The discussion starting in [1] is about privacy in Debian with a focus
on the GDPR of the European Union.
There seems to be a general agreement that privacy in Debian falls
short of the legal minimum requirements at least in the EU.
Even the exact scope of the problem is not clear.
Question to all candidates:
If elected, will you ask our Data Protection team and our GDPR lawyer to jointly do a review of all handling of personal data in Debian regarding
GDPR compliance, and make the results of the review available to all developers?
Would you commit to something more specific, like that our Data
Protection team will reply to debian-project within 3 months discussing
all issues mentioned in the discussion at [1] so far, and with their
reply having been proof-read by our GDPR lawyer?
So, I would appreciate it if the data protection team could look into
all of the issues we know of in Debian, but I'd also like there to be
a process where people can file issues with the data protection
team. I'll admit I had to search a bit to find the data-protection
email address; it doesn't seem to feature prominently anywhere on our website.
But it would be great if it was clear that someone could file
a bug with a tag, or whether they should use the data-protection
alias, so that it's possible to file and keep track of data protection
issues that need to be resolved.
Hi Adrian
...
I'm not sure bringing in the lawyer as a first step is optimal; they are expensive and will probably tell us a lot of things we already know. IMHO it's better to do some initial groundwork, compile a list of issues that we need help on, and then take that to the lawyer for further input.
...
So, I would appreciate it if the data protection team could look into all of the issues we know of in Debian, but I'd also like there to be a process where people can file issues with the data protection team.
...
So, I think it's more important to take care of known issues and low hanging fruit before getting a lawyer involved. I also think it's a good idea to
make it easy to file issues as they are found, and would like to know if the Data Protection team has any ideas or if they would consider implementing anything like the above.
-Jonathan
...
This isn't the role of the data protection team, though, any more than owner@bugs is responsible for fixing all the bugs in all the packages.
I'm quite happy to act as a redirector (as per the first part of the delegation) as well as advising service owners. I have below-zero
interest in auditing all our services and tracking everything relevant
to data privacy throughout Debian.
...
Cheers,
]] Adrian Bunk
Would you commit to something more specific, like that our Data
Protection team will reply to debian-project within 3 months discussing
all issues mentioned in the discussion at [1] so far, and with their
reply having been proof-read by our GDPR lawyer?
I don't think that's something the DPL could commit to, even if they
wanted to. First of all, what you're asking for is not what the data protection team is there for, secondly, neither the DPL nor anyone else
has the ability to commit to anyone in Debian doing anything on any particular timeline.
If that's what you're looking for, you're looking for a company with
staff, not a volunteer project.
Cheers,
[1]https://lists.debian.org/debian-project/2022/03/msg00008.html
]] Adrian Bunk
Who will fulfill the request within the legal limit of one month if
a person sends an email to data-protection@debian.org asking whether
Debian is a (joint) controller of any data about this person, and
if yes requests a copy of all data?
To make this easier for services and users, we recommend that services
use contributes.debian.org and that they then request the data from the individual services and then point people at that.
Cheers,
One option would be to outsource this work to our paid GDPR lawyer.
"Adrian" == Adrian Bunk <bunk@debian.org> writes:
Adrian> Your "services" approach does not work for the non-trivial
Adrian> cases where Debian might be a (joint) controller of personal
Adrian> data.
Adrian> The Debian Community Team promises confidentiality regarding
Adrian> personal information they receive about other people,[1]
Adrian> which conflicts with the legal obligation of informing the
Adrian> person about whom personal information is being processed or
Adrian> stored.
Based on legal advice I received while acting as DPL, the above is not correct.
Most of the information the community team process is not information we would need to disclose in response to a GDPR subject access request.
Debian has already dealt with at least one subject access request that
dealt significantly with information held by DAM in its role as a
delegated team.
Some of that information was responsive; some of that information was
covered by exceptions.
...
If the personal information in the handwritten note did not come
directly from the person, who at Debian is responsible to ensure that
the person gets informed automatically about the existence of the note
when it is written?
...
The data protection team was looped into the process we and our lawyer
used in responding to the request.
The data protection team (and my successor as DPL) received copies of
the legal advice we received.
--Sam
On 2022/04/01 20:28, Adrian Bunk wrote:
Would you commit to something more specific, like that our Data
Protection team will reply to debian-project within 3 months discussing
all issues mentioned in the discussion at [1] so far, and with their
reply having been proof-read by our GDPR lawyer?
[1]https://lists.debian.org/debian-project/2022/03/msg00008.html
That mail asks a bunch of very, very broad questions. My opinion is that
it's better to direct specific problems at the data protection team as noodles suggested.
-Jonathan
Will this handwritten note be available through
contributors.debian.org?
