• Question to all candidates: GDPR compliance review

    From Adrian Bunk@21:1/5 to All on Thu Mar 31 22:30:01 2022
    The discussion starting in [1] is about privacy in Debian with a focus
    on the GDPR of the European Union.

    There seems to be a general agreement that privacy in Debian falls
    short of the legal minimum requirements at least in the EU.

    Even the exact scope of the problem is not clear.

    Question to all candidates:

    If elected, will you ask our Data Protection team and our GDPR lawyer to jointly do a review of all handling of personal data in Debian regarding
    GDPR compliance, and make the results of the review available to all developers?

    Thanks
    Adrian

    [1] https://lists.debian.org/debian-project/2022/03/msg00008.html

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Felix Lechner@21:1/5 to bunk@debian.org on Fri Apr 1 00:00:01 2022
    Hi Adrian,

    On Thu, Mar 31, 2022 at 1:24 PM Adrian Bunk <bunk@debian.org> wrote:

    > The discussion starting in [1] is about privacy in Debian with a focus
    > on the GDPR of the European Union.
    >
    > There seems to be a general agreement that privacy in Debian falls
    > short of the legal minimum requirements at least in the EU.
    >
    > Even the exact scope of the problem is not clear.
    >
    > Question to all candidates:
    >
    > If elected, will you ask our Data Protection team and our GDPR lawyer to jointly do a review of all handling of personal data in Debian regarding
    > GDPR compliance, and make the results of the review available to all developers?

    Yes.

    The release of any findings may be redacted, or may be a summary.
    Recipients may be required to sign a confidentiality agreement coupled
    with an indemnity in the event of a breach, and a release of claims,
    or both.

    In all cases, I reserve the right to act on the advice of counsel—but
    with an explanation to you.

    I will treat you the same way that I would wish to be treated if our
    roles were reversed. I am committed to transparency when possible.

    Kind regards,
    Felix Lechner

  • From Hideki Yamane@21:1/5 to Adrian Bunk on Fri Apr 1 15:10:01 2022
    Hi,

    On Thu, 31 Mar 2022 23:08:41 +0300
    Adrian Bunk <bunk@debian.org> wrote:
    > If elected, will you ask our Data Protection team and our GDPR lawyer to jointly do a review of all handling of personal data in Debian regarding
    > GDPR compliance,

    Yes.

    > and make the results of the review available to all
    > developers?

    I'm positive about it but not sure, since I don't understand the negative
    side effects of showing it to all. Transparency is important for us,
    but sometimes a "just all open" approach causes some trouble.


    --
    Hideki Yamane <henrich@iijmio-mail.jp>

  • From Jonathan Carter@21:1/5 to Adrian Bunk on Fri Apr 1 19:20:01 2022
    Hi Adrian

    (I'm including the data-protection team, perhaps they can expand on your question or comment on my feedback)

    On 2022/03/31 22:08, Adrian Bunk wrote:
    > The discussion starting in [1] is about privacy in Debian with a focus
    > on the GDPR of the European Union.

    It started with the GDPR, in my country we have POPIA, in California
    there's CCPA, there are now over a dozen similar legislations (and I
    suspect more countries will be implementing them as time goes by).
    Fortunately they seem to mostly overlap, so complying with at least GDPR
    properly should make it a lot easier to comply in the other territories
    in which we operate.

    When I first read through a GDPR guideline, I was quite happy about it
    because for the most part, it forces websites to do things that I
    consider a bare minimum when it comes to the safety of users' data.
    Personally, I think it would be great if we exceed the expectations of
    these legislations around the world.

    > There seems to be a general agreement that privacy in Debian falls
    > short of the legal minimum requirements at least in the EU.
    >
    > Even the exact scope of the problem is not clear.
    >
    > Question to all candidates:
    >
    > If elected, will you ask our Data Protection team and our GDPR lawyer to jointly do a review of all handling of personal data in Debian regarding
    > GDPR compliance, and make the results of the review available to all developers?

    I'm not sure bringing in the lawyer as a first step is optimal, they are expensive and will probably tell us a lot of things we already know.
    IMHO it's better to do some initial groundwork, compile a list of issues
    that we need help on, and then take that to the lawyer for further input.

    I can also think of some examples where we processed user data that you
    didn't mention. As one example, we used to use the DebConf wiki quite a
    bit to organize events, and those all got turned into static pages.
    People who signed up and provided information (potentially contact
    details, where they were at certain dates, etc) couldn't have possibly
    known that the data they entered would've been later archived as
    publicly accessible read-only material later on, well at least not by us.

