I'm going to put two general issues with the GDPR here, and refer back to them:

Firstly, there's a distinction to be made between "exempt" and "out of scope". You ideally want to be out of scope. If you're in scope but exempt, then you're still subject to the GDPR in every respect, just formally exempt.

So, for example, law enforcement is exempt - but they still need to be subject to the GDPR and register etc. Nothing we do is likely to be exempt. But, if you or I say "exempt" we should assume we really mean "out of scope".

Secondly, the GDPR doesn't (as is popularly understood) require consent for all data; it requires a "legal basis" for all data processing, and one of those legal bases can be "legitimate interest", which in turn covers things like "I need this to provide the service", or "I need this to have decent security", or "I just kind of wanted to do this and I have more lawyers than you do".

It's only things that are truly optional that you need consent for.

On Wed, 17 Apr 2024 at 00:31, Polarian <polarian@polarian.dev> wrote:
Hello,

> When the courts decide... Sorry, that's an unhelpful answer, but it is
> accurate.

It was more a rhetorical question, but thanks anyways :)

> It seems unlikely to be a problem in practice, but yes, I think if
> you had an XMPP server that you offered accounts on to friends, you'd
> be very much skirting the GDPR.

True, which is an issue. And being registered under the ICO as a sole
trader isn't preferable either.

My purposes aren't commercial, or professional. Although you could
argue open source development is professional and thus using a home
server to store code is technically removing the exemption.


So, as per above, open source is likely not considered "purely professional", so if you provide a service based around open source, it may become subject to the GDPR. You are, however, unlikely to need explicit consent for any of it. I think even quite detailed data collection would be covered by "legitimate interest" as being required to ensure security, and if anyone argues wave xz in front of them.
 
> Remember, the law is intended to be "reasonable"; lawyers have often
> warned me over the years that technical folk tend to fall into the
> trap of seeing the law as some kind of computer program, but it's
> more like the specification for one, and there's therefore much
> "intent" to be assumed.

Ugh... why can't everything be binary? :P


Yeah, except imagine bugs in contracts.
 
> As far as the UK ICO is concerned, they're useless, so I wouldn't
> worry - I can't imagine they're organised enough to fine anyone.

No real point anyways, if the people you are storing data for are
friends, they are VERY unlikely to report you to the ICO.


... while they're friends, at least.
 
> You have to ask for consent for anything that you don't have any other
> legitimate reason. "legitimate interest", however, covers a lot. (And,
> probably, a lot more than it should).

I assume this implies "read the legislation".

> Wait, no. So if someone joins a chatroom, then for that chatroom to
> work XEP-0045 needs to be supported, and in order to support a
> reasonable service you do indeed need to store at least some messages
> for at least some time.

But would this hold up in court?

IRC never had backlog and that worked just fine, couldn't you argue
that XMPP could function without MAM?


If you're ever in court over this, I'll testify as an expert witness on why some form of backlog is important.
 
> This all might well need a privacy policy published, and might need
> an ICO registration if it's not for purely personal reasons.

If you aren't hosting public channels, I don't think it matters.


Right, so, I asked an actual DPO about this. (Being explicit, I'll attribute *every* statement the DPO made to the DPO, so you know what's the professional advice, but of course this is not taking all your circumstances into account and therefore don't legally rely on this)

You don't need an actual DPO, by the way. But if the channel is for an open source project, then DPO says a basic privacy policy (somewhere) and an ICO registration would be probably needed. But unless you're doing extended analytics, then DPO says you don't need to worry over consent.
 
> So if you're running a chatroom for you and your friends/family to
> chat, in the same way that you have a family groupchat on WhatsApp,
> then I see no reason to need to register.

However you are also storing their account information, which is the
grey area here.

If you don't have their account information to some degree, you cannot send them the chatroom's messages; this feels very legitimate interest to me.
 

> Yes and no.
>
> The builder doesn't need to ask for consent for names and addresses,
> but the building work itself is still optional. A chatroom is indeed
> an optional thing to have on a server - but if it's there, there are
> some fundamental requirements in order to provide that service.

So as long as you can justify that the data is reasonable to store
without consent in order for the service to function to the full extent
the user wants, asking for consent is not required?

Yes, but also to the extent where the service is secure, etc, so slightly beyond what you're saying here.
 

> Ah... If you were using it in that way, then maybe it would be a
> service. But if it's simply ancillary to sending cat GIFs, then not
> so much.

More grey area?


Not really - it's more around the intent than technical detail.
 
> The ICO mentions loads, actually, but personal use isn't one of them -
> that's simply out of scope entirely for the GDPR.

The entire idea is to fall outside of the scope of GDPR :P

I guess the easiest thing to do is simply to register... but I am
unsure how that would work if you are exempt... pay anyways is fine?


Not quite - DPO says that the easiest thing to do is call the UK ICO helpdesk. They'll actually walk you through it all.
 
> Most home services are things like a personal blog, and there's been
> lots written about those. An XMPP server is something different, but
> unless you're offering that as a service, I'm unconvinced it falls
> into scope. (And if you are, I'm pretty sure it does).

Where would you personally think the definition of offering as a
commercial service would draw the line?


That's not the definition, though, the phrasing used is "purely personal".
 
If it is used to simply relay messages between friends and family,
surely that is exempt, even if you are storing data on them?


I didn't ask the DPO about this case, but yes, I think as long as you can reasonably claim it to be "purely personal", then you're out of scope.
 
> The EU Stupid Cookie Law has been copied to UK law, and isn't part of
> the GDPR.
>
> Sucky law.

Yippee, what a great time to be in the tech industry, one mess up and
you are in a heap of legal trouble.

> Yes, but it's not the client's responsibility since they are neither
> the controller nor processor at this point.

But under these circumstances, how would the server ensure you have
agreed to their policy if the client indiscriminately downloads things
automatically?

You don't need to explicitly agree to a privacy policy; one just needs to be available, and you can assume that continued use of the service means the privacy policy is acceptable. You probably do need to tell people it's changed when it does.

The only time you'd need to involve technical measures here is if you had consent requirements for optional features.

Dave.