I'm going to put two general issues with the GDPR here, and refer back to
them:
Firstly, there's a distinction to be made between "exempt" and "out of
scope". You ideally want to be out of scope. If you're in scope but exempt,
then you're still subject to the GDPR in every respect, just formally
exempt.
So, for example, law enforcement is exempt - but they still need to be
subject to the GDPR and register etc. Nothing we do is likely to be exempt.
But, if you or I say "exempt" we should assume we really mean "out of
scope".
Secondly, the GDPR doesn't (as is popularly understood) require consent for
all data; it requires a "legal basis" for all data processing, and one of
those legal bases can be "legitimate interest", which in turn covers things
like "I need this to provide the service", or "I need this to have decent
security", or "I just kind of wanted to do this and I have more lawyers
than you do".
It's only things that are truly optional that you need consent for.
On Wed, 17 Apr 2024 at 00:31, Polarian <polarian(a)polarian.dev> wrote:
> Hello,
>
>> When the courts decide... Sorry, that's an unhelpful answer, but it is accurate.
>
> It was more a rhetorical question, but thanks anyways :)
>
>> It seems unlikely to be a problem in practice, but yes, I think if you had an XMPP server that you offered accounts on to friends, you'd be very much skirting the GDPR.
>
> True, which is an issue. And being registered under the ICO as a sole trader isn't preferable either.
>
> My purposes aren't commercial, or professional. Although you could argue open source development is professional and thus using a home server to store code is technically removing the exemption.

So, as per above, open source is likely not considered "purely professional", so if you provide a service based around open source, it may become subject to the GDPR. You are, however, unlikely to need explicit consent for any of it. I think even quite detailed data collection would be covered by "legitimate interest" as being required to ensure security, and if anyone argues wave xz in front of them.

>> Remember, the law is intended to be "reasonable"; lawyers have often warned me over the years that technical folk tend to fall into the trap of seeing the law as some kind of computer program, but it's more like the specification for one, and there's therefore much "intent" to be assumed.
>
> Ugh... why can't everything be binary? :P

Yeah, except imagine bugs in contracts.

>> As far as the UK ICO is concerned, they're useless, so I wouldn't worry - I can't imagine they're organised enough to fine anyone.
>
> No real point anyways, if the people you are storing data for are friends, they are VERY unlikely to report you to the ICO.

... while they're friends, at least.

>> You have to ask for consent for anything that you don't have any other legitimate reason. "legitimate interest", however, covers a lot. (And, probably, a lot more than it should).
>
> I assume this implies "read the legislation".
>
>> Wait, no. So if someone joins a chatroom, then for that chatroom to work XEP-0045 needs to be supported, and in order to support a reasonable service you do indeed need to store at least some messages for at least some time.
>
> But would this hold up in court?
>
> IRC never had backlog and that worked just fine, couldn't you argue that XMPP could function without MAM?

If you're ever in court over this, I'll testify as an expert witness on why some form of backlog is important.

>> This all might well need a privacy policy published, and might need an ICO registration if it's not for purely personal reasons.
>
> If you aren't hosting public channels, I don't think it matters.

Right, so, I asked an actual DPO about this. (Being explicit, I'll attribute *every* statement the DPO made to the DPO, so you know what's the professional advice, but of course this is not taking all your circumstances into account and therefore don't legally rely on this)

You don't need an actual DPO, by the way. But if the channel is for an open source project, then DPO says a basic privacy policy (somewhere) and an ICO registration would be probably needed. But unless you're doing extended analytics, then DPO says you don't need to worry over consent.

>> So if you're running a chatroom for you and your friends/family to chat, in the same way that you have a family groupchat on WhatsApp, then I see no reason to need to register.
>
> However you are also storing their account information, which is the grey area here.

If you don't have their account information to some degree, you cannot send them the chatroom's messages; this feels very legitimate interest to me.

>> Yes and no.
>>
>> The builder doesn't need to ask for consent for names and addresses, but the building work itself is still optional. A chatroom is indeed an optional thing to have on a server - but if it's there, there are some fundamental requirements in order to provide that service.
>
> So as long as you can justify that the data is reasonable to store without consent in order for the service to function to the full extent the user wants, asking for consent is not required?

Yes, but also to the extent where the service is secure, etc, so slightly beyond what you're saying here.

>> Ah... If you were using it in that way, then maybe it would be a service. But if it's simply ancillary to sending cat GIFs, then not so much.
>
> More grey area?

Not really - it's more around the intent than technical detail.

>> The ICO mentions loads, actually, but personal use isn't one of them - that's simply out of scope entirely for the GDPR.
>
> The entire idea is to fall outside of the scope of GDPR :P
>
> I guess the easiest thing to do is simply to register... but I am unsure how that would work if you are exempt... pay anyways is fine?

Not quite - DPO says that the easiest thing to do is call the UK ICO helpdesk. They'll actually walk you through it all.

>> Most home services are things like a personal blog, and there's been lots written about those. An XMPP server is something different, but unless you're offering that as a service, I'm unconvinced it falls into scope. (And if you are, I'm pretty sure it does).
>
> Where would you personally think the definition of offering as a commercial service would draw the line?

That's not the definition, though, the phrasing used is "purely personal".

> If it is used to simply relay messages between friends and family, surely that is exempt, even if you are storing data on them?

I didn't ask the DPO about this case, but yes, I think as long as you can reasonably claim it to be "purely personal", then you're out of scope.

>> The EU Stupid Cookie Law has been copied to UK law, and isn't part of the GDPR.
>
> Sucky law.
>
> Yippee, what a great time to be in the tech industry, one mess up and you are in a heap of legal trouble.
>
>> Yes, but it's not the client's responsibility since they are neither the controller nor processor at this point.
>
> But under these circumstances, how would the server ensure you have agreed to their policy if the client indiscriminately downloads things automatically?

You don't need to explicitly agree to a privacy policy; one just needs to be available, and you can assume that continued use of the service means the privacy policy is acceptable. You probably do need to tell people it's changed when it does.

The only time you'd need to involve technical measures here is if you had consent requirements for optional features.
Dave.