Firstly, as far as I'm aware, the EU and UK GDPRs are broadly identical, with the UK's differing only in a handful of bits talking about when processing became subject to the UK version instead of the EU version, and a heck of a lot of search and replace. I am not a lawyer, nor am I a DPO, so the following should not be considered legal advice.

I would strongly argue that you joining a chatroom does not mean you fall under the ICO's remit, even if you store a copy of messages from others you see, and even if you paid for the purpose.

Here's another example: If you buy a magazine related to your profession (say, a computer programming journal), then they may publish a letters page. This is surely an equivalent situation.

Similarly, you don't have to inform the ICO that you occasionally get phone calls or receive a text message on your mobile - even if you *shock* store the phone numbers you received them from on your phone. Forever. The same reasoning has to apply for 1:1 messages you receive.

Now, if you offer others the ability to join your server, you're clearly offering a service and that puts you firmly into the GDPR, whether it's family or not.

Similarly, hosting a chatroom may also put you under the GDPR. You may need a privacy policy, and may need to obtain consent. However, I think this one is something of a grey area, and you might find there are legal arguments for an exemption there.

On Mon, 15 Apr 2024 at 21:45, Polarian <polarian@polarian.dev> wrote:
Hello Operators,

Notes:

- I am aware a lot of this will be IANAL, however I wanted to ask
  anyways to see others views on this.

- As the subject states, this is mainly concerning UK GDPR, however EU
  GDPR is pretty similar and therefore I am sure advice will carry over.

- One of the reasons I wanted to put this on the mailing list is that I feel it
  could be a pretty good reference for others who are planning to run
  XMPP servers within the UK/EU, for personal use or for educational use.
  Information on this doesn't seem to be widespread, and many people
  (including me) can't simply ask a lawyer for their interpretation.

- I self host my own server, and I run my own XMPP server on it for me
  and my friends. My server is closed registration.

The issue:

Under UK GDPR (not sure about the EU one) the only grounds for
exemption is "Residential use" (other than police and national
security, which are also exempt), quoting from the ICO:

"Domestic purposes – personal data processed in the course of a purely
personal or household activity, with no connection to a professional or
commercial activity, is outside the UK GDPR’s scope. This means that if
you only use personal data for such things as writing to friends and
family or taking pictures for your own enjoyment, you are not subject
to the UK GDPR." [1]

(For those who don't know who the ICO is, they are the British data
protection authority, see [2])

At first, at least in my case, this seems pretty easy. The data is
stored domestically, it is used with me and my friends for
communication, there shouldn't be any more to it... right?

But there is. I regularly connect and talk in many MUCs for open source
projects, such as Ignite Realtime (where this was initially discussed
until Guus suggested moving it to operators, thanks Guus :) ).

IP addresses are considered identifiable information; logs will store
said information; this therefore means my server is storing
identifiable information on other servers, in this case, servers which
could be considered for commercial purposes.

It needs to be noted that commercial purposes don't necessarily mean
paid services; charities and non-profits are included within the
definition. Open source projects COULD be considered commercial
purposes because, although contributions are provided free of charge,
it is still a "donation" of sorts in the way of code.

The definition of "professional" does not seem to be clarified anywhere
on the ICO page, nor in their legal definitions [3]. It doesn't seem to
be within the UK GDPR legislation [4] (I will admit I did not read all
of this, I tried searching for keywords and found nothing, if someone
read it all and knows where this exception is clarified, please let me
know). Professional could mean a lot, but I will assume it is to do
with some sort of "work", which therefore would include open source
contributions.

This therefore could break the "no connection to professional or
commercial activity", to be honest the easiest thing to draw from this
is if it involves someone who is not family or friend (or yourself),
you are very likely to not be exempt.

For those who will suggest a zero storage solution, where the XMPP
server doesn't store any data, it still comes under GDPR due to
PROCESSING of data, simply processing it, even if you don't store it,
will have GDPR requirements.

Failure to pay when you are required to results in fines.

This is really cracking open a huge can of worms, it isn't so much of
"ah £45/yr is no big deal", once you are exempt you must follow all the
legal requirements of GDPR, and for a hobby? Is it worth it?

I am 100% sure an XMPP server which does not federate, which is used
to communicate with friends, would be exempt. But I have my doubts
whether a federated server can still use the same exemption clause.

Whether it is IANAL or not, what are your opinions on this?

(Note: This is also a big drawback to why, even though I have resources
to contribute, I can't simply setup a public instance to help out the
XMPP community... doing so has legal requirements)

Oh and this ignores the Communications Act, under which your legal status
must be declared to your ISP (Subscriber, Communications Provider, or
Internet Service Provider), the definitions of which are obscure. My
ISP leaves it up to me to decide which I fall under, and if they get
fined for it, I am expected to pay the fine.

This is a can of worms I have avoided for years now, on the hope that
my hobby is too small for anyone to care about. This is a separate
issue, GDPR is the topic of this thread :)

Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian@icebound.dev

[1] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/exemptions/a-guide-to-the-data-protection-exemptions/
[2] https://en.wikipedia.org/wiki/Information_Commissioner's_Office
[3] https://ico.org.uk/for-organisations/data-protection-fee/legal-definitions-fees/
[4] https://www.legislation.gov.uk/ukpga/2018/12/contents