EU General Data Protection Regulation

On May 25th 2018 a new privacy regulation becomes valid and will be applicable in all member states to harmonize data privacy laws across Europe:

https://gdpr-info.eu/

This concerns every platform which is used by EU citizens, commercial and private. Since these regulations are substantially stricter than the ones I used to have on my sites so far, modifications to already existing privacy policy terms became necessary. Everyone who's got a homepage is obliged to adjust their privacy policy terms according to the new regulations, visible to everybody from the outside. High fines are waiting, and needless to say lawyers are in the starting gates to search sites and send admonitions.

Whether mailing lists are concerned I do not know, for they are not specified in the new regulations. Neither do I know if the privacy policy terms as they are laid out in groups.io meet the requirements.

Just to inform you...

Victoria


Chris Jones

Victoria has raised an important issue; the Groups of which I am a member do not store (in any form) anything beyond members' Display Names and email addresses, and of course that storage is actually at Groups.io.

From reading posts on this and the GMF it is apparent that some Groups hold other much more personal information about their members, and if those members (and / or the Group Owners) are in the EU then the GDPR is something they (the Owners) really need to consider.

IANAL so I am not in a position to speculate on how much responsibility rests with individual Owners and how much with Groups.io as a corporate entity.

Chris.


Jeremy H

Yes, something we all should be aware of - a quote I have come across (at https://lizhendersondata.wordpress.com/2016/12/24/gdpr-are-you-aware/ ):
“The directive will affect every single business that holds data on customers in Europe, whether or not the business is located in Europe or is part of the EU.”
Arguing that a group is not a 'business', or 'organisation' (word used elsewhere) is likely to turn into a lawyer enrichment exercise!
And another from the Irish Data Protection Commissioner (at https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm )
In essence, you are a data controller if you can answer YES to the following question:
  • Do you keep or process any information about living people?
Which I interpret as including Groups.io, Inc., and any group that includes a member (I suspect one is enough!) in the EU, and applying to Mark and the Owner of any such group.

On Sat, Apr 7, 2018 at 03:56 am, Chris Jones wrote:
Victoria has raised an important issue; the Groups of which I am a member do not store (in any form) anything beyond members' Display Names and email addresses, and of course that storage is actually at Groups.io.
Also stored is anything that members post...
IANAL so I am not in a position to speculate on how much responsibility rests with individual Owners and how much with Groups.io as a corporate entity.
Nor am I - but I would hazard a guess at both, at their different levels (owners for groups, and group.io for the overall service).

That said, to a large extent, the GDPR is essentially a reiteration, and standardisation across the EU, of what is widely in place, and a codification of what we should be doing anyway as 'good practice' (the biggest thing for many will be the need for this to be documented).

There are guides to the GDPR (overkill for most groups! - the quick 12 step versions are probably more than enough for most) from the UK ICO (at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ ) and the Irish DPC (at http://gdprandyou.ie/ ), and doubtless their equivalents in the other EU countries. Any group run in conjunction with, or for, a 'real life' (i.e. non-email/non-internet) group (of whatever sort) needs to consider how the two - and their policies - interact.

Mark should probably be reviewing the groups.io (his!) practices, Terms of Service and Privacy Policy in light of GDPR.

For MOST (not necessarily all) groups, where the only personal data collected is (Display) Name and e-mail address, and anything members choose to post or otherwise upload (in file or database) - you probably need to think about whether you're asking for more, or have any expectation of it including anything 'sensitive', e.g. health data - I would think (IANAL) a simple statement, on the following lines, would be adequate if made available (as a file or as part of the wiki):

We collect data <as above> on the basis of 'Legitimate Interests' [see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ - as it is required or implicit for the functioning of the group]; this data is stored by groups.io in the USA, see their ToS and Privacy Policy, and it is or may be available to any current or future member (or publicly if group archives, etc. are 'public'!), as part of the normal functioning of the group. While the Group Owner and Moderators will not disclose this information to third parties [if - as I would hope - this is the case: otherwise state position], we cannot guarantee that other members will not do so. In the event of any issues, please contact the Group Owner <give e-mail address>.

Another thing to beware of is ensuring that any downloaded data (member list? backup of archives? files?) is kept secure (who can do this? and do they?).