    So, I would appreciate it if the data protection team could look into
    all of the issues we know of in Debian, but I'd also like there to be a
    process where people can file issues with the data protection team. I'll
    admit I had to search a bit to find the data-protection email address,
    it doesn't seem to prominently feature anywhere on our website. But it
    would be great if it was clear that someone could file a bug with a tag,
    or whether they should use the data-protection alias, so that it's
    possible to file and keep track of data protection issues that need to
    be resolved.

    So, I think it's more important to take care of known issues and low
    hanging fruit before getting a lawyer involved. I also think it's a good
    idea to make it easy to file issues as they are found, and would like to
    know if the Data Protection team has any ideas or if they would consider implementing anything like the above.

    -Jonathan

  • From Tollef Fog Heen@21:1/5 to All on Fri Apr 1 20:50:01 2022
    ]] Adrian Bunk

    > Would you commit to something more specific, like that our Data
    > Protection team will reply to debian-project within 3 months discussing
    > all issues mentioned in the discussion at [1] so far, and with their
    > reply having been proof-read by our GDPR lawyer?

    I don't think that's something the DPL could commit to, even if they
    wanted to. First of all, what you're asking for is not what the data protection team is there for, secondly, neither the DPL nor anyone else
    has the ability to commit to anyone in Debian doing anything on any
    particular timeline.

    If that's what you're looking for, you're looking for a company with
    staff, not a volunteer project.

    Cheers,
    --
    Tollef Fog Heen
    UNIX is user friendly, it's just picky about who its friends are

  • From Tollef Fog Heen@21:1/5 to All on Fri Apr 1 20:30:01 2022
    ]] Jonathan Carter

    > So, I would appreciate it if the data protection team could look into
    > all of the issues we know of in Debian, but I'd also like there to be
    > a process where people can file issues with the data protection
    > team. I'll admit I had to search a bit to find the data-protection
    > email address, it doesn't seem to prominently feature anywhere on our website.

    www.debian.org → Contact → privacy (not sure why the footer is missing
    from the front page) and it's there, so while not _very_ prominently,
    it's not very hidden either.

    > But it would be great if it was clear that someone could file
    > a bug with a tag, or whether they should use the data-protection
    > alias, so that it's possible to file and keep track of data protection
    > issues that need to be resolved.

    This isn't the role of the data protection team, though, any more than owner@bugs is responsible for fixing all the bugs in all the packages.
    I'm quite happy to act as a redirector (as per the first part of the delegation) as well as advising service owners. I have below-zero
    interest in auditing all our services and tracking everything relevant
    to data privacy throughout Debian.

    I can't speak for the other team members, but I have not seen them
    express enthusiasm about this idea either.

    Even if you got a team that would perform that tracking and auditing,
    what good would it be? They wouldn't be able to compel any service
    owners to fix their service.

    Cheers,
    --
    Tollef Fog Heen, for himself
    UNIX is user friendly, it's just picky about who its friends are

  • From Adrian Bunk@21:1/5 to Jonathan Carter on Fri Apr 1 21:00:01 2022
    On Fri, Apr 01, 2022 at 07:02:15PM +0200, Jonathan Carter wrote:
    > Hi Adrian

    Hi Jonathan,

    > ...
    > I'm not sure bringing in the lawyer as a first step is optimal, they are expensive and will probably tell us a lot of things we already know. IMHO it's better to do some initial groundwork, compile a list of issues that we need help on, and then take that to the lawyer for further input.

    usually trying to solve legal issues without consulting a lawyer early
    ends up being more expensive.

    > ...
    > So, I would appreciate it if the data protection team could look into all of the issues we know of in Debian, but I'd also like there to be a process where people can file issues with the data protection team.
    > ...
    > So, I think it's more important to take care of known issues and low hanging fruit before getting a lawyer involved. I also think it's a good idea to
    > make it easy to file issues as they are found, and would like to know if the Data Protection team has any ideas or if they would consider implementing anything like the above.

    It might not have been intended, but to me this comes across like
    stalling, trying to avoid addressing the big problems - we all know from
    our BTS that "filing issues" does not necessarily imply that anything
    will ever happen.

    Would you commit to something more specific, like that our Data
    Protection team will reply to debian-project within 3 months discussing
    all issues mentioned in the discussion at [1] so far, and with their
    reply having been proof-read by our GDPR lawyer?

