• (Lack of) GDPR compliance in Debian

    From Adrian Bunk@21:1/5 to All on Sat Mar 12 00:40:01 2022
    This email is about the EU GDPR (General Data Protection Regulation),
    and any use of "data" below refers to personal data of people covered
    by the GDPR.

    Two years ago the outgoing DPL announced that our Data Protection Team
    has a relationship with a GDPR lawyer.[1]

    Out of curiosity I started looking at various aspects of GDPR
    compliance in Debian, and what I saw in the Privacy Policy[2] made me
    worry that the lawyer has not yet been involved enough in ensuring that
    privacy in Debian reaches at least the minimum level defined by law.

    What kind of consent is required and requested for infinite storing of
    data in archives of public mailing lists?

    What kind of consent is required and requested for infinite storing of
    data in archives of private mailing lists?

    Does this also apply to highly sensitive data revealing for example
    sexual orientation or political opinions?

    What about people who have never submitted any data themselves to
    Debian, and have never in any other way consented that Debian stores
    personal data about them?

    How is the right to withdraw the consent to storing data implemented?

    How are people being informed when data about them gets stored in the
    archives of public mailing lists?

    How are people being informed when data about them gets stored in the
    archives of private mailing lists?

    Who has access to data, and for what purposes might data be used?

    Where is data being stored?

    If data is being stored outside the EU, how is legal compliance ensured?

    The rights are not stated, like the right to lodge complaints with a supervisory authority.

    What natural or legal entity is the identity of Debian?

    Debian is a joint controller of data handled by external subcontractors
    like Outreachy on behalf of Debian.

    Debian is a joint controller of data processed or stored by teams or
    individual team members. Teams or team members of teams like for example
    the Debian Community Team, the Debian Account Managers or the Debian
    System Administration team are storing data on behalf of Debian that is
    currently not listed in the Privacy Policy.

    Is such data currently being included when people request a copy of all
    data about them from Debian?

    What is the data retention period for such data?

    Does Debconf have a privacy policy?
    I didn't find one when searching on the webpage.

    It is not even clear whether Debconf is legally a part of Debian or a
    separate entity.

    In addition to the embarrassment that privacy handling in Debian is not
    even reaching the minimum bar defined by law, Debian risks both penalties
    of up to 20 Million Euro and compensation claims when not complying with
    the GDPR.

    Properly defined policies and processes also make it easier to provide
    the data when people request from Debian a copy of all data about them.

    IANAL and it is more likely than not that not everything I wrote above
    is correct. This is something the Debian Data Protection Team should
    review together with their GDPR lawyer, who will surely point out where
    I might be wrong.

    cu
    Adrian

    [1] https://lists.debian.org/debian-project/2020/06/msg00051.html
    [2] https://www.debian.org/legal/privacy

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastian Blank@21:1/5 to Adrian Bunk on Sat Mar 12 14:50:01 2022
    Hi Adrian

    On Sat, Mar 12, 2022 at 01:27:03AM +0200, Adrian Bunk wrote:
    > Out of curiosity I started looking at various aspects of GDPR
    > compliance in Debian, and what I saw in the Privacy Policy[2] made me
    > worry that the lawyer has not yet been involved enough in ensuring that
    > privacy in Debian reaches at least the minimum level defined by law.

    Nope, nothing happened there since I last looked at it two years ago.

    > What kind of consent is required and requested for infinite storing of
    > data in archives of public mailing lists?

    Well, included PII is the name and e-mail. I think that's written
    somewhere already. So consent, Art 6 (1) lit. a) GDPR, or contract, Art
    6 (1) lit. b) GDPR.

    > What kind of consent is required and requested for infinite storing of
    > data in archives of private mailing lists?

    Same as above.

    > Does this also apply to highly sensitive data revealing for example
    > sexual orientation or political opinions?

    We don't process those data AFAIK. Can you please share where you see
    us doing that?

    > What about people who have never submitted any data themselves to
    > Debian, and have never in any other way consented that Debian stores
    > personal data about them?

    Where do you see this?

    > How is the right to withdraw the consent to storing data implemented?

    Via e-mail somewhere.

    > How are people being informed when data about them gets stored in the
    > archives of public mailing lists?
    > How are people being informed when data about them gets stored in the
    > archives of private mailing lists?

    By the virtue of them sending an e-mail to it. That's the same as the
    question: am I allowed to store e-mails sent to me personally.

    > What natural or legal entity is the identity of Debian?

    I believe this is SPI for most parts. SPI holds many contracts for
    Debian. There is also a ticket open, because I believe SPI needs an EU
    representative as data controller, Art. 27 GDPR.

    > In addition to the embarrassment that privacy handling in Debian is not
    > even reaching the minimum bar defined by law, Debian risks both penalties
    > of up to 20 Million Euro and compensation claims when not complying with
    > the GDPR.

    No, Debian does not, as Debian is not an entity.

    What is also AFAIK missing:

    Contracts with processors, like Fastly (for cdn.debian.org), all the
    mirror providers (ftp.*.debian.org at least).

