[squeak-dev] Ideas for web hosting for squeak.org?

Ben Coman btc at openinworld.com
Sun Oct 15 13:06:09 UTC 2017


On Sun, Oct 15, 2017 at 4:48 PM, Bruce O'Neel <bruce.oneel at pckswarms.ch>
wrote:

> Hi,
>
> Thanks to Stephan's pointer to the eugdpr.org website.  I've spent some
> time with this and have some comments below.
>
> First, the GDPR will apply if we let EU residents go to the Squeak
> websites.  Given the popularity of Squeak in the EU that means GDPR
> regardless of where we physically host it.
>
> Second I think we're going to run into a computer geek view of the world
> not agreeing with the EU view of the world.  I.e., you sent an email to a
> public mailing list with your full contact info that is archived forever.
> What words in that last sentence did you not understand?
>



>
> The things I think we have to comply with are:
>
> 1.  Consent.  The users have to know what they are giving us.  Cookie
> notifications on the main webpage and some sort of page that describes what
> we log for access like IP addresses, etc.  We also have to make clear how
> long info is stored.  So if the webserver keeps the last 30 days of IP
> address logs then that has to be clear.  We also have an age problem.  We
> will need parental consent if there are users under 16.  For the wiki,
> mailing lists etc. we need to be clear what additional info is gathered.
> This is probably the easy one.
>
> 2.  Breach notification, Right to Access, and Right to be forgotten are
> going to be harder.
>
> The places where we collect more personal info than just IP address are
> for the Wiki, the Mailing lists, and the bug tracker.  In all three cases
> we would need to have enough info that:
>
> 1.  For breach notification we can actually notify folks.  We would need
> to collect email addresses in all cases for that to work.
>

Increasing the amount of personal data held by collecting additional email
addresses solely to advise of a breach seems counterproductive to the GDPR's
spirit of data minimisation.

I can't imagine that normal traffic to public mail lists could be construed
to pose "high risk to the rights and freedoms of natural persons". So 34.1
[1] might not apply, and a public mail list announcement may suffice
rather than a personalised notice.

[1] https://gdpr-info.eu/art-34-gdpr/



> 2.  For right to access we would have to be able to show ALL the info
> we've kept on a particular user.  All posts to the email lists, all swiki
> entries, etc.
>

This information is already publicly available.  Don't subjects implicitly
already have "access"?



> 3.  And for right to be forgotten we would have to allow users to delete
> ALL the data we've captured.  All swiki entries, all archived email, etc.
> This is probably the hardest.
>

Balancing this is the "right to freedom of expression and information,
including processing for journalistic purposes" [2] and "archiving purposes
in the public interest" [3].

[2] https://gdpr-info.eu/art-85-gdpr/
[3] https://gdpr-info.eu/art-89-gdpr/

cheers -ben (ianal)


> For number 2, the right to access, would all be easiest if the wiki, email
> and bug trackers had a unified account, but, it probably would be ok if one
> had three accounts.  Nonetheless you have to be able to see all your
> entries in all three.
>
> Number 3 is the trickiest especially with the mailing list archive.
> People's postings and signatures get copied into other threads and others'
> emails.   It might be hard to keep the archives in that case.  Getting this
> one right starts sounding like an AI research problem.
>




>
> Someone asked about the DPO (Data Protection Officer).  The way I read
> http://www.eugdpr.org/gdpr-faqs.html is no, we do not need this.
> There are other issues but I think these are the most important.
>
> NB:  I am not an expert, though I do spend some time professionally on
> this, and, will be spending more time in the future.  This advice is worth
> every centime you've paid for it as well.
>
> cheers
>
> bruce
>
>
>
>
> 13 October 2017 20:18 Peter Crowther <peter at ozzard.org> wrote:
>
> I'd also favour EU, but then *somebody* will have to ensure that we comply
> with GDPR for any personal information that we store - and I don't know who
> that would be.  Hence my question.
>
> I wouldn't recommend UK at the moment due to the regulatory turbulence of
> Brexit.
> - Peter
>
> On 13 October 2017 at 15:37, Tobias Pape <Das.Linux at gmx.de> wrote:
>
>>
>> > On 06.10.2017, at 10:35, Peter Crowther <Peter at ozzard.org> wrote:
>> >
>> > What personal information is stored, if any?
>> >
>>
>> What?
>>
>> > What regulatory environment do we wish to be in?
>>
>> Dunno. I'm just trying to keep things running.
>>
>> I'd favour EU, but that's actually none of my business…
>>
>>
>> >
>> > Cheers,
>> >
>> > - Peter
>> >
>> > On 4 October 2017 at 19:29, tim Rowledge <tim at rowledge.org> wrote:
>> > We have been informed that our sponsored servers are virtually certain
>> to go away at the end of the year. Rackspace has been providing space via
>> the Software Conservancy Foundation but are withdrawing and we cannot
>> afford their normal fees.
>> >
>> > So, tell us where we can get space and support to run squeak.org, the
>> swiki, etc.
>> >
>> > tim
>> > --
>> > tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
>> > All computers run at the same speed...with the power off.

