Page 1 of 2

Open Source and General Data Protection Regulation (GDPR)

Posted: Fri May 25, 2018 9:57 am
by khz
From 25.05.2018 there will be a new EU law for the protection of citizens.
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

The GDPR also applies to open source projects (software) based in the EU - and also to projects based outside the EU that work together with projects based in the EU - which also have to comply with the new law because they do not belong to private individuals?
Is that true?

If it concerns us (GNU/Linux/Software) we could/should exchange experiences, gather information,... and find a way.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Sun May 27, 2018 8:16 am
by khz
http://www.audio4linux.de is (temporarily) offline. :-(
The Guitarix forum is currently also offline.

EDIT:
Sorry about scaremongering.
a4l.de is online again and apparently the temporary offline status had nothing to do with it.

:-)

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Wed May 30, 2018 8:11 pm
by CrocoDuck
This is quite interesting. I have been reading some documentation about GDPR, both official and various opinions. My impression is that it is not a danger for Open Source projects. It is essentially mandating that all online service providers to human users grant an explicit set of rights to the users in relation to the personal data they collect.

Now, I couldn't go through properly, but I think that phpBB based forums (as this one) already check most of the marks. In case few are not, I think there would be the grounds (for few things maybe) to hold phpBB liable, not Linux Musicians (or any other forum maintainer), as they are providing the technology. But I am no lawyer, so I have no idea, really.

An example of possibly unmarked box for this forum could be the fact that every single track of an user has to be erasable on the user request. So, as an EU resident now, I have the right to ask Linux Musicians to delete -all- the stuff that relates to me here. Also all posts. And Linux Musicians would have a certain time limit to comply. Again, I am not lawyer, but if this is a technical issue adding a note in our signature that says "This post is licensed under whatever-license" should perhaps fix it? At that point the posts would be published work, protected by a license, not personal data on a website.

Anyway, I don't think it is out of the reach of Open Source projects to comply with GDPR, there are already few initiatives, for example: https://www.opengdpr.org/.

The copyright reform being discussed in the EU now is gonna be much more trouble if becomes law, as that would -impose- content filtering on every website in search of copyright infringements. See here:

https://savecodeshare.eu/
https://edri.org/eu-member-states-agree ... t-uploads/
https://saveyourinternet.eu/

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Wed May 30, 2018 10:30 pm
by khz
I don't want to spread a mood/panic!
Understanding/reflecting only.

@copyright reform
Traditional Internet providers, cloud providers and traditional online marketplaces will not be covered. Websites such as online encyclopedias, scientific archives or open source development platforms that offer access to protected content for non-commercial purposes are also excluded.

https://www.heise.de/newsticker/meldung/Copyright-Reform-EU-Staaten-einigen-sich-auf-Upload-Filter-und-Leistungsschutzrecht-4059219.html (German)

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Thu May 31, 2018 2:10 pm
by CrocoDuck
khz wrote:I don't want to spread a mood/panic!
Understanding/reflecting only.


Good call!

khz wrote:@copyright reform

Traditional Internet providers, cloud providers and traditional online marketplaces will not be covered. Websites such as online encyclopedias, scientific archives or open source development platforms that offer access to protected content for non-commercial purposes are also excluded.


https://www.heise.de/newsticker/meldung ... 59219.html (German)


Nice one. I will try to get more info about it in English.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Thu May 31, 2018 4:16 pm
by raboof
CrocoDuck wrote:My impression is that it is not a danger for Open Source projects.


I agree I'm not too alarmed by it.

It is true, however, that the additional rules pose a risk for people hosting things online, and this puts 'community' projects like most Open Source initiatives at a disadvantage. After all, those typically don't have a legal team to reduce the risk of accidentally running afoul of any of the rules.

CrocoDuck wrote:I think there would be the grounds (for few things maybe) to hold phpBB liable, not Linux Musicians (or any other forum maintainer), as they are providing the technology. But I am no lawyer, so I have no idea, really.


Hmm, if that were true I would call that a "risk to open source", since it would mean it's suddenly dangerous to publish your forum software online because other people may use it and violate the GDPR with it. I don't think it works like that though. I do agree in case of a dispute I could claim "I used the widely used phpBB software so I could reasonably assume the relevant boxes to be checked", as long as I did everything in my power to fix it once it became clear that it didn't.

CrocoDuck wrote:An example of possibly unmarked box for this forum could be the fact that every single track of an user has to be erasable on the user request. So, as an EU resident now, I have the right to ask Linux Musicians to delete -all- the stuff that relates to me here.


One complication here that legally, I don't think there is such a thing as 'Linux Musicians' as a legal entity. As far as I understand, the GDPR may apply to individuals as well, but not for 'household activities'. I guess it is a bit of a stretch to call maintaining this forum a 'household activity' (though maybe?), so people would have to come after me or the moderation team personally.

CrocoDuck wrote:Also all posts. And Linux Musicians would have a certain time limit to comply. Again, I am not lawyer, but if this is a technical issue adding a note in our signature that says "This post is licensed under whatever-license" should perhaps fix it? At that point the posts would be published work, protected by a license, not personal data on a website.


Actually when someone requests his account to be deleted, I always ask whether it is OK to keep his/her posts: phpBB allows deleting users either with or without their posts. So I think we're already OK here as well.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Thu May 31, 2018 4:39 pm
by Jack Winter
How about the right to be forgotten? What if someone important asks to have all his contributions to some project deleted? Note that I haven't read any of the legal texts at all, so may be completely confused..

