Wednesday, 7 March 2018

Re: More diagnostics data from desktop


(cross-posting because ubuntu-devel is moderated and this may not reach
that list)

On 07/03/18 11:46, Jeremy Bicha wrote:
> What proposed collected data do you think should be considered
> personal data for GDPR purposes?

"What constitutes personal data?

"Any information related to a natural person or 'Data Subject', that can
be used to directly or indirectly identify the person. It can be
anything from a name, a photo, an email address, bank details, posts on
social networking websites, medical information, or a computer IP
address." [1]

And more specifically:

"(26) The principles of data protection should apply to any information
concerning an identified or identifiable natural person. Personal data
which have undergone pseudonymisation, which could be attributed to a
natural person by the use of additional information should be considered
to be information on an identifiable natural person. ..."

"(30) Natural persons may be associated with online identifiers provided
by their devices, applications, tools and protocols, such as internet
protocol addresses, cookie identifiers or other identifiers such as
radio frequency identification tags. This may leave traces which, in
particular when combined with unique identifiers and other information
received by the servers, may be used to create profiles of the natural
persons and identify them." [2]

Hence, if you _ever_ record an IP address, you are recording "personal
data" and must be able to demonstrate you are meeting the requirements
of the GDPR **even if you pseudonymise that data**. Given the proposal
extends to storing a full hardware specification it's very easy to see
how that could be used as "additional information" or "other identifiers".

Regarding consent:

"(32) Consent should be given by a clear affirmative act establishing a
freely given, specific, informed and unambiguous indication of the data
subject's agreement to the processing of personal data relating to him
or her, such as by a written statement, including by electronic means,
or an oral statement.

"This could include ticking a box when visiting an internet website,
choosing technical settings for information society services or another
statement or conduct which clearly indicates in this context the data
subject's acceptance of the proposed processing of his or her personal
data. Silence, pre-ticked boxes or inactivity should not therefore
constitute consent.

"Consent should cover all processing activities carried out for the same
purpose or purposes. When the processing has multiple purposes, consent
should be given for all of them. If the data subject's consent is to be
given following a request by electronic means, the request must be
clear, concise and not unnecessarily disruptive to the use of the
service for which it is provided." [2] (Split to highlight central section)

Given the discussion is about large-scale systematic data
collection, Ubuntu/Canonical should also be aware of:

"Does my business need to appoint a Data Protection Officer (DPO)?

"DPOs must be appointed in the case of: (a) public authorities, (b)
organizations that engage in large scale systematic monitoring, or (c)
organizations that engage in large scale processing of sensitive
personal data (Art. 37). If your organization doesn't fall into one of
these categories, then you do not need to appoint a DPO." [1]

Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and
all data collection meets the requirements of the GDPR. This is a bigger
issue than most people realise.