Hi,

this email has two parts: A short question where I would appreciate a "yes" or "no" answer from all candidates, and a longer explanation of what and why I am asking.

Question:

If elected, will you commit to have a lawyer specialized in that area review policies and practices around handling of personal data in Debian for GDPR compliance, and report the result of the review to all project members by the end of 2024?

Explanation:

One might discuss whether or not Debian should aim at being better than average in the area of privacy, but compliance with the law is the minimum everyone can expect. Unlawful actions can have consequences, organizations and individuals might be subject to fines up to 20 Million Euro as well as compensation for material and non-material damage, and in some countries also prosecution under criminal law.

Many parts of Debian's Privacy Policy look questionable. For example the rights are not stated, and in addition to this being a formal problem there is also the question whether for example the Debian Data Protection team does fulfil the right to request only where required by law or whether all people around the world are treated the same. The attempts in the Privacy Policy for blanket eternal storage of data might not pass a legal review, especially when this might contain sensitive data like sexual orientation or political opinions. I also suspect that the Debian Account Manager and Community Teams might be abusing people by illegally processing data outside of what is being permitted by the Privacy Policy. I would be glad to hear from a qualified person that I am wrong and that all handling of personal data by these teams is lawful.

There is also a personal side for me: I am feeling quite unsafe in Debian due to not knowing what data people in positions of power in Debian who dislike me might have about me, and I want to request all data about me in Debian. This is also a prerequisite for exercising the right of rectification of inaccurate personal data if any data turns out to be incorrect.

I would wish that Debian itself can ensure that all handling of personal data is lawful, and that GDPR requests are being fulfilled without problems - like everywhere else.

Other places with DDs also have laws protecting personal data (at least California, China, Brazil, South Africa, Singapore). I am asking specifically about GDPR since that affects me directly, but either during the GDPR review or afterwards it would of course be good to also obtain legal advice whether there are additional requirements in other jurisdictions.

Thanks
Adrian