GDPR

[turt2live]

This is all the issues for GDPR-related things.

• spec 'erase' param on /account/deactivate #297 - erase param on /deactivate
• Mechanisms for communicating erasure requests to bots and federated homeservers matrix-spec-proposals#3804 [WIP] MSC2438: Local and Federated User Erasure Requests matrix-spec-proposals#2438 - communicating erasure over federation
• spec M_CANNOT_LEAVE_SERVER_NOTICE_ROOM error matrix-spec-proposals#1254 - error codes for trying to leave the "server notices" room (feature introduced as part of GDPR, not strictly related)
• spec M_CONSENT_NOT_GIVEN error #287 - consent error
• [WIP] MSC1228: Removing MXIDs from events matrix-spec-proposals#1228 - removing mxids from events
• Auth for content repo (and enforcing GDPR erasure) matrix-spec-proposals#3796 - auth for media repo

[samuk]

I'm evaluating Matrix/Element for use by an NGO in Europe.

Is Matrix currently GDPR compliant when used with Element? Or do the issues above need resolving before it is GDPR compliant?

[pReya]

I'm evaluating Matrix/Element for use by an NGO in Europe.

Is Matrix currently GDPR compliant when used with Element? Or do the issues above need resolving before it is GDPR compliant?

This is very hard to answer currently in my opinion. You'd need a proper review by expert lawyers to give an answer. And even then you will probably get 2 different opinions based on who you ask.

In my (non-professional) opinion the answer is No. There are multiple problematic areas, e.g. deletion of federated content. From my amateur standpoint, it's questionable whether any truly federated messenger can be GDPR-compliant at all.

[Mikaela]

I have blogged about privacy concerns with Matrix previously which might interest you. I don't think I am qualified to judge whether it fills requirements of GDPR as I am not a lawyer.

Additionally bridges and their GDPR compatibility is another question that has been brought to question at least at matrix-org/matrix-appservice-irc#1326 (comment).