[Mailman-Users] [Mailman-cabal] GDPR

[Ángel]

On 2018-05-13 at 05:39 +0900, Stephen J. Turnbull wrote:
> It would be a much more annoying matter if they claimed the right to
> be deleted from third party posts that quoted and identified them,
> though.  If there is a "right to be forgotten" that impinges on
> mailing list archives, that seems plausible to me, though who knows
> what the High Court would rule.

I see a few points here.

First of all, and I think it hasn't been mentioned yet is the Right to
access, ie. of letting people know which data you have about them.

I would consider that listing all post by email address X would fulfill
it, plus a search feature (*) in case they want to search by other
terms, like looking for posts with their name in it.

(*) It is my understanding that just providing the mbox and expecting
them to grep through it just as the sysadmin would have to do would be
sufficient (OTOH if you had an advanced system for completely tracking a
guy, and provide him just a crude interface that's probably not ok). 

Having to find out "anything and everything" where the user was
mentioned may imho require what the GDPR calls "a disproportionate
effort", and could even result into some liability for not finding some
instance.
Whereas providing the tools with which it can be done, takes that issue
back to the requestor, by providing the tools by which they can do it.


As such, wrt redacting archives my view is that they should provide all
the urls to the content they want removed (which they should have been
able to easily found per above).
They provide a list of urls for consideration, only those need to be
looked at. I would assume they are ok with other mentions to them if
they didn't provide them.
If I detected that there was a follow-up top-posting email containing
the original content I would probably also truncate it, but strictly as
a courtesy matter and with no guarantees that I would do that.
If they failed to find themselves, why would I need to dig through the
archives, not even knowing what I am looking for? There are too many
ways to refer to someone, the email address, different names and
abbreviations (and misspellings!), which would not even be unique, plus
all kind of references (just suppose that the people to which Julian
referred claimed that his email contains PII about them!).

Requests to remove on-topic inline replies would be quite a different
matter, as they involve removing or altering messages by other people,
which could significantly modify the meaning of what third users say by
changing the context of the rest of the thread (which isn't necessarily
well-defined in a machine readable way). Plus, changing that may
infringe some protected speech rights by the subsequent poster (ouch!).
Not to mention the multiple jurisdictions typically found on the user
base many mailing lists.

I would expect reasonable requests not to be a problem, though (eg. just
removing an address from a mail signature).




As an actionable for the mailman project, I think it could facilitate
the implementation of §59:
> Modalities should be provided for facilitating the exercise of the
> data subject's rights under this Regulation, including mechanisms to
> request and, if applicable, obtain, free of charge, in particular,
> access to and rectification or erasure of personal data and the
> exercise of the right to object. The controller should also provide
> means for requests to be made electronically, especially where
> personal data are processed by electronic means. The controller should
> be obliged to respond to requests from the data subject without undue
> delay and at the latest within one month and to give reasons where the
> controller does not intend to comply with any such requests.
> 
The user could be browsing a mailing list archive (as noted above) that
provides a link to "report content to remove" (automatically verifying
the reporter provided email address), which can then be automatically
removed (if it's his own email message and configured that way by the
list admin) or goes into a queue for admin reviewing (where it can be
easily hidden) or replied.
NB: this process is more ample than mere "Right to be forgotten"
requests, as that would also work for copyright infringement, virus,
etc.


Best regards

Ángel

-- 
Just another non-lawyer looking for his way through the GDPR.