    > -Jonathan

    cu
    Adrian

    [1] https://lists.debian.org/debian-project/2022/03/msg00008.html

  • From Adrian Bunk@21:1/5 to Tollef Fog Heen on Fri Apr 1 21:30:01 2022
    On Fri, Apr 01, 2022 at 07:40:02PM +0200, Tollef Fog Heen wrote:
    > ...
    > This isn't the role of the data protection team, though, any more than owner@bugs is responsible for fixing all the bugs in all the packages.
    > I'm quite happy to act as a redirector (as per the first part of the delegation) as well as advising service owners. I have below-zero
    > interest in auditing all our services and tracking everything relevant
    > to data privacy throughout Debian.
    > ...

    Who will fulfill the request within the legal limit of one month if
    a person sends an email to data-protection@debian.org asking whether
    Debian is a (joint) controller of any data about this person, and
    if yes requests a copy of all data?

    If there is no reply within one month, the person can request an order
    from the local supervisory authority (e.g. [1] is the online form for
    such requests in my country of residence).

    Cheers,

    cu
    Adrian

    [1] https://tietosuoja.fi/en/find-out-whether-the-data-protection-ombudsman-can-help-you-rights

  • From Tollef Fog Heen@21:1/5 to All on Fri Apr 1 21:20:01 2022
    ]] Adrian Bunk

    > Who will fulfill the request within the legal limit of one month if
    > a person sends an email to data-protection@debian.org asking whether
    > Debian is a (joint) controller of any data about this person, and
    > if yes requests a copy of all data?

    To make this easier for services and users, we recommend that services
    use contributes.debian.org and that they then request the data from the individual services and then point people at that.

    Cheers,
    --
    Tollef Fog Heen
    UNIX is user friendly, it's just picky about who its friends are

  • From Jonathan McDowell@21:1/5 to Adrian Bunk on Fri Apr 1 21:20:01 2022
    On Fri, Apr 01, 2022 at 09:28:53PM +0300, Adrian Bunk wrote:

    > Would you commit to something more specific, like that our Data
    > Protection team will reply to debian-project within 3 months discussing
    > all issues mentioned in the discussion at [1] so far, and with their
    > reply having been proof-read by our GDPR lawyer?

    If you had really cared about engaging with the data protection team and
    really believed the project was exposed to a lawsuit then the prudent
    thing would have been to initially contact the data protection team and
    DPL, rather than producing a long list of questions and stating that you
    didn't believe we are compliant with GDPR obligations and mailing it
    only to -project.

    If you have specific, concrete, concerns then perhaps you can state
    them, but it's hard to assume good faith when I don't see any sign that
    you're trying to actually help here.

    J.

    --
    https://www.earth.li/~noodles/ | Make friends.
    PGP/GPG Key @ the.earth.li via keyserver, web or email.
    RSA: 4096/0x94FA372B2DA8B985

  • From Adrian Bunk@21:1/5 to Tollef Fog Heen on Fri Apr 1 21:40:01 2022
    On Fri, Apr 01, 2022 at 08:46:42PM +0200, Tollef Fog Heen wrote:
    > ]] Adrian Bunk
    >
    >> Would you commit to something more specific, like that our Data
    >> Protection team will reply to debian-project within 3 months discussing
    >> all issues mentioned in the discussion at [1] so far, and with their
    >> reply having been proof-read by our GDPR lawyer?
    >
    > I don't think that's something the DPL could commit to, even if they
    > wanted to. First of all, what you're asking for is not what the data protection team is there for, secondly, neither the DPL nor anyone else
    > has the ability to commit to anyone in Debian doing anything on any particular timeline.
    >
    > If that's what you're looking for, you're looking for a company with
    > staff, not a volunteer project.

    One option would be to outsource this work to our paid GDPR lawyer.

    Cheers,

    cu
    Adrian

  • From Jonathan Carter@21:1/5 to Adrian Bunk on Fri Apr 1 21:50:01 2022
    On 2022/04/01 20:28, Adrian Bunk wrote:
    > Would you commit to something more specific, like that our Data
    > Protection team will reply to debian-project within 3 months discussing
    > all issues mentioned in the discussion at [1] so far, and with their
    > reply having been proof-read by our GDPR lawyer?
    <snip>
    > [1] https://lists.debian.org/debian-project/2022/03/msg00008.html

    That mail asks a bunch of very, very broad questions. My opinion is that
    it's better to direct specific problems at the data protection team as
    noodles suggested.

