# GDPR & XSF - Session 2 At x...@muc.xmpp.org - 2018/03/27 12:15CEST Attendees: winfried, Ge0rG, jonasw, pep.
Date of Next: 2018/04/06 13:15CEST Might be changed to include more interested parties https://gdpr-info.eu/ Questions Q1) 1. What consequences does the GDPR has for the Jabber network? 2. .. Jabber server operators? 3. .. what can/should do the XSF with that? Q2) What consequences does the GDPR has for the XSF running Jabber server? Q3) What consequences does the GDPR has for the work processes of the XSF itself (membership, voting, wiki etc)? Today's discussion was still focused on C2S, user consent in particular. ## Q1 ### Q1.1 #### What ground does the processing have C2S Lawyer Question 1 (LQ1): Does 9.1 automatically apply to all (not e2ee encrypted) user-sent content, or only if we are analyzing it for profiling/other purposes? winfried > Ok: art 6.1 is explicit permission, art 6.2 is implicit permission. Article 9.1 overrides article 6 and sets its grounds in article 9.2. So if the messages are of the categories in 9.1, then we must go for explicit permission from 9.2a, otherwise we can do 6.2 Related: 6.1a, 6.1b, 6.2, 9.1, 9.2a, 13.4, 13 For the C2S case, have the user sign an EULA when creating the account, with detailed information about processing to *require explicit consent*. This might not be sufficient for 9.1 though. See LQ1 and also Peter Waher's email that gives some explanation about art. 9.1: > It could be argued that storing very sensitive personal information, albeit > for a short time, unencrypted, visible to anyone with access to the backend > server (and perhaps more), does not constitute proportional data protection > measure, knowing how sensitive the information can be in some cases. It could > therefore also be argued, that the processing “reveals” this information to > unauthorized persons, by the way it is implemented. It could therefore be > argued, that such processing is contrary to what is required by article 9. Even with consent, "proportional means of protection" is required, so encryption (i.e., full-disk) might be necessary to check that box. (Article 35?) jonasw > pep., maybe add a note about "ubiquitous E2EE would save us from 9.1" - Server logs, covered by r49 S2S LQ2: Can (implicit) consent also apply to transfer to other controllers? Maybe related: 6.1f https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/ TODO: Read chapter 5 about transfer of personal data -- Maxime “pep” Buquet
signature.asc
Description: PGP signature
