be dealt with easily enough, and while
> inconvenient, mailing list archives can be expunged (which will break
> historical links, but if we leave the gap then people can just use the
> wayback machine to grab the pages) so I'm not too concerned with
> those.

Without expunging, you have to have a good story about the need to keep
the history available. But besides the freedom of speech (see above) in
OS projects the need to document choices made in the past is quite big.
I am pretty sure these will prevail in most cases when it is brought to
court.

The right to be forgotten was introduced in a case of a Spanish man who
was bankrupted several years ago but who had paid off his debts and was
financially healthy for several years. But on Google his past was still
haunting him and hindering his current business. So Google was ordered to
remove references to the bankruptcy of this man.

But when an Italian criminal tried to use the same mechanism to hide
past crimes and convictions, the need of warning the public about this
criminal was regarded more important than his right to be forgotten. So
when you Google this man's name, you still see his (long) criminal history.

So I would only honour requests to remove postings from your mailing list
if the postings are obviously not relevant for the discussion but
harmful for the person who posted them, for example postings made in an
intoxicated state or during a psychological crisis.

> The big problem I truly see is Git and Subversion (usernames, along
> with the accounts mapping file in it which has names and email
> addresses in it - changing those requires a full repository rewrite as
> well - which would probably take a long time with our repository).

Did you read the other postings this week about git? I am pretty sure 
they can be helpful here. Summary: "Git should not be seen as a 
changeable medium and therefore the rights of 'data subjects' (us) 
should be met in other ways. Fortunately git has some possibilities for 
that."

Winfried

-- 
privacy consultant e-health
+31.6.23303960
https://www.tilanus.com/