    -Jonathan

  • From Adrian Bunk@21:1/5 to Tollef Fog Heen on Fri Apr 1 23:20:01 2022
    On Fri, Apr 01, 2022 at 09:18:53PM +0200, Tollef Fog Heen wrote:
    > ]] Adrian Bunk
    >
    >> Who will fulfill the request within the legal limit of one month if
    >> a person sends an email to data-protection@debian.org asking whether
    >> Debian is a (joint) controller of any data about this person, and
    >> if yes requests a copy of all data?
    >
    > To make this easier for services and users, we recommend that services
    > use contributes.debian.org and that they then request the data from the individual services and then point people at that.

    Your "services" approach does not work for the non-trivial cases where
    Debian might be a (joint) controller of personal data.

    The Debian Community Team promises confidentiality regarding personal information they receive about other people,[1] which conflicts with the
    legal obligation of informing the person about whom personal information
    is being processed or stored.

    Debian might be a joint controller if a member of the Debian Community
    Team stores personal information about a person in a handwritten note
    on paper (see [2] as an example of case law about handwritten notes)[3].

    Will this handwritten note be available through contributors.debian.org?

    If the personal information in the handwritten note did not come
    directly from the person, who at Debian is responsible to ensure that
    the person gets informed automatically about the existence of the note
    when it is written?

    Same questions, with "local file" instead of "handwritten note".

    Same questions, with "stored on a Debian machine".

    Discussing such questions with a lawyer early is usually cheaper and
    less hassle than waiting until someone brings them up in a court case.

    Cheers,

    cu
    Adrian

    [1] https://wiki.debian.org/Teams/Community
    [2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62017CJ0025&from=EN
    [3] This court case was under the previous Directive from 1995, but the basic
    definitions are unchanged in the GDPR legislation that replaced it.

  • From Sam Hartman@21:1/5 to All on Sat Apr 2 01:00:01 2022
    "Adrian" == Adrian Bunk <bunk@debian.org> writes:
    Adrian> Your "services" approach does not work for the non-trivial
    Adrian> cases where Debian might be a (joint) controller of personal
    Adrian> data.

    Adrian> The Debian Community Team promises confidentiality regarding
    Adrian> personal information they receive about other people,[1]
    Adrian> which conflicts with the legal obligation of informing the
    Adrian> person about whom personal information is being processed or
    Adrian> stored.

    Based on legal advice I received while acting as DPL, the above is not
    correct.
    Most of the information the community team process is not information we
    would need to disclose in response to a GDPR subject access request.

    Debian has already dealt with at least one subject access request that
    dealt significantly with information held by DAM in its role as a
    delegated team.
    Some of that information was responsive; some of that information was
    covered by exceptions.
    The data protection team was looped into the process we and our lawyer
    used in responding to the request.
    The data protection team (and my successor as DPL) received copies of
    the legal advice we received.


    --Sam

  • From Hideki Yamane@21:1/5 to Adrian Bunk on Sat Apr 2 05:30:01 2022
    On Fri, 1 Apr 2022 22:16:55 +0300
    Adrian Bunk <bunk@debian.org> wrote:
    > One option would be to outsource this work to our paid GDPR lawyer.

    Is there any option to cooperate with other FLOSS organizations?
    They would have the same issue and we may be able to share it and
    costs ;)


    --
    Hideki Yamane <henrich@iijmio-mail.jp>

  • From Adrian Bunk@21:1/5 to Sam Hartman on Sat Apr 2 11:10:01 2022
    On Fri, Apr 01, 2022 at 04:57:38PM -0600, Sam Hartman wrote:
    "Adrian" == Adrian Bunk <bunk@debian.org> writes:
    > Adrian> Your "services" approach does not work for the non-trivial
    > Adrian> cases where Debian might be a (joint) controller of personal
    > Adrian> data.
    >
    > Adrian> The Debian Community Team promises confidentiality regarding
    > Adrian> personal information they receive about other people,[1]
    > Adrian> which conflicts with the legal obligation of informing the
    > Adrian> person about whom personal information is being processed or
    > Adrian> stored.
    >
    > Based on legal advice I received while acting as DPL, the above is not correct.
    > Most of the information the community team process is not information we would need to disclose in response to a GDPR subject access request.

    Where does Debian's Privacy Policy[1] describe this personal data where
    Debian and the community team are joint controllers?

