This email is about the EU GDPR (General Data Protection Regulation), and any use of "data" below refers to personal data of people covered by the GDPR.
Two years ago the outgoing DPL announced that our Data Protection Team has a relationship with a GDPR lawyer.[1]

Out of curiosity I started looking at various aspects of GDPR compliance in Debian, and what I saw in the Privacy Policy[2] made me worry that the lawyer has not yet been involved enough in ensuring that privacy in Debian reaches at least the minimum level defined by law.

What kind of consent is required and requested for infinite storing of data in archives of public mailing lists?
What kind of consent is required and requested for infinite storing of data in archives of private mailing lists?
Does this also apply to highly sensitive data revealing for example sexual orientation or political opinions?
What about people who have never submitted any data themselves to Debian, and have never in any other way consented that Debian stores personal data about them?
How is the right to withdraw the consent to storing data implemented?
How are people being informed when data about them gets stored in the archives of public mailing lists?
How are people being informed when data about them gets stored in the archives of private mailing lists?
Who has access to data, and for what purposes might data be used?
Where is data being stored?
If data is being stored outside the EU, how is legal compliance ensured?

The rights are not stated, like the right to lodge complaints with a supervisory authority.

What natural or legal entity is the identity of Debian?

Debian is a joint controller of data handled by external subcontractors like Outreachy on behalf of Debian.
Debian is a joint controller of data processed or stored by teams or individual team members.
Teams or team members of teams like for example the Debian Community Team, the Debian Account Managers or the Debian System Administration team are storing data on behalf of Debian that is currently not listed in the Privacy Policy.
Is such data currently being included when people request a copy of all data about them from Debian?
What is the data retention period for such data?

Does Debconf have a privacy policy? I didn't find one when searching on the webpage. It is not even clear whether Debconf is legally a part of Debian or a separate entity.

In addition to the embarrassment that privacy handling in Debian is not even reaching the minimum bar defined by law, Debian risks both penalties of up to 20 Million Euro and compensation claims when not complying with the GDPR.

Properly defined policies and processes also make it easier to provide the data when people request from Debian a copy of all data about them.

IANAL and it is more likely than not that not everything I wrote above is not correct. This is something the Debian Data Protection Team should review together with their GDPR lawyer, who will surely point out where I might be wrong.

cu
Adrian

[1] https://lists.debian.org/debian-project/2020/06/msg00051.html
[2] https://www.debian.org/legal/privacy