(Keeping the full comment since the replied email hasn't shown up in the ubuntu-devel archives yet.)
On Wed, Mar 7, 2018 at 2:42 PM, J Fernyhough <j.fernyho...@gmail.com> wrote:
> (cross-posting because ubuntu-devel is moderated and this may not reach
> that list)
>
> On 07/03/18 11:46, Jeremy Bicha wrote:
>> What proposed collected data do you think should be considered
>> personal data for GDPR purposes?
>>
>
> "What constitutes personal data?
>
> "Any information related to a natural person or ‘Data Subject’, that can
> be used to directly or indirectly identify the person. It can be
> anything from a name, a photo, an email address, bank details, posts on
> social networking websites, medical information, or a computer IP
> address." [1]
>
> And more specifically:
>
> "(26) The principles of data protection should apply to any information
> concerning an identified or identifiable natural person. Personal data
> which have undergone pseudonymisation, which could be attributed to a
> natural person by the use of additional information should be considered
> to be information on an identifiable natural person. ..."
>
> "(30) Natural persons may be associated with online identifiers provided
> by their devices, applications, tools and protocols, such as internet
> protocol addresses, cookie identifiers or other identifiers such as
> radio frequency identification tags. This may leave traces which, in
> particular when combined with unique identifiers and other information
> received by the servers, may be used to create profiles of the natural
> persons and identify them." [2]
>
> Hence, if you _ever_ record an IP address, you are recording "personal
> data" and must be able to demonstrate you are meeting the requirements
> of the GDPR **even if you pseudonymise that data**. Given the proposal
> extends to storing a full hardware specification it's very easy to see
> how that could be used as "additional information" or "other identifiers".
>
>
> Regarding consent:
>
> "(32) Consent should be given by a clear affirmative act establishing a
> freely given, specific, informed and unambiguous indication of the data
> subject's agreement to the processing of personal data relating to him
> or her, such as by a written statement, including by electronic means,
> or an oral statement.
>
> "This could include ticking a box when visiting an internet website,
> choosing technical settings for information society services or another
> statement or conduct which clearly indicates in this context the data
> subject's acceptance of the proposed processing of his or her personal
> data. Silence, pre-ticked boxes or inactivity should not therefore
> constitute consent.
>
> "Consent should cover all processing activities carried out for the same
> purpose or purposes. When the processing has multiple purposes, consent
> should be given for all of them. If the data subject's consent is to be
> given following a request by electronic means, the request must be
> clear, concise and not unnecessarily disruptive to the use of the
> service for which it is provided." [2]
> (Split to highlight central section)
>
>
> Given the discussion is about large-scale systematic data
> collection Ubuntu/Canonical should also be aware of:
>
> "Does my business need to appoint a Data Protection Officer (DPO)?
>
> "DPOs must be appointed in the case of: (a) public authorities, (b)
> organizations that engage in large scale systematic monitoring, or (c)
> organizations that engage in large scale processing of sensitive
> personal data (Art. 37). If your organization doesn’t fall into one of
> these categories, then you do not need to appoint a DPO." [1]
>
>
> Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and
> all data collection meets the requirements of the GDPR. This is a bigger
> issue than most people realise.
>
>
>
> References
>
> [1] https://www.eugdpr.org/gdpr-faqs.html
> [2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Notably, in the very first email in this thread, Will Cooke specifically said IP addresses will never be stored with this data.

A Launchpad account is not needed for apport to send crash data for stable Ubuntu releases (it works a bit differently while an Ubuntu release is still in development.)

In my opinion, the basic hardware data collection being proposed is completely insufficient to identify people.

Thanks,
Jeremy Bicha