2 Jul
2025
2 Jul
'25
6:49 a.m.
Hello Mario,
thank you very much for your feedback.
Le dimanche 29 juin 2025, 15:27:51 heure d’été d’Europe centrale Mario
Sabatino a écrit :
Hello Goffi, thank you for the proposal.
While reviewing the protoXEP, I noticed that it currently does not
include any reference to:
- the legal basis for data processing, as required under Article 6 of
the GDPR (this is a key element for any service operating in or serving
users from the EU);
- the categories of personal data processed by the service;
Is there a standardised way to indicate the category of data processed in a
machine-readable format?
- metadata processing information;
- explicit consent of the user to data processing.
I would suggest introducing a field, similar to the one described in
§3.6 for the Terms of Service, to link to the Privacy Policy. If the
service provider does not supply this link, the XMPP client SHOULD
explicitly inform the user with a disclaimer, indicating that the
Privacy Policy has not been disclosed by the service. Conversely, if the
link is present, the client SHOULD make it visible to the user by
displaying the corresponding URI in an easily accessible manner.
Moreover, if the Privacy Policy has been declared by the service
provider, there SHOULD be a field that allows the user to explicitly
give consent to data processing, in compliance with applicable data
protection regulations.
Shouldn't the consent be given during service subscription? There are 2 main
use cases here: XMPP server, and gateways or similar.
I was envisioning this specification as purely informational, I'm not sure if
it's the right place to ask for consent, and I'm not sure how it should be
requested (also regarding UX).
For servers or gateways if in-band registration is used, this can be a field
used at this moment, and client can show a nicely formatted data policy.
For gateways which work without registration, maybe use should be rejected as
long as consent is not given.
I see how this can quickly become cumbersome and really bad UX, but if it's a
legal requirement, we have so handle it somehow.
You've raised an important point, independently of this data policy
specification: how do we handle consent request with any XMPP service?
Kind regards
Mario
Best,
Goffi