From: Peter Backes <rtc@helen.PLASMA.Xg8.DE>
To: David Lang <david@lang.hm>
Cc: "Philip Oakley" <philipoakley@iee.org>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Git Mailing List" <git@vger.kernel.org>
Subject: Re: GDPR compliance best practices?
Date: Tue, 12 Jun 2018 21:12:19 +0200 [thread overview]
Message-ID: <20180612191219.GA17935@helen.PLASMA.Xg8.DE> (raw)
In-Reply-To: <alpine.DEB.2.02.1806121152530.10486@nftneq.ynat.uz>
On Tue, Jun 12, 2018 at 11:56:13AM -0700, David Lang wrote:
> [quoting github]
>
> It's important to remember that the Right to Erasure only applies to
> personal data, not all data. It only applies to data a controller (GitHub,
> for example) is processing _solely_ on the basis of consent.
This is very obviously wrong. See Art. 17 GDPR. Consent is only one of
the explicitly mentioned grounds for deletion (it is (1) lit b, but
there's also a and c to f).
> And it only
> applies when there's not another legal reason to keep the data -- for
> instance, if the data is no longer necessary for the purpose for which it
> was collected.
This incorrect claim is completely inverting the logic of Art. 17.
The logic is clarly that if ANY of lit (a) to (f) is satisfied, the
data must be deleted.
It is not necessary for ALL of them to be satisfied.
In particular, if the data is no longer necessary for the purpose for
which it was collected, then THAT ALONE is grounds for erasure ((1)
lit. a). It does not matter at all whether processing was consent-based
or whether such consent was withdrawn.
> We do not process Git commit history on the basis of consent. We have a
> legitimate business purpose for collecting Git commit history: to maintain
> the integrity of the Git commit record. It remains necessary for its purpose
> for as long as a commit needs to be attributable to its committer.
Right, but this merely justifies storing the data, not publishing it,
or keeping it published, as I already explained at length.
> At GitHub, as part of our Privacy By Design work, we offer ways for users to
> set their own Git commit email data, so if an individual wants to remain
> anonymous or pseudonymous, he or she can do so.
Not only is this contradicting fundamentally what they just said in the
previous sentence, it is not a justification for ignoring the right to
erasure either. It is exactly the purpose of the right to erasure to
get the data erased *after* the fact.
> We also explain, in our
> [Privacy
> Statement](https://help.github.com/articles/github-privacy-statement), that
> we are not able to delete personal data from the Git commit history once it
> has been recorded.
Privacy Statements are not a justification under GDPR for processing
data or ignoring the right to erasure.
And oh yes they are able. Rewriting history is a possibility, though an
inconvenient one.
I have pointed towards more convenient solutions.
> I'll point out that not only did the Github lawyers need to sign off on this
> stance, but the Microsoft lawyers would have looked at it as well as part of
> their purchase of Github.
So? If a thousand lawyers claim 1+1=3, it becomes a mathematical truth?
Best wishes
Peter
--
Peter Backes, rtc@helen.PLASMA.Xg8.DE
next prev parent reply other threads:[~2018-06-12 19:12 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-17 19:15 GDPR compliance best practices? Peter Backes
2018-04-17 21:38 ` Ævar Arnfjörð Bjarmason
2018-04-17 23:25 ` Peter Backes
2018-06-03 9:27 ` Peter Backes
2018-06-03 10:45 ` Ævar Arnfjörð Bjarmason
2018-06-03 11:25 ` Peter Backes
2018-06-03 12:59 ` Ævar Arnfjörð Bjarmason
2018-06-03 14:18 ` Peter Backes
2018-06-03 15:28 ` Philip Oakley
2018-06-03 17:46 ` Peter Backes
2018-06-03 18:18 ` Theodore Y. Ts'o
2018-06-03 19:11 ` Peter Backes
2018-06-03 19:24 ` Peter Backes
2018-06-03 20:07 ` Theodore Y. Ts'o
2018-06-03 20:52 ` Peter Backes
2018-06-03 21:03 ` Theodore Y. Ts'o
2018-06-03 22:16 ` Peter Backes
2018-06-04 13:47 ` Theodore Y. Ts'o
2018-06-04 18:22 ` Peter Backes
2018-06-03 22:28 ` Philip Oakley
2018-06-03 23:01 ` Peter Backes
2018-06-04 12:24 ` Philip Oakley
2018-06-07 1:38 ` David Lang
2018-06-07 6:32 ` Peter Backes
2018-06-07 21:28 ` Philip Oakley
2018-06-07 22:34 ` Peter Backes
2018-06-07 22:38 ` David Lang
2018-06-07 23:21 ` Peter Backes
2018-06-07 23:53 ` David Lang
2018-06-08 6:16 ` Peter Backes
2018-06-08 7:42 ` David Lang
2018-06-08 11:58 ` Peter Backes
2018-06-08 18:51 ` David Lang
2018-06-12 18:56 ` David Lang
2018-06-12 19:12 ` Peter Backes [this message]
2018-06-12 19:16 ` Martin Fick
2018-06-13 14:12 ` Theodore Y. Ts'o
2018-06-13 14:48 ` Peter Backes
2018-06-08 2:53 ` Theodore Y. Ts'o
2018-06-08 6:26 ` Peter Backes
2018-06-08 8:13 ` Ævar Arnfjörð Bjarmason
2018-06-08 12:03 ` Peter Backes
2018-06-08 22:53 ` Ævar Arnfjörð Bjarmason
2018-06-08 14:45 ` Theodore Y. Ts'o
2018-06-08 16:02 ` Peter Backes
2018-06-08 22:09 ` Johannes Sixt
2018-06-09 22:50 ` Philip Oakley
2018-06-10 1:41 ` Theodore Y. Ts'o
2018-06-03 17:54 ` Philip Oakley
2018-06-03 19:48 ` Ævar Arnfjörð Bjarmason
2018-06-03 20:24 ` Peter Backes
2018-06-08 22:42 ` Jonathan Nieder
2018-06-08 23:00 ` Ævar Arnfjörð Bjarmason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180612191219.GA17935@helen.PLASMA.Xg8.DE \
--to=rtc@helen.plasma.xg8.de \
--cc=avarab@gmail.com \
--cc=david@lang.hm \
--cc=git@vger.kernel.org \
--cc=philipoakley@iee.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).