17 Apr
2024
17 Apr
'24
1:29 a.m.
Hello,
When the courts decide... Sorry, that's an
unhelpful answer, but it is
accurate.
It was more a rhetorical question, but thanks anyways :)
It seems unlikely to be a problem in practice, but
yes, I think if
you had an XMPP server that you offered accounts on to friends, you'd
be very much skirting the GDPR.
True, which is an issue. And being registered under the ICO as a sole
trader isn't preferable either.
My purposes aren't commercial, or professional. Although you could
argue open source development is professional and thus using a home
server to store code is technically removing the exemption.
Remember, the law is intended to be
"reasonable"; lawyers have often
warned me over the years that technical folk tend to fall into the
trap of seeing the law as some kind of computer program, but it's
more like the specification for one, and there's therefore much
"intent" to be assumed.
Ugh... why can't everything be binary? :P
As far as the UK ICO is concerned, they're
useless, so I wouldn't
worry - I can't imagine they're organised enough to fine anyone.
No real point anyways, if the people you are storing data for are
friends, they are VERY unlikely to report you to the ICO.
You have to ask for consent for anything that you
don't have any other
legitimate reason. "legitimate interest", however, covers a lot. (And,
probably, a lot more than it should).
I assume this implies "read the legislation".
Wait, no. So if someone joins a chatroom, then for
that chatroom to
work XEP-0045 needs to be supported, and in order to support a
reasonable service you do indeed need to store at least some messages
for at least some time.
But would this hold up in court?
IRC never had backlog and that worked just fine, couldn't you argue
that XMPP could function without MAM?
This all might well need a privacy policy published,
and might need
an ICO registration if it's not for purely personal reasons.
If you aren't hosting public channels, I don't think it matters.
So if you're running a chatroom for you and your
friends/family to
chat, in the same way that you have a family groupchat on WhatsApp,
then I see no reason to need to register.
However you are also storing their account information, which is the
grey area here.
Yes and no.
The builder doesn't need to ask for consent for names and addresses,
but the building work itself is still optional. A chatrooom is indeed
an optional thing to have on a server - but if it's there, there are
some fundamental requirements in order to provide that service.
So as long as you can justify that the data is reasonable to store
without consent in order for the service to function to the full extent
the user wants, asking for consent is not required?
Ah... If you were using it in that way, then maybe it
would be a
service. But if it's simply ancillary to sending cat GIFs, then not
so much.
More grey area?
The ICO mentions loads, actually, but personal use
isn't one of them -
that's simply out of scope entirely for the GDPR.
The entire idea is to fall outside of the scope of GDPR :P
I guess the easiest thing to do is simply to register... but I am
unsure how that would work if you are exempt... pay anyways is fine?
Most home services are things like a personal blog,
and there's been
lots written about those. An XMPP server is something different, but
unless you're offering that as a service, I'm unconvinced it falls
into scope. (And if you are, I'm pretty sure it does).
Where you would personally think the definition of offering as a
commercial service would draw the line?
If it is used to simply relay messages between friends and family,
surely that is exempt? even if you are storing data on them.
The EU Stupid Cookie Law has been copied to UK law,
and isn't part of
the GDPR.
Sucky law.
Yippee, what a great time to be in the tech industry, one mess up and
you are in a heap of legal trouble.
Yes, but it's not the client's responsibility
since they are neither
the controller nor processor at this point.
But under these circumstances, how would the server ensure you have
agreed to their policy if the client indiscriminately downloads things
automatically?
Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian(a)icebound.dev