    Bastian

    --
    "Life and death are seldom logical."
    "But attaining a desired goal always is."
    -- McCoy and Spock, "The Galileo Seven", stardate 2821.7

  • From Jonathan Carter@21:1/5 to Adrian Bunk on Sat Mar 12 16:50:02 2022
    Hi Adrian

    On 2022/03/12 17:23, Adrian Bunk wrote:
    > Is it SPI that is liable for penalties of up to 20 Million Euro and
    > compensation claims, or is it individual team members who are personally
    > liable for penalties of up to 20 Million Euro and compensation claims?
    >
    > If this is unclear, the easiest way for anyone who wants to take legal
    > action is to target a natural person.

    It's not 100% clear to me, but from what I understand having had some
    informal conversations with experts in this field (we should ideally
    get some more information from legal experts on this topic), it
    would fall on individual members, unless a TO has an explicit contract
    with someone.

    It's one of a few important reasons why we need to look at incorporating
    Debian. I wanted to push for that during the last year, but during the
    release and the last 1.5 GRs didn't seem like an ideal time for it. I'll
    also provide some more details and thoughts on this on -vote over the
    next week, but I believe this is something important to pursue for the
    project regardless of who serves as DPL for the next term.

    -Jonathan

  • From Adrian Bunk@21:1/5 to Bastian Blank on Sat Mar 12 16:40:01 2022
    On Sat, Mar 12, 2022 at 02:46:02PM +0100, Bastian Blank wrote:
    > Hi Adrian

    Hi Bastian,

    > On Sat, Mar 12, 2022 at 01:27:03AM +0200, Adrian Bunk wrote:
    > ...
    > > Does this also apply to highly sensitive data revealing for example
    > > sexual orientation or political opinions?
    >
    > We don't process those data AFAIK. Can you please share where you see
    > us doing that?
    >
    > > What about people who have never submitted any data themselves to
    > > Debian, and have never in any other way consented that Debian stores
    > > personal data about them?
    >
    > Where do you see this?
    > ...
    > > How are people being informed when data about them gets stored in the
    > > archives of public mailing lists?
    > > How are people being informed when data about them gets stored in the
    > > archives of private mailing lists?
    >
    > By the virtue of them sending an e-mail to it. That's the same as the
    > question: am I allowed to store e-mails sent to me personally.

    I started thinking about this topic a year ago during the RMS GR,
    thinking about the legal implications if he was living in the EU.

    The way Debian is handling storing personal data including political
    opinions of RMS that were sent by other people would not be compliant
    with the GDPR.

    > > What natural or legal entity is the identity of Debian?
    >
    > I believe this is SPI for most parts. SPI holds many contracts for
    > Debian. There is also a ticket open, because I believe SPI needs an EU
    > representative as data controller, Art. 27 GDPR.
    >
    > > In addition to the embarrassment that privacy handling in Debian is not
    > > even reaching the minimum bar defined by law, Debian risks both penalties
    > > of up to 20 Million Euro and compensation claims when not complying with
    > > the GDPR.
    >
    > No, Debian does not, as Debian is not an entity.

    Is it SPI that is liable for penalties of up to 20 Million Euro and
    compensation claims, or is it individual team members who are personally
    liable for penalties of up to 20 Million Euro and compensation claims?

    If this is unclear, the easiest way for anyone who wants to take legal
    action is to target a natural person.

    > ...
    > Bastian

    cu
    Adrian

  • From Russ Allbery@21:1/5 to Jonathan Carter on Sat Mar 12 18:40:01 2022
    Jonathan Carter <jcc@debian.org> writes:

    > It's not 100% clear to me, but from what I understand having had some
    > informal conversations with experts in this field (we should ideally
    > get some more information from legal experts on this topic), it
    > would fall on individual members, unless a TO has an explicit contract
    > with someone.

    This is also my understanding from other open source governance work I've
    done on other projects. Unless the organization is incorporated, I think
    the liability falls on the individuals. Even if it is incorporated, it's
    fairly standard to carry directors and officers liability insurance
    because they can still be potentially held personally liable.

    (If you do open source work outside of the auspices of an organization
    that carries insurance and you have assets to protect, it's worth
    considering a personal umbrella policy.)

    My understanding of US business law is that most lawyers would tell us
    that what we're doing is ill-advised from a legal standpoint because we
    may accidentally form a general partnership. You essentially never want
    to have a general partnership because the members of the partnership have
    unlimited liability for the actions of the partnership (basically, each
    individual can be liable for anything the other individuals do as part of
    the partnership). I'm not sure how large that risk is to Debian in
    particular since we don't engage in commerce and therefore may not fall
    under commercial business rules, but it's not a situation one wants to
    come close to.

    > It's one of a few important reasons why we need to look at incorporating
    > Debian. I wanted to push for that during the last year, but during the
    > release and the last 1.5 GRs didn't seem like an ideal time for it. I'll
    > also provide some more details and thoughts on this on -vote over the
    > next week, but I believe this is something important to pursue for the
    > project regardless of who serves as DPL for the next term.

    I agree.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

  • From David Bremner@21:1/5 to Russ Allbery on Sat Mar 12 20:10:01 2022
    Russ Allbery <rra@debian.org> writes:

    > (If you do open source work outside of the auspices of an organization
    > that carries insurance and you have assets to protect, it's worth
    > considering a personal umbrella policy.)

    Obviously it's not Russ's fault, but...

    I hate that we live in such a world.

    d
