
Re: Question to all candidates: GDPR compliance review



Hi Adrian,

On Fri, Apr 05, 2024 at 12:41:17AM +0300, Adrian Bunk wrote:
> this email has two parts:
> A short question where I would appreciate a "yes" or "no" answer from 
> all candidates, and a longer explanation of what I am asking and why.
> 
> 
> Question:
> 
> If elected, will you commit to have a lawyer specialized in that area
> review policies and practices around handling of personal data in Debian 
> for GDPR compliance, and report the result of the review to all project 
> members by the end of 2024?

No. 
 
> Explanation:

Explanation for my "No".  You wanted a binary answer and you got it.  I
doubt a binary answer to a complex question that needs a long
explanation is appropriate.
 
> One might discuss whether or not Debian should aim at being better than 
> average in the area of privacy, but compliance with the law is the 
> minimum everyone can expect.
> 
> Unlawful actions can have consequences, organizations and 
> individuals might be subject to fines up to 20 Million Euro
> as well as compensation for material and non-material damage,
> and in some countries also prosecution under criminal law.
> 
> 
> Many parts of Debian's Privacy Policy look questionable.
> 
> For example, the rights are not stated, and in addition to this being a 
> formal problem there is also the question of whether, for example, the Debian 
> Data Protection team fulfils the right to request only where 
> required by law or whether all people around the world are treated
> the same.

I need to admit I do not understand this example.
 
> The attempts in the Privacy Policy for blanket eternal storage
> of data might not pass a legal review, especially when this might
> contain sensitive data like sexual orientation or political opinions.

I'm not aware that those personal data are stored.  If this is really
the case you have a point.

> I also suspect that the Debian Account Manager and Community Teams
> might be abusing people by illegally processing data outside of what
> is being permitted by the Privacy Policy.

I've reviewed the "State of the Data Protection team" talk from
DebConf22[1].  I understand that you can address those suspicions
with this team.

> I would be glad to hear from a qualified person that I am wrong and that 
> all handling of personal data by these teams is lawful.

If I understand you correctly you want to know my opinion whether Debian
should pay some lawyer specialized in data privacy to inspect "all
handling of personal data", right?
 
> There is also a personal side for me:
> 
> I am feeling quite unsafe in Debian due to not knowing what data people 
> in positions of power in Debian who dislike me might have about me, and 
> I want to request all data about me in Debian. This is also a prerequisite
> for exercising the right of rectification of inaccurate personal data if 
> any data turns out to be incorrect.

While I may be somewhat naive, I'm unaware of any positions within
Debian that hold the power to harm others.  IMHO, the most troubling
aspect is your feeling that there are individuals who dislike you.  If
you really feel unsafe about this situation, IMHO the first step should
be to talk to some individual you trust inside Debian.

> I would wish that Debian itself can ensure that all handling of personal 
> data is lawful, and that GDPR requests are being fulfilled without 
> problems - like everywhere else.

I'm not particularly well-versed in GDPR issues, but I would imagine
that there must be a justified suspicion before seeking legal counsel.
 
> Other places with DDs also have laws protecting personal data
> (at least California, China, Brazil, South Africa, Singapore).
> 
> I am asking specifically about GDPR since that affects me directly, but 
> either during the GDPR review or afterwards it would of course be good 
> to also obtain legal advice whether there are additional requirements
> in other jurisdictions.

To qualify my previously stated 'no' I'd rather say:

No, unless you come up with some more specific example (feel free to do
this in private and, if you like, in our common mother language).
Alternatively, the urgency of the issue might be highlighted by several
other developers to bring my attention to the severity of the problem.

Kind regards
    Andreas.

[1] https://debconf22.debconf.org/talks/39-state-of-the-data-protection-team/

-- 
https://fam-tille.de