    Where is the data stored?
    Who has access to the data?
    For what purposes might the data be used?
    What retention period is defined for the data?

    > Debian has already dealt with at least one subject access request that
    > dealt significantly with information held by DAM in its role as a
    > delegated team.

    Where does Debian's Privacy Policy[1] describe this personal data where
    Debian and DAM are joint controllers?

    > Some of that information was responsive; some of that information was
    > covered by exceptions.

    This covers only a part where Debian might be compliant with the law.

    > ...
    > If the personal information in the handwritten note did not come
    > directly from the person, who at Debian is responsible to ensure that
    > the person gets informed automatically about the existence of the note
    > when it is written?
    > ...

    Exceptions might cover not having to disclose the contents of the data
    in some cases, but I would still expect that the person has to be
    informed that information exists.

    See [2] for background in what context I started thinking about these issues.

    > ...
    > The data protection team was looped into the process we and our lawyer
    > used in responding to the request.
    > The data protection team (and my successor as DPL) received copies of
    > the legal advice we received.

    Are you saying that all handling of personal data in Debian is following
    the law, or are you just trying to make me stop asking inconvenient
    questions?

    I am feeling stonewalled and stalled regarding any attempts of receiving
    a review of handling of personal data in Debian, with a schedule that
    would be appropriate for potential illegal activity.

    I would like to emphasize and repeat [3,4]:
    IANAL and it is more likely than not that some things I am writing are
    not correct. What I want is to see the results of a proper review by
    an actual lawyer.

    If I fail to achieve visible progress on this topic inside Debian,
    the obvious option for getting a second opinion is to make a formal
    request for all personal data about me in Debian, followed by asking
    my questions to the Finnish Data Protection Ombudsman.

    If everything I am writing is just wrong, then I will be told just that
    by the ombudsman.

    > --Sam

    cu
    Adrian

    [1] https://www.debian.org/legal/privacy
    [2] https://lists.debian.org/debian-project/2022/03/msg00010.html
    [3] https://lists.debian.org/debian-project/2022/03/msg00008.html
    [4] https://lists.debian.org/debian-vote/2022/03/msg00270.html

  • From Adrian Bunk@21:1/5 to Jonathan Carter on Sat Apr 2 11:20:01 2022
    On Fri, Apr 01, 2022 at 09:25:46PM +0200, Jonathan Carter wrote:
    > On 2022/04/01 20:28, Adrian Bunk wrote:
    >> Would you commit to something more specific, like that our Data
    >> Protection team will reply to debian-project within 3 months discussing
    >> all issues mentioned in the discussion at [1] so far, and with their
    >> reply having been proof-read by our GDPR lawyer?
    > <snip>
    >> [1] https://lists.debian.org/debian-project/2022/03/msg00008.html
    >
    > That mail asks a bunch of very, very broad questions. My opinion is that
    > it's better to direct specific problems at the data protection team as noodles suggested.

    Then let's start with some very specific questions based on the email
    I just sent to Sam:

    Where does our Privacy Policy[1] describe personal data where Debian and
    the community team are joint controllers?
    On what legal basis is the data processed?
    Where is the data physically stored?
    Who has access to the data?
    For what purposes might the data be used?
    What retention period is defined for the data?
    How are people being informed when data about them is being stored?

    Where does our Privacy Policy describe personal data where Debian and
    DAM are joint controllers?
    On what legal basis is the data processed?
    Where is the data physically stored?
    Who has access to the data?
    For what purposes might the data be used?
    What retention period is defined for the data?
    How are people being informed when data about them is being stored?

    These are specific questions about items that are supposed to be
    written in our Privacy Policy.

    > -Jonathan

    cu
    Adrian

    [1] https://www.debian.org/legal/privacy

  • From Ansgar@21:1/5 to Adrian Bunk on Sat Apr 2 12:50:01 2022
    Hi Adrian,

    On Fri, 2022-04-01 at 23:48 +0300, Adrian Bunk wrote:
    > Will this handwritten note be available through
    > contributors.debian.org?
    >
    > If the personal information in the handwritten note did not come
    > directly from the person, who at Debian is responsible to ensure that
    > the person gets informed automatically about the existence of the
    > note when it is written?
    >
    > Same questions, with "local file" instead of "handwritten note".
    >
    > Same questions, with "stored on a Debian machine".

    I am fairly confident you store personal data about me. Could you
    please provide some information about it?

