Wednesday 7 March 2018

Re: More diagnostics data from desktop

(Keeping the full comment since the email I'm replying to hasn't shown up in
the ubuntu-devel archives yet.)

On Wed, Mar 7, 2018 at 2:42 PM, J Fernyhough <j.fernyhough@gmail.com> wrote:
> (cross-posting because ubuntu-devel is moderated and this may not reach
> that list)
>
> On 07/03/18 11:46, Jeremy Bicha wrote:
>> What proposed collected data do you think should be considered
>> personal data for GDPR purposes?
>>
>
> "What constitutes personal data?
>
> "Any information related to a natural person or 'Data Subject', that can
> be used to directly or indirectly identify the person. It can be
> anything from a name, a photo, an email address, bank details, posts on
> social networking websites, medical information, or a computer IP
> address." [1]
>
> And more specifically:
>
> "(26) The principles of data protection should apply to any information
> concerning an identified or identifiable natural person. Personal data
> which have undergone pseudonymisation, which could be attributed to a
> natural person by the use of additional information should be considered
> to be information on an identifiable natural person. ..."
>
> "(30) Natural persons may be associated with online identifiers provided
> by their devices, applications, tools and protocols, such as internet
> protocol addresses, cookie identifiers or other identifiers such as
> radio frequency identification tags. This may leave traces which, in
> particular when combined with unique identifiers and other information
> received by the servers, may be used to create profiles of the natural
> persons and identify them." [2]
>
> Hence, if you _ever_ record an IP address, you are recording "personal
> data" and must be able to demonstrate you are meeting the requirements
> of the GDPR **even if you pseudonymise that data**. Given the proposal
> extends to storing a full hardware specification it's very easy to see
> how that could be used as "additional information" or "other identifiers".
>
>
> Regarding consent:
>
> "(32) Consent should be given by a clear affirmative act establishing a
> freely given, specific, informed and unambiguous indication of the data
> subject's agreement to the processing of personal data relating to him
> or her, such as by a written statement, including by electronic means,
> or an oral statement.
>
> "This could include ticking a box when visiting an internet website,
> choosing technical settings for information society services or another
> statement or conduct which clearly indicates in this context the data
> subject's acceptance of the proposed processing of his or her personal
> data. Silence, pre-ticked boxes or inactivity should not therefore
> constitute consent.
>
> "Consent should cover all processing activities carried out for the same
> purpose or purposes. When the processing has multiple purposes, consent
> should be given for all of them. If the data subject's consent is to be
> given following a request by electronic means, the request must be
> clear, concise and not unnecessarily disruptive to the use of the
> service for which it is provided." [2] (Split to highlight central section)
>
>
> Given the discussion is about large-scale systematic data
> collection, Ubuntu/Canonical should also be aware of:
>
> "Does my business need to appoint a Data Protection Officer (DPO)?
>
> "DPOs must be appointed in the case of: (a) public authorities, (b)
> organizations that engage in large scale systematic monitoring, or (c)
> organizations that engage in large scale processing of sensitive
> personal data (Art. 37). If your organization doesn't fall into one of
> these categories, then you do not need to appoint a DPO." [1]
>
>
> Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and
> all data collection meets the requirements of the GDPR. This is a bigger
> issue than most people realise.
>
>
>
> References
>
> [1] https://www.eugdpr.org/gdpr-faqs.html
> [2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Notably, in the very first email in this thread, Will Cooke
specifically said IP addresses will never be stored with this data. A
Launchpad account is not needed for apport to send crash data for
stable Ubuntu releases (it works a bit differently while an Ubuntu
release is still in development).

In my opinion, the basic hardware data collection being proposed is
completely insufficient to identify people.

Thanks,
Jeremy Bicha

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel