[Members] GDPR & XSF 11 / 12 - Minutes

Maxime Buquet pep at bouah.net
Tue May 15 10:17:37 UTC 2018

Hi members, operators,

Sorry for the delay, here are the minutes for the meeting 11. 12 was
cancelled as both Ge0rG and myself were excused.

# GDPR & XSF 11 / 12

At xsf at muc.xmpp.org - 2018/05/04 11:00 UTC
Attendees: winfried, Ge0rG, jonasw, pep.

Date of Next: 2018/05/15 (today) 10:30 UTC


 1. What consequences does the GDPR has for the Jabber network?
 2. .. Jabber server operators?
 3. .. what can/should do the XSF with that?
Q2) What consequences does the GDPR has for the XSF running Jabber server?
Q3) What consequences does the GDPR has for the work processes of the XSF
itself (membership, voting, wiki etc)?

## Q1
### Q1.1
#### Q1.1e

We might want to mention private pubsub alongside MAM.

### Q1.2

Is MAM 6.1a (explicit consent) or 6.1b (necessary for the performance of contract)?
- if 6.1a, the server operator has to comply with art. 7 (burden of proof)
- no strong consensus if local MAM falls under 6.1b

Technical TODO: A way to allow for both 6.1b (no ticking box), and 6.1a
(ticking box, blocking of services, etc.) workflows seems required. EULA XEP?

For policy template:
> by using this server to communicate with third parties you agree that data
> will be passed to third parties

Questions regarding data deletion (and probably export):
> jonasw> do we need to add deletion to the protocol for sure? AFAIK it would
>   be sufficient to have a way for operators to conveniently delete data.
> pep.> jonasw, as a first step maybe. On "big" deployments, handling that
>   might be demanding?
> jonasw> problem is, how to find all your data scattered across all different
>   services?
> pep.> do we have to handle that?
> jonasw> dunno
> Ge0rG> interesting point
> Ge0rG> the same for pubsub
> jonasw> my understanding would be that each domain is its own operator and
>   you'd have to ask them for you data

TODO?: List data types and their means of export, in ways that allow
  reuploading to other servers.
Technical TODO: Provide an xmpp "client" as an export tool?
TODO: Look into 227/283 for data export, if going the s2s way

## Q1.3

Should changes required for GDPR compliance be mentioned directly into the
XEPs we want to modify, or should they be mentioned in another XEP proper to
GDPR, as discussed in standards@ thread[0]. Do we want local law requirements
to appear in protocol specifications.

Is the question of deletion

[0]: https://mail.jabber.org/pipermail/standards/2018-April/034827.html

Maxime “pep” Buquet
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/members/attachments/20180515/8bf8f1d3/attachment.sig>

More information about the Members mailing list