[Standards] Proposed XMPP Extension: Best practices for GDPR compliant deployment of XMPP

Winfried Tilanus winfried at tilanus.com
Fri May 25 07:13:59 UTC 2018

On 22-05-18 21:51, Peter Saint-Andre wrote:


> Thanks to Winfried for putting this together; it will be a helpful
> document once it's all filled in.

> I do wonder how careful the XSF needs to be about making recommendations
> that could be construed as legal advice (despite including all of the
> appropriate provisos).

I understand the reluctance of the XSF to give legal advice. Besides that 
it may or may not be the task of the XSF, there is a real liability risk 
involved in giving it. I personally don't mind putting my own head in 
the line of fire there, but I can imagine the XSF wants to stay away 
from that. (Awaiting a formal council/board decision here).

The problem is I can't talk about the GDPR (even as an example) without 
entering the realm of legal advice. So besides giving legal advice (with 
disclaimers, waivers etc.) I see only one other option: create an 
informal XEP with a general strategy for privacy governance. Topics 
would be like: 'determine your jurisdiction', 'determine 
responsibilities', 'make an overview of your data processing', 'check 
storage retention defaults (pay attention to XEP-XXXX and XEP-YYYY)' etc.
Besides that informative XEP, I (or a group of people willing to do so) 
publish an own document discussing XMPP & the GDPR in detail.


privacy consultant e-health