    Do you publish a privacy policy?
    What data do you store? (Please don't send a copy to the list; private
    mail is okay.)
    On what legal basis is the data processed?
    Where is the data physically stored?
    Who besides you has access to the data?
    For what purposes might the data be used?
    What retention period is defined for the data?
    Why was I not informed that data about me is being stored?

    Ansgar

  • From Christian Kastner@21:1/5 to Adrian Bunk on Sat Apr 2 12:40:01 2022
    On 2022-04-02 10:55, Adrian Bunk wrote:
    > Where does our Privacy Policy[1] describe personal data where Debian and
    > the community team are joint controllers?
    >
    > Where does our Privacy Policy describe personal data where Debian and
    > DAM are joint controllers?

    Has it been established yet that Debian fits the definition of a
    controller as per Article 4 lit. 7 GDPR?

    I can see DAM, or CT, or the DPL possibly being controllers. But
    without some form of officially recognized organization, I don't see how
    Debian could be one. "Debian" doesn't even have an address, you couldn't
    even determine which data protection authority has jurisdiction.

    This is just one of the things that, I think, would be a lot simpler if
    Debian would register as an organization, hence my question [1] to the candidates.

    [1] https://lists.debian.org/debian-vote/2022/03/msg00135.html

  • From Adrian Bunk@21:1/5 to Christian Kastner on Sat Apr 2 14:20:01 2022
    On Sat, Apr 02, 2022 at 12:21:24PM +0200, Christian Kastner wrote:
    > On 2022-04-02 10:55, Adrian Bunk wrote:
    >> Where does our Privacy Policy[1] describe personal data where Debian and the community team are joint controllers?
    >>
    >> Where does our Privacy Policy describe personal data where Debian and
    >> DAM are joint controllers?
    >
    > Has it been established yet that Debian fits the definition of a
    > controller as per Article 4 lit. 7 GDPR?
    >
    > I can see DAM, or CT, or the DPL possibly being controllers.

    What is the identity of DAM or CT?
    Likely each individual team member is a controller.

    If a person has suffered material or non-material damage as a result of
    a GDPR infringement, each controller or processor can be held liable for compensation of the entire damage (Article 82(4)).

    > But
    > without some form of officially recognized organization, I don't see how Debian could be one. "Debian" doesn't even have an address, you couldn't
    > even determine which data protection authority has jurisdiction.

    What is "The Debian Project" in the Privacy Policy[2]?

    Providing the identity and the contact details of the controller is
    mandatory for processing of personal data (Articles 13(1)(a) and 14(1)(a)), failure to do so is subject to administrative fines of up to 20 Million Euro (Article 83(5)(b)).

    > This is just one of the things that, I think, would be a lot simpler if Debian would register as an organization, hence my question [1] to the candidates.
    > ...

    This is likely required and desirable, as was also discussed in the
    thread starting with [3].

    cu
    Adrian

    [1] Here in Finland the threshold for gift tax is 5000 Euro.
    [2] https://www.debian.org/legal/privacy
    [3] https://lists.debian.org/debian-project/2022/03/msg00008.html

  • From Andreas Tille@21:1/5 to All on Sat Apr 6 09:50:48 2024
    Hi Adrian,

    On Fri, Apr 05, 2024 at 12:41:17AM +0300, Adrian Bunk wrote:
    > this email has two parts:
    > A short question where I would appreciate a "yes" or "no" answer from
    > all candidates, and a longer explanation what and why I am asking.
    >
    >
    > Question:
    >
    > If elected, will you commit to have a lawyer specialized in that area
    > review policies and practices around handling of personal data in Debian
    > for GDPR compliance, and report the result of the review to all project members by the end of 2024?

    No.

    > Explanation:

    Explanation for my "No". You wanted a binary answer and you got it. I
    doubt a binary answer to a complex question that needs a long
    explanation is appropriate.

    > One might discuss whether or not Debian should aim at being better than average in the area of privacy, but compliance with the law is the
    > minimum everyone can expect.
    >
    > Unlawful actions can have consequences, organizations and
    > individuals might be subject to fines up to 20 Million Euro
    > as well as compensation for material and non-material damage,
    > and in some countries also prosecution under criminal law.
    >
    >
    > Many parts of Debian's Privacy Policy look questionable.
    >
    > For example the rights are not stated, and in addition to this being a
    > formal problem there is also the question whether for example the Debian
    > Data Protection team does fulfil the right to request only where
    > required by law or whether all people around the world are treated
    > the same.

    I need to admit I do not understand this example.

