[Mailman-Developers] GDPR

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Mon Sep 18 04:19:51 EDT 2017


noskcaJ leahciM writes:

 > It's the law.  Some of us have to deal with it; like it or not.

 > GDPR merely calls for explicit consent (where appropriate).  E.g.

 > A picture is worth a thousand words:

None of this is helpful to me; as far as I can tell it's not
responsive to what I wrote or asked.

 > You sound angry.

Yup.  You do not display an understanding of what I wrote, and presume
that *I* misunderstand the need and oppose your program.  I do
understand privacy, and although my values differ from the EU's, I do
not oppose dealing with GDPR "someday".  The questions are "when" and
"with what resources" and "what is an accurate specification of what
needs to be done".  Your answers are "soon" and "it's easy" and "don't
worry about it", and I don't think any of those are valid or useful.

 > Stephen, look at it another way.

I'm already looking at it that way, and telling you it will be
expensive to deal with it properly in Mailman, and in similar
applications.  Mailman currently likely does not have the resources to
do so in the next two years.

 > You can, however, have regard to law regulating use of personal
 > data.

Once again, I don't think that is a useful way to think about software
development (don't we all just love DOD-STD-2167A?), and I suspect my
feelings are pretty representative of OSS volunteer developers.

I assure you (and everybody else who worries about GDPR) that we
*will* have regard for *our* (European) *users'* *needs* vs. the law,
and *their* *preferences* vs. privacy that may not be defined by law.

The mere existence of a law?  "Frankly, my dear, I don't give a damn."

We'll do what we do, and do it well, when the time comes that we
believe it serves our users better than alternative tasks do.  For
example, better installation procedures and Mailman 2to3 migration
automation are *definitely* going to come before GDPR mitigation.
Without those, there won't be very many users in Europe (or anywhere)
to care about GDPR.  Almost certainly, better authentication for the
core will come before, too.  Otherwise we won't be able to protect
from some important threats to privacy, and this is something we've
been thinking about for quite a while.  And so on.

So until GDPR's turn comes, "patches, real legal advice, and money
welcome."

I REALLY would like to hear from an EU information rights lawyer who's
active in the personal data privacy field, or somebody facing imminent
application of the law at their Mailman site who can get precise
information about how regulators are going to interpret these laws,
from lawyers or regulators.

Steve


-- 
Associate Professor              Division of Policy and Planning Science
http://turnbull/sk.tsukuba.ac.jp/     Faculty of Systems and Information
Email: turnbull at sk.tsukuba.ac.jp                   University of Tsukuba
Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN

