(cross-posting because ubuntu-devel is moderated and this may not reach that list)
On 07/03/18 11:46, Jeremy Bicha wrote: > What proposed collected data do you think should be considered > personal data for GPDR purposes? > "What constitutes personal data? "Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address." [1] And more specifically: "(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. ..." "(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them." [2] Hence, if you _ever_ record an IP address, you are recording "personal data" and must be able to demonstrate you are meeting the requirements of the GDPR **even if you pseudonymise that data**. Given the proposal extends to storing a full hardware specification it's very easy to see how that could be used as "additional information" or "other identifiers". Regarding consent: "(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. "This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. "Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided." [2] (Split to highlight central section) Given the discussion is about about large-scale systematic data collection Ubuntu/Canonical should also be aware of: "Does my business need to appoint a Data Protection Officer (DPO)? "DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO." [1] Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and all data collection meets the requirements of the GDPR. This is a bigger issue than most people realise. References [1] https://www.eugdpr.org/gdpr-faqs.html [2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
signature.asc
Description: OpenPGP digital signature
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss