[gdpr-discuss] [article] GDPR: Biggest pain points, now and later

[Ben Cooksley]

On Wed, May 23, 2018 at 10:09 AM, Winfried Tilanus <winfried at tilanus.com> wrote:
> On 22-05-18 13:21, Ben Cooksley wrote:
>>
>> On Tue, May 22, 2018 at 3:57 AM, Winfried Tilanus <winfried at tilanus.com>
>> wrote:
>
>
> Hi Ben,

Hi Winfried,

>
>>> Other questions are: is there a pressing need that is countering the
>>> GDPR.
>>> With mailman for example freedom of speech (to right engage in a
>>> discussion
>>> to be precise) easily interferes with the right to be forgotten. Freedom
>>> of
>>> speech prevails. Git has the pressing need of maintaining code integrity
>>> and
>>> traceability. The final decision will be up to a judge, but my bets are
>>> on
>>> the need of maintaining the code. Something similar will be the case with
>>> Bugzilla.
>>
>>
>> Is there anywhere where the order of priority for this is written?
>> (preferably on the EU Commission or a national regulators website)
>>
>>  From what I've understood thus far, if you get a request for removal
>> you basically have to remove it (and given the costs of defending your
>> position and the penalties if the court finds against you, the
>> standing action is probably going to be to do a removal regardless of
>> what the GDPR actually says)
>
>
> I wish I could answer your question with a short link that ends al
> discussion. Unfortunately these 'pressing needs' are a hairy problem: it is
> one principle against an other (data protection against freedom of speech
> and data protection against the need of code integrity). There is no
> absolute order, it is always a JUDGEment from case to case. So yes,
> unfortunately the ultimate verdict will be costly. The only light I see
> there, is that the national data protection authorities act as a buffer
> between you and the court. Complaints have to go to them and not directly to
> court. And on the freedom of speech: that is one of areas where the national
> governments have some room to set their own rules, not making this easier.

That's what I was expecting unfortunately :(

>
> Having said that, there is some case law about how far freedom of speech
> extends, and that is quite far. One of the most notable is (and thanks to
> Arnoud Engelfriet for pointing me to this one) item 61 of this
> http://curia.europa.eu/juris/document/document.jsf?docid=76075&doclang=EN
> verdict by the European Court of Justice:
>
> "It follows from all of the above that activities such as those involved in
> the main proceedings, relating to data from documents which are in the
> public domain under national legislation, may be classified as ‘journalistic
> activities’ if their object is the disclosure to the public of information,
> opinions or ideas, irrespective of the medium which is used to transmit
> them. They are not limited to media undertakings and may be undertaken for
> profit-making purposes."
>
> Does a mailing list meet this definition? I don't know for sure but "if
> their object is the disclosure to the public of information, opinions or
> ideas" seems to be valid for a mailing list.
>
> The Dutch law accompanying the GDPR puts all of chapter III out of order
> when the activities meet the definition above. I see KDE(.org) is German, so
> you should check the German laws that accompany the GDPR, but I expect there
> to be a similar clause in Germany too.

Unfortunately German law is all in German, so i'll have to find
someone to do that for me (language barriers really help...)

>
>> KDE unfortunately is well and truly on the hook (being a European
>> organisation) so there is no easy out for us.
>>
>> Website registrations can be dealt with easily enough, and while
>> inconvenient, mailing list archives can be expunged (which will break
>> historical links, but if we leave the gap then people can just use the
>> wayback machine to grab the pages) so i'm not too concerned with
>> those.
>
>
> Without expunging, you have to have good story about the need to keep the
> history available. But beside the freedom of speech (see above) in OS
> projects the need to document choices made in the past is quite big. I am
> pretty sure these will prevail in most cases when it is brought to court.
>
> The right to be forgotten was introduced in a case of a Spanish man who was
> bankrupted several years ago but who had paid of his debts and was financial
> healthy for several years. But on Google his past was still hunting him and
> hindering his current business. So Google was ordered to remove references
> to the bankruptcy of this man.
>
> But when an Italian criminal tried to use the same mechanism to hide past
> crimes and convictions, the need of warning the public for this criminal was
> regarded more important then his right to be forgotten. So when you Google
> this mans name, you still see his (long) criminal history.
>
> So I would only honour requests to remove postings from your mailinglist if
> the postings are obviously not relevant for the discussion but harmful for
> the person who posted them, for example postings made in a intoxicated state
> or during a psychological crisis.

Historically most of the requests we have had in the case of our
mailing lists are when people have submitted nonsense bugs.
The response from developers has usually left these people quite
embarrassed, and we've historically complied with these requests (as
there is no value in retaining them)

>
>> The big problem I truly see is Git and Subversion (usernames, along
>> with the accounts mapping file in it which has names and email
>> addresses in it - changing those requires a full repository rewrite as
>> well - which would probably take a long time with our repository).
>
>
> Did you read the other postings this week about git? I am pretty sure they
> can be helpful here. Summary: "Git should not be seen as a changeable medium
> and therefore the rights of 'data subjects' (us) should be met in other
> ways. Fortunately git has some possibilities for that."

Just seen that thread yes.

The position that Git is an unchangable medium (subject to mailmaps
for amendments) is one i'm quite happy to see.

>
> Winfried

Regards,
Ben

>
>
> --
> privacy consultant e-health
> +31.6.23303960
> https://www.tilanus.com/