If the personal information in the handwritten note did not come
directly from the person, who at Debian is responsible to ensure that
the person gets informed automatically about the existence of the
note when it is written?
Same questions, with "local file" instead of "handwritten note".
Same questions, with "stored on a Debian machine".
Where does our Privacy Policy[1] describe personal data where Debian and
the community team are joint controllers?
Where does our Privacy Policy describe personal data where Debian and
DAM are joint controllers?
On 2022-04-02 10:55, Adrian Bunk wrote:
Where does our Privacy Policy[1] describe personal data where Debian and the community team are joint controllers?
Where does our Privacy Policy describe personal data where Debian and
DAM are joint controllers?
Has it been established yet that Debian fits the definition of a
controller as per Article 4 lit. 7 GDPR?
I can see DAM, or CT, or the DPL possibly being controllers.
But without some form of officially recognized organization, I don't see how Debian could be one. "Debian" doesn't even have an address, you couldn't
even determine which data protection authority has jurisdiction.
This is just one of the things that, I think, would be a lot simpler if Debian would register as an organization, hence my question [1] to the candidates.
...
This email has two parts:
A short question where I would appreciate a "yes" or "no" answer from
all candidates, and a longer explanation of what I am asking and why.
Question:
If elected, will you commit to have a lawyer specialized in that area
review policies and practices around handling of personal data in Debian
for GDPR compliance, and report the result of the review to all project members by the end of 2024?
Explanation:
One might discuss whether or not Debian should aim at being better than average in the area of privacy, but compliance with the law is the
minimum everyone can expect.
Unlawful actions can have consequences, organizations and
individuals might be subject to fines up to 20 Million Euro
as well as compensation for material and non-material damage,
and in some countries also prosecution under criminal law.
Many parts of Debian's Privacy Policy look questionable.
For example the rights are not stated, and in addition to this being a
formal problem there is also the question whether for example the Debian
Data Protection team does fulfil the right to request only where
required by law or whether all people around the world are treated
the same.
The attempts in the Privacy Policy for blanket eternal storage
of data might not pass a legal review, especially when this might
contain sensitive data like sexual orientation or political opinions.
I also suspect that the Debian Account Manager and Community Teams
might be abusing people by illegally processing data outside of what
is being permitted by the Privacy Policy.
I would be glad to hear from a qualified person that I am wrong and that
all handling of personal data by these teams is lawful.
There is also a personal side for me:
I am feeling quite unsafe in Debian due to not knowing what data people
in positions of power in Debian who dislike me might have about me, and
I want to request all data about me in Debian. This is also a prerequisite for exercising the right of rectification of inaccurate personal data if
any data turns out to be incorrect.
I would wish that Debian itself can ensure that all handling of personal
data is lawful, and that GDPR requests are being fulfilled without
problems - like everywhere else.
Other places with DDs also have laws protecting personal data
(at least California, China, Brazil, South Africa, Singapore).
I am asking specifically about GDPR since that affects me directly, but either during the GDPR review or afterwards it would of course be good
to also obtain legal advice whether there are additional requirements
in other jurisdictions.
Hi Adrian,
On Fri, Apr 05, 2024 at 12:41:17AM +0300, Adrian Bunk wrote:
...
Many parts of Debian's Privacy Policy look questionable.
For example the rights are not stated, and in addition to this being a formal problem there is also the question whether for example the Debian Data Protection team does fulfil the right to request only where
required by law or whether all people around the world are treated
the same.
I need to admit I do not understand this example.
The attempts in the Privacy Policy for blanket eternal storage
of data might not pass a legal review, especially when this might
contain sensitive data like sexual orientation or political opinions.
I'm not aware that those personal data are stored. If this is really
the case you have a point.
...
I would be glad to hear from a qualified person that I am wrong and that all handling of personal data by these teams is lawful.
If I understand you correctly you want to know my opinion whether Debian should pay some lawyer specialized in data privacy to inspect "all
handling of personal data", right?
There is also a personal side for me:
I am feeling quite unsafe in Debian due to not knowing what data people
in positions of power in Debian who dislike me might have about me, and
I want to request all data about me in Debian. This is also a prerequisite for exercising the right of rectification of inaccurate personal data if any data turns out to be incorrect.
While I may be somewhat naive, I'm unaware of any positions within
Debian that hold the power to harm others. IMHO, the most troubling
aspect is your feeling that there are individuals who dislike you. If
you really feel unsafe about this situation IMHO the first step should
be to talk to some individual you trust inside Debian.
...
Kind regards
Andreas.
...
"Adrian" == Adrian Bunk <bunk@debian.org> writes:
Adrian> If I send an email requesting all data Debian has about me to