[Members] GDPR & XSF 6 - Minutes

Maxime Buquet pep at bouah.net
Wed Apr 18 21:09:37 UTC 2018


# GDPR & XSF 6

At xsf at muc.xmpp.org - 2018/04/17 10:30 UTC
Attendees: winfried, Ge0rG, jonasw, pep.

Date of Next: 2018/04/20 14:00 UTC

https://gdpr-info.eu/

Q1)
 1. What consequences does the GDPR have for the Jabber network?
 2. .. Jabber server operators?
 3. .. what can/should the XSF do with that?
Q2) What consequences does the GDPR have for the XSF running Jabber server?
Q3) What consequences does the GDPR have for the work processes of the XSF
itself (membership, voting, wiki etc)?

## Q1
### Q1.1

Some answers to LQ1:

> Does 9.1 (special category of personal data) automatically apply to all (not
> e2e encrypted) user-sent content, or only if we are analyzing it for
> profiling/other purposes? Does using e2e encryption change this?

Message content is similar to picture uploads. As long as we treat it as an
opaque blob and don't analyse it, art9 doesn't apply (see r51).

Not sure how this plays with mod_firewall processing, spam filtering
etc.


#### d) List legal grounds for processing

Incoming S2S different from outgoing S2S?

> winfried > outgoing: the originating server operator is responsible for the
>   transfer
> Ge0rG > I don't think we can enforce any kind of remote server processing
>   restrictions at the protocol / logical level.
> winfried > no, that is something that needs to be legally enforced
> Ge0rG > it might be sane to assume all data sent over s2s as "third country"

> winfried > incoming: though you may have a different contract with your own
>   users (e.g. we publish everything) you *have* to assume incoming limits to
>   legitimate interest
> Ge0rG > MAM is covered by legitimate interest of the receiver, I'd say
> jonasw > even MAM forever?
> Ge0rG > how is MAM forever different from the receiver putting logs of the
>   chat up into the cloud?
> Ge0rG > MAM is controlled by the user(s client)


Technical TODO:
- Add a note to the MAM XEP about GDPR consent requirements.
- MAM XEP doesn't provide a way to differentiate between "explicitly set" and
  "enabled by default"
- Will MAM auto-purge if you disable? Get a mention of this in the XEP

TODO:
- See whether spam detection can be done without going outside of 6.1

-- 
Maxime “pep” Buquet