From: Dr. S. <drs...@gm...> - 2018-03-15 18:20:32
It's great that Tiki can be deployed in compliance with these laws, but it looks like the only reason we're subject to them is that we host data in Germany. Our legal structure is Canadian (if I remember correctly), so if we were ever found to be in violation the worst they could likely do is go after our hosting company. Now that being said, most of the items seem reasonable anyhow, but if there was ever a technical issue (say with intertiki) etc, I suppose we could migrate hosts.

Another consideration is that I would be in favour of violating these laws, specifically in the disclosure of personal information to European authorities. I would personally be displeased if a Canadian company gave any of my private information to a foreign nation, even if a warrant for search and seizure was issued. So in that respect, if we choose to respect the privacy of our users it would mean we could not comply with European inspection.

That being said, it would be good to clearly identify what nations or organizations we're going to share user information with. Does that include the EU if they ask for it? Does that include North Korea if they ask for it? Under what conditions will our user data be shared with Canadian authorities? (User data DOES include the hashed password, email, name, any logs, IP addresses, etc.)

Brendan

> On Mar 15, 2018, at 8:13 AM, Torsten Fabricius <to...@ti...> wrote:
>
> Thank you very much for bringing this topic up, including valuable information.
>
> I am concerned with the very same topic in two non-profit-orgas.
>
> I will deeply think into that and try to get some time to help contributing on the issues for Tiki.
>
> Best regards,
> Torsten
>
>> On 03/15/2018 11:09 AM, Jean-Marc Libs wrote:
>>
>> Hi guys,
>>
>> I met a local open source lawyer and we discussed the EU data protection law in relation to Tiki.
>>
>> Nothing to do related to our mailboxes or mail redirects @tiki.org since it's among ourselves.
>> Nothing to do for the mailing-lists and sf.net accounts since it's sf.net's business, not ours.
>>
>> About our websites
>>
>> Personal data collection
>>
>> One interesting info is, before the new law, the rule in France was, we were supposed to inform the CNIL (Commission Nationale de l'Informatique et des Libertés) state organisation about any listings we kept with personal information on them, and for what purpose we used them, and we had to comply with a number of privacy-related rules.
>> Now it's at the EU level, we are still supposed to comply with the EU data protection law, but we do not volunteer info to them any more. Instead, we keep track of proof that we comply in case they ask to control us.
>>
>> Now, what do we need to do in order to comply?
>>
>> Our websites need to have a 'Terms & Conditions' (T & C) page (Mentions légales if we want to translate in French which we don't). That's supposed to explain what we do with personal data we collect. Well, in our case it's personal info people volunteer.
>> When people create an account (registration), we need to tell them the purpose of this data collection, meaning what we will do with the info they provide. Also they need to accept this and we need to keep track that they accepted.
>> We probably don't need to collect this track that they accepted for old accounts, as long as we keep proof that these accounts were created before.
>>
>> Concretely, I understand we need to explain in short form on the registration page and in long form in the T & C page that the info people provide in their user account is visible on the Tiki sites but we don't sell it or give it away to other organisations or companies. Plus, we need some checkbox which is mandatory and configured as "immutable" or some similar thing which prevents users from changing it afterwards.
>> Same for the data people provide in the Consultants list.
>> People need to be able to correct and edit their personal info
>> Nothing to change here, we already do that
>> People need to be able to delete their account, meaning all their user info. We can still keep track of their edits in page histories and posts and such through their nickname.
>> I wonder if we can actually do this since we use intertiki logins??? We can let them do it on tiki.org, but will the deletion propagate on other sites?
>>
>> Cookies
>>
>> About how we should handle cookies… she tells me the lobbyists and lawmakers are still fighting it out discussing the matter and the actual new EU law which needs to be implemented before 25 May 2018 is still lacking this section.
>> She will tell me when it's published. Apparently, cookies are not the highest-priority part.
>>
>> For what it's worth, the current law which still applies says that cookies we need for the purpose of our own technical reasons are OK and unconcerned with the obligation to inform people. Only third party cookies need approval.
>>
>> In other words, unless we have other third-party services with cookies (kaltura ?) if we did not have Google Analytics, we would not need to have this cookie compliance banner on the tiki.org sites at all (not even for piwik.tiki.org because it's data we keep for ourselves).
>> But then we would not be able to dogfood the compliance banner.
>>
>> Anyway, I suggest we wait for the section about cookies in the new law.
>>
>> Conclusion
>>
>> Right now I see some action points
>>
>> Add a checkbox on the registration (account creation) and the consultants tracker
>> Write a T & C page
>> Write a one-line summary of the T & C, or link to it on the registration template and the consultants template
>> Figure out a way of letting people delete their account (or maybe a form for asking for said deletion and we can ask why they want to?)
>>
>> And a delayed action point
>>
>> Wait for the section about cookies in the new law.
>>
>> Opinions? Questions?
>> Volunteers?
>>
>> Cheers,
>> Jean-Marc "Jyhem" Libs