GDPR concerns

[Mikaela]

From our Matrix room.

• > I said earlier PTIO's "privacy" "policy" uses American terms such as "PII", which are not applicable to Europeans. Also:
• > no identity / contact details of the controller
• > no legal bases
• > no information about international transfers
• > no knowledge about any (?) of the data subject rights to have control of their personal data
• > no data retention periods

[Mikaela]

I need to read the policy in question to comment more in-depth to it. @blacklight447-ptio said to be looking for more experienced legal advice. This is just my first thoughts:

I said earlier PTIO's "privacy" "policy" uses American terms such as "PII", which are not applicable to Europeans.

I think the solution is to talk about personal data instead of personally identifiable information.

• find-link

no identity / contact details of the controller

• https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/what-information-should-i-receive-when-i-provide-my-personal-data_en

no legal bases

I think that in plainer language this is why the data is asked and what it's used for It's more than that. It tells the data subject what rights apply, for most cases. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/#why

no information about international transfers

depends on service, I think this is tied to the previous and should probably explain Matrix and Activitypub federation and are there other federated services that shout data around?

no knowledge about any (?) of the data subject rights to have control of their personal data

depends on service I think this is more about who controls the data and where it's collected to. Your legitimate interest to submit data to some third country is under article 49 derogations. \n Here I referred to articles 16 to 21 (IIRC)., the only one I can say directly is that Discourse admin is required for anonymization and I guess this could also link to upstreams like Discourse.

no data retention periods

I think it might depend on the service and in case of Matrix is forever for now? For Matrix, they are as long as you redact the message. The privacy statement only applies to the homeserver operator, not others who receive the message. (note: in case of Synapse the message is never redacted)

Case Matrix:

• https://github.com/matrix-org/matrix-doc/issues/447
• When we redact events, any mxc content they refer to should be redacted too (SYN-216) matrix-org/synapse#1263
• We need to actually censor redactions from the DB (SYN-284) matrix-org/synapse#1287

I guess the privacy policy should mention those

Official GDPR site: https://ec.europa.eu/info/law/law-topic/data-protection/reform

edited in: emphatised parts are comments from original source

[blacklight447]

I'll try to do some researching for this tomorrow, this is a very important topic. I mean as privacytools.io, we of all people should be gdpr complaint by example.

[Mikaela]

also, when we have the privacy policy on site, I think we should include a direct link from there to GitHub history

[blacklight447]

Yes

[ghost]

We published a guide on GDPR: How to identify incomplete privacy policies?. Maybe, this article helps to get a basic overview.

[blacklight447]

I have made a small todo list to get the work started:

Step one: assign dedicated individual to focus on gdpr(I think it will be me, this will not mean i will be a DPO but just the one who will be leading the work to make us gdpr compliant.)

Step two: start listing all systems that collect personal data.

Step three:determine data collected in each system.

Step four: really determine if we are a data controller or processor (or both) and see what our sub processors are.

This should give us a good baseline of knowledge that is required to move forward: we then know what , where and exactly how we collect data, and figure out what our exact role under gdpr will be. From that point on, we can find out the exact legal basis of all info we collect and move forward.

[blacklight447]

A user in our matrix chat added this to the discussion as well:

Since we have this issue now, probably should add:

the right to complain to a supervisory authority
preventing minors (which could be < 13–16 years old, depending on local laws in an EU member state) from using an unmoderated chat service without guardian supervision (element-hq/riot-meta#190)
listing subprocessors, if applicable. (really, this just goes for whom data may be shared with. hosting providers. the current policy is very vague or even outright lying about this.)
If it's in the US: Does the service provider assure to work within the EU–US Privacy Shield framework, which is already contested as is?

[blacklight447]

https://matrix.to/#/!tYmNuaXMRnHEZWdDqp:privacytools.io/$1569009213105359qHSbl:matrix.org?via=privacytools.io&via=matrix.org&via=librem.one

[jonaharagon]

Here is—what I believe is—a "GDPR compliant" privacy statement that encompasses all of my operations as the administrator of privacytools.io: https://aragon.ventures/privacy/

Technically speaking my services as the administrator of this site and services are being provided via this company, so that statement is the de facto privacytools.io privacy statement, and we can use it as such.

However, Linda @ Matrix would prefer per-service statements, so we might prefer to use this as a template that we can make minor modifications to, to cater to each individual site. Especially because the statement above has a few sections that are not necessarily applicable: For example, I use Cloudflare's services on some websites I host, however I do not use them with any PTIO sites, so that statement would not apply.

[Mikaela]

Linda continues

https://forum.privacytools.io/tos

may be in conflict with with age requirement (13 vs 16)

heck, even https://aragon.ventures/privacy/ doesn't say the minimum age requirement (like COPPA in the US). chat.privacytools.io is set to 16

---

I'm still falling apart by reading PTIO's privacy statements, despite the updates. I don't think issue privacytoolsIO/privacytools.io#1319 should be closed yet. x.x

[Mikaela]

I don't think https://github.com/privacytoolsIO/privacytools.io/issues/1319#issuecomment-539289784 addressed international transfers adequately, except for the Matrix homeserver (which was copied from Matrix.org, and I think the international transfers are mentioned there adequately.)

[Mikaela]

oh, that remark about 13 years old. I didn't see, there's also https://forum.privacytools.io/privacy where it does mention COPPA and 13 years. But despite that update (Oct 8, 2019), the GDPR says 13–16 years old.

• Linda falls apart, no data controller listed while claiming Aragon Ventures LLC is a third party

[Mikaela]

third party in the context of GDPR is someone else but the data controller or data subject

PTIO non-profit association when? uwu

https://github.com/privacytoolsIO/privacytools.io/issues/899#issuecomment-521476281

[Mikaela]

It will be fine when the data controller can be clarified. It could be Jonah as a private person too.
Also, legal bases. Jonah is aware of most of the issues too. I'm concerned he'll run out of steam eventually or has already ran out.

[Mikaela]

Addressing https://forum.privacytools.io/t/the-privacy-tools-forum-and-privacy-policy-is-not-privacy-friendly/2155?u=mikaela I noticed that no one has checked the boxes here at GitHub, could someone handle that?

Personally I need to get to sleep sometime soon.