[Mailman-Developers] GDPR

noskcaJ leahciM JACKSON at encompasserve.org
Thu Sep 7 08:31:45 EDT 2017 

GDPR  is  nearing  the  last  7  months  of  its  2  year   transitional
implementation  before  becoming  part of the law in EU countries (inc.,
despite Brexit, the UK),  affecting  0.5bn  citizens  together  with  US
enterprises  in under Privacy Shield (replacing Safe Harbour) as well as
enterprises in EEA member countries and, outside of the  EEA,  countries
whose  privacy laws have been assessed for adequacy.  Operators of lists
such as MM are as much called-to-account as are  the  vast  corporations
behind  popular  social media that currently absolve themselves as being
mere publishers.

Below is an initial impact assessment (vs.  MM 2.1.14) of high  priority
impacts  in  bullet-point  form  for immediate consideration based on my
current understanding.  Where changes are required,  they  are  required
for  continued use of MM in EU countries and in adequate countries (inc.
EU-US Privacy Shield) where one or more list members is an  identifiable
EU citizen.

1.  The term consent has a specific meaning within GDPR (i.e.  one of  a
    number  of  lawful  bases  on which personal data may be processed).
    The subscribe web flow and subscribe/confirm email exchanges  should
    be  edited  to  use  the  term "consent" rather than "confirm" where
    appropriate to make that consent explicit.

2.  The term restriction has a specific meaning within GDPR (in  general
    it  means  suspending any use (processing) or disclosure of personal
    data.  Nomail could usefully be renamed  as  "Restriction"  and  the
    Nomail  functionality  extended  made  to  operate  both  ways, i.e.
    restricting  members  from  posting  and  restricting   (suppresing)
    retrieval of a restricted member's details in a list of [subscribed]
    members.

3.  GDPR places strong record-keeping obligations on  data  controllers.
    It   implies   that  audit  trails  of  consent  be  maintained.   A
    per-subscriber report that shows how they were  subscribed,  keeping
    details  of  ip addresses of browser used if by web etc., log of all
    preference changes made  etc.   is  a  Should-Have  requirement.   A
    per-list-report   perhaps  showing  less  detail  (e.g.   method  of
    subscription and time  and  date  of  consent)  is  a  a  Could-Have
    requirement.

4.  GDPR provides that the right of erasure (that has coloquially become
    known  as  the "right to be forgotten) be provided upon request.  In
    addition ot unsubscribing from a list, a list subscriber  Should  be
    able  to  initiate  automated  erasure  from the site archive of all
    posts of and from a given subscriber.

    There seems no reason  for  erasure  to  be  moderated.   Using  the
    existing  password  authentication  or a confirm string, subscribers
    could be  provided  with  the  ability  themselves  to  erase  their
    personal  details  from  the  site,  including  all  archived posts,
    without administrative intervention or incurring the delays inherent
    with moderation.

    GDPR doesn't provide for selective erasure, for example in the  case
    of  a  non-factual,  inflamatory  or libelous post that a subscriber
    wishes to have removed; all-or-nothing will suffice  for  compliance
    with  GDPR.   Erasure  is  required  to  uphold  a  right  so  is  a
    Should-Have requirement.

5.  GDPR enshrines 7  principles  and  8,  legally-enforceable,  rights.
    While  "Privacy by Design and by Default" is not actually one of the
    principles it  is  a  mandatory  approach.   The  default  for  list
    settings should be to

      i)  to close lists, making posting to lists restricted to members;

     ii)  to hide or disguise identities in automatically-added elements
          of list members' posts (e.g.  in "From:");

    iii)  to hide or disguise identities inadvertently disclosed in list
          members'   posts   e.g.    from   quoting   others  etc.   (My
          interpretation is that no risk arises to the operator  of  the
          list  where  member  2 quoting text of member 1 where member 1
          intentionally included their contact details in  a  post,  for
          example  as  a phone number or as "me -at- here"; meaning that
          it  is  sufficient  to  suppres/disguise  headers  and   email
          addresses entered un-disguised by posters)

     iv)  either  to  disallow  retrieval  of  list  members  to  [even]
          subscribed members, or to hide/disguise addresses in retrieved
          lists;

      v)  to archive privately, requiring authentication and and keeping
          records  (logging)  of  to whom information on the archive was
          disclosed;

     vi)  on closed lists (the default), disallow the posting of HTML by
          which  otherwise  members might seek to obtain the identity of
          others through inclusion of web bugs/beacons.

More information about the Mailman-Developers mailing list