
Re: Question to all candidates: GDPR compliance review

Hi Adrian

(I'm including the data-protection team, perhaps they can expand on your question or comment on my feedback)

On 2022/03/31 22:08, Adrian Bunk wrote:
The discussion starting in [1] is about privacy in Debian with a focus
on the GDPR of the European Union.

It started with the GDPR; in my country we have POPIA, in California there's CCPA, and there are now over a dozen similar legislations (and I suspect more countries will be implementing them as time goes by). Fortunately they seem to mostly overlap, so complying properly with at least the GDPR should make it a lot easier to comply in the other territories in which we operate.

When I first read through a GDPR guideline, I was quite happy about it because for the most part, it forces websites to do things that I consider a bare minimum when it comes to the safety of users' data. Personally, I think it would be great if we exceed the expectations of these legislations around the world.

There seems to be a general agreement that privacy in Debian falls
short of the legal minimum requirements at least in the EU.

Even the exact scope of the problem is not clear.

Question to all candidates:

If elected, will you ask our Data Protection team and our GDPR lawyer to
jointly do a review of all handling of personal data in Debian regarding
GDPR compliance, and make the results of the review available to all

I'm not sure bringing in the lawyer as a first step is optimal; they are expensive and will probably tell us a lot of things we already know. IMHO it's better to do some initial groundwork, compile a list of issues that we need help on, and then take that to the lawyer for further input.

I can also think of some examples where we processed user data that you didn't mention. As one example, we used to use the DebConf wiki quite a bit to organize events, and those all got turned into static pages. People who signed up and provided information (potentially contact details, where they were at certain dates, etc.) couldn't have possibly known that the data they entered would later be archived as publicly accessible read-only material, well, at least not by us.

So, I would appreciate it if the data protection team could look into all of the issues we know of in Debian, but I'd also like there to be a process where people can file issues with the data protection team. I'll admit I had to search a bit to find the data-protection email address; it doesn't seem to feature prominently anywhere on our website. It would be great if it were clear whether someone should file a bug with a tag or use the data-protection alias, so that it's possible to file and keep track of data protection issues that need to be resolved.

So, I think it's more important to take care of known issues and low hanging fruit before getting a lawyer involved. I also think it's a good idea to make it easy to file issues as they are found, and would like to know if the Data Protection team has any ideas or if they would consider implementing anything like the above.

