[Operators] GDPR & XSF 2 - Minutes

Maxime Buquet pep at bouah.net
Tue Mar 27 14:45:52 UTC 2018


# GDPR & XSF - Session 2

At xsf@muc.xmpp.org - 2018/03/27 12:15CEST
Attendees: winfried, Ge0rG, jonasw, pep.

Date of Next: 2018/04/06 13:15CEST
Might be changed to include more interested parties

https://gdpr-info.eu/

Questions

Q1)
 1. What consequences does the GDPR have for the Jabber network?
 2. .. for Jabber server operators?
 3. .. and what can/should the XSF do about that?

Q2) What consequences does the GDPR have for the Jabber server run by the XSF?

Q3) What consequences does the GDPR have for the work processes of the XSF
itself (membership, voting, wiki, etc.)?


Today's discussion was still focused on C2S, user consent in particular.


## Q1
### Q1.1

#### What ground does the processing have

C2S

Lawyer Question 1 (LQ1): Does art. 9.1 automatically apply to all user-sent
content that is not end-to-end encrypted, or only if we are analysing it for
profiling or other purposes?

winfried > Ok: art 6.1 is explicit permission, art 6.2 is implicit permission.
Article 9.1 overrides article 6 and sets its grounds in article 9.2. So if the
messages are of the categories in 9.1, then we must go for explicit
permission from 9.2a, otherwise we can do 6.2

Related: 6.1a, 6.1b, 6.2, 9.1, 9.2a, 13.4, 13

For the C2S case, have the user sign an EULA when creating the account, with
detailed information about processing to *require explicit consent*.

This might not be sufficient for the art. 9.1 categories, though.
See LQ1, and also Peter Waher's email, which gives some explanation of art.
9.1:

> It could be argued that storing very sensitive personal information, albeit
> for a short time, unencrypted, visible to anyone with access to the backend
> server (and perhaps more), does not constitute proportional data protection
> measure, knowing how sensitive the information can be in some cases. It could
> therefore also be argued, that the processing “reveals” this information to
> unauthorized persons, by the way it is implemented. It could therefore be
> argued, that such processing is contrary to what is required by article 9.


Even with consent, "proportional means of protection" are required, so
encryption (e.g., full-disk encryption of the server storage) might be
necessary to check that box. (Article 35?)

jonasw > pep., maybe add a note about "ubiquitous E2EE would save us from 9.1"


- Server logs, covered by r49

S2S

LQ2: Can (implicit) consent also apply to transfer to other controllers?

Maybe related: 6.1f
https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/

TODO: Read chapter 5 about transfer of personal data


-- 
Maxime “pep” Buquet