[Members] GDPR & XSF - Minutes

Jonas Wielicki jonas at wielicki.name
Mon Mar 26 16:17:06 UTC 2018


Hi Peter,

Thank you very much for chiming in. Any chance you can attend the meeting 
tomorrow? If not, maybe your expertise would be a valid reason to reschedule. 
Alternatively, we can try to work out arguments for the other points and you 
can provide input on-list or in a later meeting.


On Montag, 26. März 2018 18:09:16 CEST Peter Waher wrote:
> > winfried > I have a feeling that as long as we don't analyse data (content
> > AND metadata) on patterns that indicate categories from art. 9.1, 9.2,
> > GDPR is not applicable.

This quote is a bit unclear. In context, it was meant that Article 9.1 would 
not be applying. The GDPR itself (for personal data) of course still applies, 
but winfried was arguing that 9.1 does not apply if you don’t analyze the 
data.

> Not sure what this relates to, but GDPR is highly relevant to XMPP, since it
> relates to very sensitive personal data. If the servers analyze the data or
> not is not relevant (to the applicability of the GDPR or not). GDPR
> applies, since servers process personal data. Risks are furthermore
> estimated in the absence of safeguards. Proportional data protection
> mechanisms have to be in place based on what could happen, not on what was
> originally intended. Potentially very sensitive information bypass the
> servers. One of the things servers need to worry about, is how to make sure
> that data does not end up in places where it does not belong.

I tried to make a similar argument to that, becaues Art. 9.1 talks about 
"processing" and "processing" includes "storage" (which will be true for 
messages with MAM). So I’m not sure how "analysis" is required for 9.1 to 
apply.

This might mean that we need consent from users across federation boundaries, 
for things like MAM, if I’m not mistaken?


kind regards,
Jonas


More information about the Members mailing list