[Mailman-Users] [Mailman-cabal] GDPR

Bernd Petrovitsch bernd at petrovitsch.priv.at
Thu May 17 04:56:38 EDT 2018 

On Mon, 2018-05-14 at 16:54 -0600, Grant Taylor via Mailman-Users
wrote:
[...]
> On 05/14/2018 04:11 PM, Bernd Petrovitsch wrote:
> > Seriously, these folks don't know what they imply.
> 
> Nope.  Politicians (almost) never fully understand what's going on.

FWIW and IMHO, I think we are in violent agreement here.

[...]
> Who's at fault in this scenario:  The person who overheard what I said
> (the archive) or me for saying it in a non-secure manner (the sender)?

In the old-school life: the sender (because s/he said it on her/his
free will) - I hope;-).
But the person who overheard it may tell the story to a third person.
And it's just/only hear-say - even if it's actually 100% correct (which
it is almost never ever the case). And there starts actually the real
"forgetting" or "doubts" ...

But in a "everything is written" world, that is massively different: In
the old-school world, a "written proof" had a quite large value because
it wasn't trivial to have such a thing.
Nowadays - with almost every communication over the Internet - it's the
normal, that there is a "written proof" aka recorded/logged/whatever.

I'm not diving into differences of "how some judge may value some so-
called proof" in some given (somewhat Western) country, but most people
- even in Spring 2018 - don't realize, what's really going on and try
to get back the world from the 1960s (or so;-) - well, "thinking before
talking" was always a hard job;-)

> Is there any legal method that I can use to compel a person to
> forget=20
> what they overheard me say?

A court order may "force" you to not tell it to anyone but it can't
make you forget it (or write it down and hide it somewhere safe).

So in general: No. And that's exactly the problem with the "right to be
forgotten".

> > For the author's rights side to it: I answer an email (and happen
> > to quote just the relevant parts of other emails) to a public
> > mailinglist with a public archive.
> > 
> > I don't think that the archive's admin or anyone else should have
> > the right (let alone the duty) to edit or change my email in there
> > - or even worse: remove it completely.
> 
> I disagree.
> 
> I believe that the admins / owners of the archive have the right to
> remove something from the archive (or prevent it from going into the
> archive in the first place).

Of course.
But only for (somewhat obvious) very good (including legal) reason like
really hard law issues like - at least in .at and .de - Nazi stuff
and/or (everywhere I hope) certain forms of pr0n.

But for some claims of "please remove my email address?"?
If that email address can be found (via Google) on hundreds of sites,
the removal of one instance doesn't change anything.
Ooops, and a chicken-egg problem ....

> I don't believe that admins / owners have the general right to modify
> what was said.

ACK.

> I do believe that the admins / owners have the right to modify what was
> said in very specific cases, like REDACTING something.  As long as they

That question should be answered by some copyright/authors right
lawyer.

> do so in a manner that is clearly identifiable that something was REDACTED.

ACK.

> After all, it is their system, they administer / own it and can do
> what ever they want to with it.

Yes, and everyone writes that in the mailinglists charta (including
that all mails go into a public archive, are never edited, censored,
deleted, etc.).
Just from that point of view, everyone sending mails to the mailinglist
has implicitly agreed to the rules including the publication in a
Google-indexed archive.

BTW: I cannot do *everything* I want with it because I cannot choose to
plain simply ignore modification requests from a court.

> They should go out of their way to not misrepresent what you said /
> did.
> 
> They could also claim that your message was modified before it got to
> them.

Everyone can claim a lot of things - the hard question is how to proove
it;-)

> > PS: The whole "right to be forgotten" idea is absurd per se - think
> > about private archives (and I don't think about 3-letter
> > organizations only).
> > Can't we define the public archive to be an necessary and important
> > part of a public mailinglist and be done with it?!  For almost
> > everyone else some "important reason" is good enough too.
> 
> I feel like the idea that you can compel someone to forget something
> is absurd.
> 
> I think you can compel businesses to no longer use your contact
> information.

Any serious business won't send me any "newsletters" if I request that
without any legal backing (if only that I continue to buy from it in
the future and don't tell anyone that they ignore such simple things -
and because it's "just the right thing to do"(TM)).

> Which is my naive understanding of part of what the spirit of GDPR
> is.

Yup, but there are other companies or folks using selling addresses and
other personal data (if only for "scientific purposes"[0]).

> I can see a scenario where a company completely removes any and all
> traces of someone, then buys sales leads which contain said person, 

Selling and buying "sales leads" (which are actually contact addresses
at best) or personal data (as covered by the spirit of the GDPR) as
such should be forbidden - that would solve more problems and is easier
to enforce).
ATM the companies are free to do (almost - also depending on the local
jurisdiction) anything with personal data and the effort to handle
misuse of it is shifted to the private person.
It should be the other way around ....

> and ultimately contact said person again.
>
> Is the company in violation of GDPR?  They did (and can prove *) that

No.

> they removed the person's contact information and thus forgot about
> them.
> 
> Or should the company have retained just enough information to know
> that they should not contact the person again?  I.e. a black list.

Yeah, that's an interesting issue (which happen to apply to the next
club with normal member management): A member leaves (for whatever
reason) and - to minimize the data - expects that all data about
him/her is (really) deleted.
But if the same person comes back two years later, doesn't the club (or
company) have the right to *know* that that person was already a member
(and in which years)?
And if a member is expelled, the club surely wants' to remember that.

Of course, that completely invalidates any "request on forgetting" per
se (and reduces it to "act like you don't know it").

A completely other approach (and solution;-) to "mailinglist archive
and the GDPR": *Is* an automatically generated mailinglist archive in
HTML actually subject to the GDPR?
It's not that is really structured and/or organized like e.g. some SQL-
database.

MfG,
	Bernd (IANAL etc.)

[0]: Killing whales is only allowed for scientific purposes since >30
     years IIRC. Did that really change anything for the whales?
-- 
Bernd Petrovitsch                  Email : bernd at petrovitsch.priv.at
                     LUGA : http://www.luga.at

More information about the Mailman-Users mailing list