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Thu May 31, 2018 5:49 pm
by khz
CrocoDuck wrote:So, as an EU resident now, I have the right to ask Linux Musicians to delete -all- the stuff that relates to me here. Also all posts. And Linux Musicians would have a certain time limit to comply.

All data (user & posts) can be deleted, the only exceptions are user quotes. With one mouse click. IMHO
There are several GDPR data protection generators on the net.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Thu May 31, 2018 8:39 pm
by Jack Winter
My point wasn't about this board, it was more about open source projects in general.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Fri Jun 01, 2018 10:37 am
by CrocoDuck
Jack Winter wrote:How about the right to be forgotten? What if someone important asks to have all his contributions to some project deleted? Note that I haven't read any of the legal texts at all, so may be completely confused..


As confirmed above, my legal understanding of the world is very limited... which is a shame really. But here how I see it:

I think you are referring to contributions to software projects made by, say, GitHub (or any other service) users to an open source software project hosted in there. If they have the right to be forgotten on GitHub, which is a platform that collects data that are personal according to the very broad definition given by GDPR, then all their contributions to software projects should be deleted as well. I don't think this is true.

In fact, when a developer contributes to a software project, he publishes work into it conforming to the copyright and license of the software project. So, his/her contributions are published work, covered by a well defined license and copyright to which the author abides to, and hence fall outside the scope of GDPR, that is about collected data of users in service providers databases.

The only way the problem could exist, I believe, is in contributions to unlicensed work, but these essentially do not exist, as they are an hazard to contributors anyway.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Fri Jun 01, 2018 2:35 pm
by khz
42low wrote:
khz wrote:All data (user & posts) can be deleted

Is it that easy Khz?

Only the spam users will be completely deleted.
Otherwise, only the user account will be deleted, making his existing posts anonymous.
The fact that a user has been deleted has so far occurred 1 time in 10 years of LM. IMHO
But I am not an active moderator. In the irc you would say IDLE.
CrocoDuck wrote:In fact, when a developer contributes to a software project, he publishes work into it conforming to the copyright and license of the software project. So, his/her contributions are published work, covered by a well defined license and copyright to which the author abides to, and hence fall outside the scope of GDPR, that is about collected data of users in service providers databases.

I agree.
The trend is towards open source (e.g. dockers, containers). Companies recognize the advantages of open source and make their code available, use and participate in it and offer, platform independent, interfaces.
So it would be illogical to complicate the development of open source. IMHO

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Fri Jun 01, 2018 3:52 pm
by khz
Good point.
I have no idea. That's why the thread.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Sat Jun 02, 2018 1:57 pm
by khz
A thought to the forums in general (My knowledge is small!, some regulations will still adapt with time by judgments):
For small forums the effort for the implementation of the GDPR could be quite high, which could lead to some problems.

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Sat Jun 02, 2018 3:43 pm
by CrocoDuck
42low wrote:Like i already said (some additional more clear explanation):
This "small forum" is that simple that it doesn't have a lot of hidden gathering scripts at it. I otherwise a lot of "information gathering scriptsÎ… were behind this (analising, advertising, etc) then it would be a lot off problems.

I really think it's not that high. If i know phpbb there's not that much information gathered. Not more than what's needed for regular registration, and next to that no privacy sensitive information at all. Not everything is "bad". If you buy online your order has to be registered. If you pay your bankaccountnr is getting registered. That's all within acceptable ranges.
I think the most positive aspect i think is that this negligible amount off information isn't shared (unasked!) with third parties at all, so there's nothing to "cover". If there were 30+ hidden gathering scripts behind it i would be afraid. Not now.

I don't believe "they are" going to hunt for the small fish. I think this all is setup because the big fish earn huge profits with your privacy and keep crossing boundaries again and again with it (like financial and medical information and so on) to get richer and richer.
What is this forum actually gathering (and sharing) for privacy sensitive information that would be reprehensible? Nothing.
This forum is no big fish.

Hope it's some more clear now.


I essentially agree. However, few additional points:

According to GDPR, it seems that it is personal information any kind of information that can be traced back to an individual. So, my nickname (CrocoDuck) is personal information, as it can be traced back to my real name and surname, and many other details, as they appear in my blog below. So, I have the right, under GDPR, to ask, for example, for complete removal of that information from Linux Musicians at any point if I wish. Which I don't, of course. This was just to clarify how broad is the definition of personal data according to GDPR. If I was a bit wiser, CrocoDuck would have been an anonymous nickname...

As for hunting the small fishes, yes: I believe GDPR was made to have Facebook, Twitter... all the big guys behaving correctly. I don't think the EU really cares about us (the small fishes). However, a random legal action could cause disruption. Lets assume, for example, that there was another forum called Windoze Musicians that really really disliked us. Then, they could file a lawsuit against us to attempt getting rid of us (yeah, a bit of a stretch, but these tactics have been used at times. Essentially, this is how patents are used, but this is another story).

Re: Open Source and General Data Protection Regulation (GDPR)

Posted: Sat Jun 02, 2018 5:02 pm
by khz
- For small forums (1 - x person(s)) even a small fine can have bad effects
- Guitarix and forum.sonic-potions.com/plugins/Maintenance/closed.php Forum is currently not online.

Article 6, paragraph 1 (f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

legitimate interests
https://gdpr-info.eu/art-6-gdpr/