Re: (Lack of) GDPR compliance in Debian

To: debian-project@lists.debian.org
Subject: Re: (Lack of) GDPR compliance in Debian
From: Russ Allbery <rra@debian.org>
Date: Sat, 12 Mar 2022 08:45:21 -0800
Message-id: <[🔎] 8735jnf7by.fsf@hope.eyrie.org>
In-reply-to: <[🔎] be53b93a-de60-1d1b-2556-2d6ed5d92c6b@debian.org> (Jonathan Carter's message of "Sat, 12 Mar 2022 17:44:39 +0200")
References: <[🔎] 20220311232703.GC4190@localhost> <[🔎] YiykGg6+tpWNme5W@shell.thinkmo.de> <[🔎] 20220312152306.GD4190@localhost> <[🔎] be53b93a-de60-1d1b-2556-2d6ed5d92c6b@debian.org>

Jonathan Carter <jcc@debian.org> writes:

> It's not 100% clear to me, but from what I understand having had some
> informal conversations with experts in this field (we should ideally
> speak get some more information from legal experts on this topic), it
> would fall on individual members, unless a TO has en explicit contract
> with someone.

This is also my understanding from other open source governance work I've
done on other projects.  Unless the organization is incorporated, I think
the liability falls on the individuals.  Even if it is incorporated, it's
fairly standard to carry directors and officers liability insurance
because they can still be potentially held personally liable.

(If you do open source work outside of the auspices of an organization
that carries insurance and you have assets to protect, it's worth
considering a personal umbrella policy.)

My understanding of US business law is that most lawyers would tell us
that what we're doing is ill-advised from a legal standpoint because we
may accidentally form a general partnership.  You essentially never want
to have a general partnership because the members of the partnership have
unlimited liability for the actions of the partnership (basically, each
individual can be liable for anything the other individuals do as part of
the partnership).  I'm not sure how large that risk is to Debian in
particular since we don't engage in commerce and therefore may not fall
under commercial business rules, but it's not a situation one wants to
come close to.

> It's one of a few important reasons why we need to look at incorporating
> Debian, I wanted to push for that during the last year, but during the
> release and the last 1.5 GRs didn't seem like an ideal time for it. I'll
> also provide some more details and thoughts on this on -vote over the
> next week, but I believe this is something important to pursue for the
> project regardless of who serves as DPL for the next term.

I agree.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: (Lack of) GDPR compliance in Debian
  - From: David Bremner <david@tethera.net>

References:
- (Lack of) GDPR compliance in Debian
  - From: Adrian Bunk <bunk@debian.org>
- Re: (Lack of) GDPR compliance in Debian
  - From: Bastian Blank <waldi@debian.org>
- Re: (Lack of) GDPR compliance in Debian
  - From: Adrian Bunk <bunk@debian.org>
- Re: (Lack of) GDPR compliance in Debian
  - From: Jonathan Carter <jcc@debian.org>

Prev by Date: Re: (Lack of) GDPR compliance in Debian
Next by Date: Re: (Lack of) GDPR compliance in Debian
Previous by thread: Re: (Lack of) GDPR compliance in Debian
Next by thread: Re: (Lack of) GDPR compliance in Debian
Index(es):
- Date
- Thread