RE: Is git compliant with GDPR?

["Randall S. Becker" <rsbecker@nexbridge.com>]

On July 2, 2020 12:28 PM, Jason Pyeron wrote:
> Subject: RE: Is git compliant with GDPR?
> > -----Original Message-----
> > From: Jakub Trzebiatowski
> > Sent: Thursday, July 2, 2020 11:58 AM
> >
> First: I am not a lawyer, and even if I were, I (nor anyone else on this list)
> would not be your lawyer - get a lawyer.
> 
> Second: This thread is likely borderline off topic because for Git and GPDR to
> meet, it would be in the context of SaaS or your internal organization. There
> is almost nothing pure Git about these issues, see below. Discussion for the
> sake of it follows.
> 
> >
> > I've been using git for years, but I've never before taken part in the
> > discussion on the mailing list. I have a simple question, which
> > probably isn't easy to answer.
> >
> > Is git compliant with GDPR, the EU data protection law?
> >
> > Before I'm able to commit with git, I'm asked for my first and last
> > name. That is personal data.
> >
> > GDPR, Article 4, point (1):
> > ‘personal data’ means any information relating to an identified or
> > identifiable natural person (‘data subject’); [...]
> >
> > That data is handled by the git utility. It's sent to other parties
> > operating remote git servers (as a result of my commands, but as far
> > as I know that's not relevant). It sounds like it's being processed.
> 
> Git is like a hard drive or database in your organization. It does not do
> anything else than store the information.
> 
> Exception 1: IF you configure it to do so.
> 
> Exception 2: You are using a SaaS provider (e.g. github.com, gitlab.com, etc.)
> 
> Note: this is no different than any other SCM (e.g. CVS, Subversion, file
> shares, etc.).
> 
> >
> > GDPR, Article 4, point (2):
> > ‘processing’ means any operation or set of operations which is
> > performed on personal data or on sets of personal data, whether or not
> > by automated means, such as collection, recording, organisation,
> > structuring, storage, adaptation or alteration, retrieval,
> > consultation, use, disclosure by transmission, dissemination or
> > otherwise making available, alignment or combination, restriction,
> > erasure or destruction;
> >
> > This data is processed with a compatible computer owned by the end
> > user for the purpose of identification of git commits. It's sent to
> > other parties only when specific commands are given. All this was
> > defined by git authors/contributors (from all around the world).
> >
> 
> Again, like any database, you can query it for its contents. What you put in it
> is what it has. If you put personal data in, then it is there.
> 
> Where can data reside in Git?
> 
> 1. The blobs - e.g. your source code
> 
> 2. The commit messages.
> 
> #2 is your most likely candidate of GDPR related activities.
> 
> Do you use the developers names and email addresses in the message?
> Almost certainly.
> 
> Note: this is no different than any other SCM (e.g. CVS, Subversion, file
> shares, etc.).
> 
> > GDPR, Article 4, point (7):
> > ‘controller’ means the natural or legal person, public authority,
> > agency or other body which, alone or jointly with others, determines
> > the purposes and means of the processing of personal data; [...]
> >
> > Git authors can be considered joint controllers.
> >
> 
> The Git distributed model means that COPIES of all of the data are on each
> Git server and developer environment. You (and I mean your organization)
> must address this in your IT plans.
> 
> Note: this is no different than many other SCMs although some others SCM
> technologies only have the most recent version locally..
> 
> > If we'd assume the above interpretations, there would be many, many
> > consequences.
> >
> > I'm not a lawyer, and I have no idea if this interpretation is
> > reasonable. I don't even know if I'd like it to be. But here are some
> > facts: GDPR does focus on protecting the end user. Possibly, it's the
> > most strict data protection law in the world. It doesn't care how
> > difficult it is to adjust the organisation for compliance and it
> > doesn't care where the controller is located, as long as it processes
> > personal data of EU citizens (if I understand it correctly).
> >
> > Are there any lawyers in the git community? Could The Linux Foundation
> > help with legal support? It's a very non-trivial issue. It's non
> > obvious how local software relates to GDPR, and it's even more
> > difficult with Free/Open Source software with many, many authors. But
> > if the aforementioned interpretation was assumed, the git authors
> > could be held responsible for non-compliance.
> 
> 
> I have copied our Policy SME, maybe he will have opinions.

I am not speaking for the Git Foundation here, nor am I a lawyer; However, to use some practices from some of my customers who have this concern, the team members are directed to use tokenized names and email addresses that can be resolved by their security teams during an audit. Obviously the team members recognize the tokens so they know who is making what change. This means that externally, any names/emails that might get pushed upstream are non-identifying.

The problem with this approach is that it is not global. As a result, if you want to contribute to a public project you have to self-identify, which may imply consent under GDPR. This is for the protection of the project itself as a project cannot take code from anonymous sources. If you are unwilling to share that information, do not contribute to a project.

Randall

-- Brief whoami:
 NonStop developer since approximately 211288444200000000
 UNIX developer since approximately 421664400
-- In my real life, I talk too much.