    > The attempts in the Privacy Policy for blanket eternal storage
    > of data might not pass a legal review, especially when this might
    > contain sensitive data like sexual orientation or political opinions.

    I'm not aware that those personal data are stored. If this is really
    the case you have a point.

    > I also suspect that the Debian Account Manager and Community Teams
    > might be abusing people by illegally processing data outside of what
    > is being permitted by the Privacy Policy.

    I've reviewed the "State of the Data Protection team" talk from
    DebConf22[1]. I understand that you can address those suspicions
    with this team.

    I would be glad to hear from a qualified person that I am wrong and that
    all handling of personal data by these teams is lawful.

    If I understand you correctly you want to know my opinion whether Debian
    should pay some lawyer specialized in data privacy to inspect "all
    handling of personal data", right?

    There is also a personal side for me:

    I am feeling quite unsafe in Debian due to not knowing what data people
    in positions of power in Debian who dislike me might have about me, and
    I want to request all data about me in Debian. This is also a prerequisite
    for exercising the right of rectification of inaccurate personal data if
    any data turns out to be incorrect.

    While I may be somewhat naive, I'm unaware of any positions within
    Debian that hold the power to harm others. IMHO, the most troubling
    aspect is your feeling that there are individuals who dislike you. If
    you really feel unsafe about this situation IMHO the first step should
    be to talk to some individual you are trusting inside Debian.

    I would wish that Debian itself can ensure that all handling of personal
    data is lawful, and that GDPR requests are being fulfilled without
    problems - like everywhere else.

    I'm not particularly well-versed in GDPR issues, but I would imagine
    that there must be a justified suspicion before seeking legal counsel.

    Other places with DDs also have laws protecting personal data
    (at least California, China, Brazil, South Africa, Singapore).

    I am asking specifically about GDPR since that affects me directly, but either during the GDPR review or afterwards it would of course be good
    to also obtain legal advice whether there are additional requirements
    in other jurisdictions.

    To qualify my previously stated 'no' I'd rather say:

    No, unless you come up with some more specific example (feel free to do
    this in private and, if you like, in our common mother language).
    Alternatively, the urgency of the issue might be highlighted by several
    other developers to bring my attention to the severity of the problem.

    Kind regards
    Andreas.

    [1] https://debconf22.debconf.org/talks/39-state-of-the-data-protection-team/

    --
    https://fam-tille.de

  • From Sruthi Chandran@21:1/5 to All on Sat Apr 6 09:51:40 2024
    On 05/04/24 03:11, Adrian Bunk wrote:
    Hi,

    this email has two parts:
    A short question where I would appreciate a "yes" or "no" answer from
    all candidates, and a longer explanation what and why I am asking.


    Question:

    If elected, will you commit to have a lawyer specialized in that area
    review policies and practices around handling of personal data in Debian
    for GDPR compliance, and report the result of the review to all project
    members by the end of 2024?

    Maybe.

    I do think we might need some review in this regard, but right now I do
    not have all the details about GDPR, so I can't be sure and say yes.

  • From Adrian Bunk@21:1/5 to Andreas Tille on Sat Apr 6 09:52:18 2024
    On Fri, Apr 05, 2024 at 04:38:57PM +0200, Andreas Tille wrote:
    Hi Adrian,

    Hi Andreas,

    Am Fri, Apr 05, 2024 at 12:41:17AM +0300 schrieb Adrian Bunk:
    ...
    Many parts of Debian's Privacy Policy look questionable.

    For example the rights are not stated, and in addition to this being a
    formal problem there is also the question whether for example the Debian
    Data Protection team does fulfil the right to request only where
    required by law or whether all people around the world are treated
    the same.

    I need to admit I do not understand this example.

    the Privacy Policy lacks explicit statements of the rights like
    You have the right to request a copy of all personal data.
    that are legally required.

    An explicit statement would also make it clear whether or not Debian
    might extend such rights to people not covered by the GDPR.

    The attempts in the Privacy Policy for blanket eternal storage
    of data might not pass a legal review, especially when this might
    contain sensitive data like sexual orientation or political opinions.

    I'm not aware that those personal data are stored. If this is really
    the case you have a point.

    During the RMS GR I was often thinking "assume RMS was living in the EU".

    The archives of debian-vote contain plenty of sensitive data like
    political opinions of RMS where it is questionable that they could
    be stored forever if the GDPR applied.

