Re: Question to all candidates: GDPR compliance review
(I'm including the data-protection team, perhaps they can expand on your
question or comment on my feedback)
On 2022/03/31 22:08, Adrian Bunk wrote:
The discussion starting in  is about privacy in Debian with a focus
on the GDPR of the European Union.
It started with the GDPR; in my country we have POPIA, in California
there's CCPA, and there are now over a dozen similar legislations (and I
suspect more countries will be implementing them as time goes by).
Fortunately they seem to mostly overlap, so complying with at least GDPR
properly should make it a lot easier to comply in the other territories
where we operate.
When I first read through a GDPR guideline, I was quite happy about it
because for the most part, it forces websites to do things that I
consider a bare minimum when it comes to the safety of users' data.
Personally, I think it would be great if we exceed the expectations of
these legislations around the world.
There seems to be a general agreement that privacy in Debian falls
short of the legal minimum requirements at least in the EU.
Even the exact scope of the problem is not clear.
Question to all candidates:
If elected, will you ask our Data Protection team and our GDPR lawyer to
jointly do a review of all handling of personal data in Debian regarding
GDPR compliance, and make the results of the review available to all
I'm not sure bringing in the lawyer as a first step is optimal, they are
expensive and will probably tell us a lot of things we already know.
IMHO it's better to do some initial groundwork, compile a list of issues
that we need help on, and then take that to the lawyer for further input.
I can also think of some examples where we processed user data that you
didn't mention. As one example, we used to use the DebConf wiki quite a
bit to organize events, and those all got turned into static pages.
People who signed up and provided information (potentially contact
details, where they were at certain dates, etc.) couldn't have possibly
known that the data they entered would've been later archived as
publicly accessible read-only material later on, well at least not by us.
So, I would appreciate it if the data protection team could look into
all of the issues we know of in Debian, but I'd also like there to be a
process where people can file issues with the data protection team. I'll
admit I had to search a bit to find the data-protection email address,
it doesn't seem to prominently feature anywhere on our website. But it
would be great if it was clear that someone could file a bug with a tag,
or whether they should use the data-protection alias, so that it's
possible to file and keep track of data protection issues that need to
So, I think it's more important to take care of known issues and
low-hanging fruit before getting a lawyer involved. I also think it's a good
idea to make it easy to file issues as they are found, and would like to
know if the Data Protection team has any ideas or if they would consider
implementing anything like the above.