[EuroPython] Publication of speakers' data on the web site

Charlie Clark charlie.clark at clark-consulting.eu
Sat Apr 9 16:46:51 CEST 2011

On 09.04.2011, 16:10, Giovanni Bajo <rasky at develer.com> wrote:

> I disagree. The form linked above clearly explains what it is going to
> be published and what it is not. Moreover, if you submit the form once,
> you are brought to the exact page that *will* become public, but still
> in a private form; you can review everything and amend at any time.

The pop-up requires JavaScript to work. As it stands they are two  
slightly contradictory statements. I would suggest you clarify in the  
obligatory opt-in field exactly what data will be published on the  
website. To be honest, as the form is not secure neither statement is of  
any great relevance from a data protection perspective: all public data is  
being transferred in the clear. Would it be possible to have the forms  

>> but then the site
>> is also using Google Analytics which also breaches this
> Again, I disagree. We don't send Google Analytics any private data that
> we are aware of. If you mind to elaborate on where our privacy policy
> seems to disallow Google Analytics usage, we can amend the text to allow
> it (and/or explicitly mention that it is being used). Plus, it's
> possible to globally opt out from GA as you might know.

IP addresses are considered as personal information. In general, in  
Europe, only opting-in to the collection of personal data is permissible  
and, as such, the US preference for opting-out is not sufficient.

>> and it's also not
>> sure which data is handed over to Janrain for the single sign-on: their
>> website doesn't really inspire trust that personal data will be treated as
>> such.
> We don't hand anything to Janrain; it's exactly the other way round,
> because Janrain gives us the personal information extracted from the
> website used for login. You can read more about Janrain privacy policy
> on their website. Plus, you are not required to use it, you can go
> through a standard form if you prefer.

As with Google Analytics the details of the service should be in the  
privacy statement.

>> I'm more than a little intrigued to see cookies for the site for a
>> conference in 2011 set to expire in 2021.
> This can be something that we overlooked. I'll get back to you.
> BTW, I didn't appreciate your tone. We are volunteers working in our
> spare time to service the community. We surely make mistakes like anybody
> else, especially on complex legal matters, but you will not help the
> event or its participants just by citing EU directive numbers or naming
> violations without providing details nor proposing solutions.

Sorry if you don't like my tone. I'm only trying to raise awareness of the  
current legal situation. As you are aware, neither your status as a  
volunteer nor ignorance of the law is likely to be much of a defence  
in the, admittedly very unlikely, event of a legal challenge.

The EU directive was not particularly well-drafted and explicitly forbids  
the use of cookies on a website without the explicit consent of the user  
in advance. Cookies that "are essential for the technical provision of a  
service" may be exempted from this. Although the law is supposed to enter  
into force by 25th May 2011 it must be implemented in each individual  
nation state and the EU Commission normally gives countries at least three  
years before initiating procedures. However, the jurisdiction on this is  
not clear for such a patently international process: what happens when the  
law is in force in country X and not in country Y. Because the law is so  
poorly drafted it is likely to open the door at least to test cases and at  
worst to serial injunctions leaving it up to the courts to decide exactly  
how to interpret it.

I hope this helps clarify my comments.

Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Helmholtzstr. 20
D- 40215
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