    And who in Debian would have been responsible for informing him that
    sensitive personal data about him is being stored by Debian that was
    provided by third parties?

    ...
    I would be glad to hear from a qualified person that I am wrong and that
    all handling of personal data by these teams is lawful.

    If I understand you correctly you want to know my opinion whether Debian
    should pay some lawyer specialized in data privacy to inspect "all
    handling of personal data", right?

    Yes.

    There is also a personal side for me:

    I am feeling quite unsafe in Debian due to not knowing what data people
    in positions of power in Debian who dislike me might have about me, and
    I want to request all data about me in Debian. This is also a prerequisite
    for exercising the right of rectification of inaccurate personal data if
    any data turns out to be incorrect.

    While I may be somewhat naive, I'm unaware of any positions within
    Debian that hold the power to harm others. IMHO, the most troubling
    aspect is your feeling that there are individuals who dislike you. If
    you really feel unsafe about this situation IMHO the first step should
    be to talk to some individual you are trusting inside Debian.
    ...

    If I send an email requesting all data Debian has about me to
    data-protection@debian.org, will I receive a complete reply within the
    expected time, including all data members of delegations like the
    Debian Account Managers and the Community Team might have?

    Kind regards
    Andreas.
    ...

    cu
    Adrian

  • From Adrian Bunk@21:1/5 to All on Sat Apr 6 09:52:18 2024
    Hi,

    this email has two parts:
    A short question where I would appreciate a "yes" or "no" answer from
    all candidates, and a longer explanation what and why I am asking.


    Question:

    If elected, will you commit to have a lawyer specialized in that area
    review policies and practices around handling of personal data in Debian
    for GDPR compliance, and report the result of the review to all project
    members by the end of 2024?



    Explanation:

    One might discuss whether or not Debian should aim at being better than
    average in the area of privacy, but compliance with the law is the
    minimum everyone can expect.

    Unlawful actions can have consequences, organizations and
    individuals might be subject to fines up to 20 Million Euro
    as well as compensation for material and non-material damage,
    and in some countries also prosecution under criminal law.


    Many parts of Debian's Privacy Policy look questionable.

    For example the rights are not stated, and in addition to this being a
    formal problem there is also the question whether for example the Debian
    Data Protection team does fulfil the right to request only where
    required by law or whether all people around the world are treated
    the same.

    The attempts in the Privacy Policy for blanket eternal storage
    of data might not pass a legal review, especially when this might
    contain sensitive data like sexual orientation or political opinions.


    I also suspect that the Debian Account Manager and Community Teams
    might be abusing people by illegally processing data outside of what
    is being permitted by the Privacy Policy.

    I would be glad to hear from a qualified person that I am wrong and that
    all handling of personal data by these teams is lawful.


    There is also a personal side for me:

    I am feeling quite unsafe in Debian due to not knowing what data people
    in positions of power in Debian who dislike me might have about me, and
    I want to request all data about me in Debian. This is also a prerequisite
    for exercising the right of rectification of inaccurate personal data if
    any data turns out to be incorrect.

    I would wish that Debian itself can ensure that all handling of personal
    data is lawful, and that GDPR requests are being fulfilled without
    problems - like everywhere else.


    Other places with DDs also have laws protecting personal data
    (at least California, China, Brazil, South Africa, Singapore).

    I am asking specifically about GDPR since that affects me directly, but
    either during the GDPR review or afterwards it would of course be good
    to also obtain legal advice whether there are additional requirements
    in other jurisdictions.


    Thanks
    Adrian

  • From Sam Hartman@21:1/5 to All on Sat Apr 6 09:52:38 2024
    "Adrian" == Adrian Bunk <bunk@debian.org> writes:
    Adrian> If I send an email requesting all data Debian has about me to
    Adrian> data-protection@debian.org, will I receive a complete reply within the
    Adrian> expected time, including all data members of delegations like the
    Adrian> Debian Account Managers and the Community Team might have?

    Someone did exactly that while I was DPL. They received a response
    within the GDPR's allowed time giving them all data Debian held regarding
    them that was not covered by an exception to the GDPR. They also
    received a list of exceptions to the GDPR that might apply to data that
    was not turned over. This was all handled in a manner consistent with
    the advice received from a lawyer specializing in GDPR issues that was
    ultimately paid for by SPI.

    As you might imagine, there are GDPR exceptions that apply to some
    classes of data that DAM routinely processes.
    I cannot speak to the community team as the community team did not exist
    at the time of this request.

    --Sam