For those with more interest, other links I have come across which may be of use include:

https://lizhendersondata.wordpress.com/2016/12/24/gdpr-are-you-aware/ ; https://lizhendersondata.wordpress.com/2017/01/25/gdpr-initial-steps-whats-next/ ; https://lizhendersondata.wordpress.com/2017/03/27/gdpr-privacy-notice/ ; https://lizhendersondata.wordpress.com/2017/05/24/gdpr-plan-do-you-have-yours/ ; https://lizhendersondata.wordpress.com/2017/06/21/now-gdpr-next-more-data-legislation/ ; and https://www.theguardian.com/technology/askjack/2018/mar/29/gdpr-email-data-protection-regulations-secure .

Jeremy


Chris Jones

Having said all that Groups.io is outside the EU, and the EU's writ stops at the border. I don't know if the EU could or would block Groups.io if it was found to be being naughty. "We can't stop you but we can stop you doing it here".

Chris


Marina

On Sat, Apr 7, 2018 at 01:44 pm, Chris Jones wrote:

Having said all that Groups.io is outside the EU, and the EU's writ stops at the border.

I am not so sure about that.
I moved to IO a Yahoo group whose members are primarily EU citizens. The new group stores members' names and e-mail addresses plus all posts from previous Yahoo group, including those sent by members who have left the group.
My practical question is: what should I do to avoid legal problems?
I wasn't aware of this issue when I moved over my old group, otherwise I would have opted out of the message archive transfer.
I'd like to hear from other EU group owners who moved to IO and learn how they are dealing with this problem.

Marina


 

Marina,

I think Chris and Jeremy have already pointed out that this issue concerns both sides: group owner and provider. This seems plausible to me. As far as groups.io is concerned, each group already has the privacy policy declaration at the bottom of the site, so I suppose Mark as provider is aware of that. Concerning the coming EU regulations I'm pretty sure he has legal counselling for his side of the issue.

But as a European group owner I want to be on the safe side as far as my obligations here are concerned, especially since I do send out and receive personal questionnaires from prospective members which contain sensitive data. In our guidelines we already had a sort of privacy policy statement, but in the face of these new EU regulations I consider this not sufficient any more.

So I have just installed our own privacy policy regulations into my group's files.

I used a free generator, created by lawyers, which poses a few questions concerning the type of declaration you need. This generator then creates the declaration covering your special issues.

I don't know if in Italy the same is possible. If you spoke German I could send you the link to the generator.
Victoria


Ford Amateur Astronomy Club

In my work I specialize in information intelligence, legal and regulatory, and I can tell you GDPR is and will be a PITA.
There are a few aspects related to GDPR that are vital to know as a data manager or data owner, such as a Group owner or the Groups.io owner.

First of all, it becomes active in 46 days.
Any group that processes or holds personal data of EU residents must comply no matter where in the world they are; this includes Groups.io.
Non-compliance can result in a 20 million euro fine or 4% of annual turnover, whichever is higher.

As part of this, one of the items an EU resident can ask for is to see all their personal data you hold, which includes any conversations or emails they have been involved in.
The personal data can only be retained for a limited amount of time based on the reason you are holding it.
Any personal data you do hold needs to be protected. Transparency on how it's protected is also important, so that needs to be documented.
A method to monitor any possibility of data breaches is needed, and reporting of such data breaches needs to be swift and transparent.

Here is the hard part.......... :)

If someone leaves the group and they are an EU resident they can submit a request for all their data, which includes email, posts, chats, images, links and personal data, and you have a short time to comply. They can also do this while still members.
They also have the "right to be forgotten", which means all that data you have that they ever sent or stored on the group or any PII (personally identifiable information) such as email, name, address, phone number, SSN, driver's license or anything that can be linked to them........you must delete from your group. This includes from backups or other archives.

This also applies to data in the cloud. Nowhere is safe.

The fact that Groups.io is hosted outside the EU means nothing as they plan on aggressively pursuing any and all companies to make their point. The question is will they go after Groups.io or the group owner.


Liam


Ford Amateur Astronomy Club

This is 100% incorrect. They can and will pursue anyone worldwide. They have stated this in the GDPR regulations.


Chris Jones

On Sun, Apr 8, 2018 at 08:03 am, Ford Amateur Astronomy Club wrote:
If someone leaves the group and they are an EU resident they can submit a request for all their data, which includes email, posts, chats, images, links and personal data, and you have a short time to comply. They can also do this while still members.
They also have the "right to be forgotten", which means all that data you have that they ever sent or stored on the group or any PII (personally identifiable information) such as email, name, address, phone number, SSN, driver's license or anything that can be linked to them........you must delete from your group. This includes from backups or other archives.

This also applies to data in the cloud. Nowhere is safe.

The above sounds rather apocalyptic. Let me get this right; taking what you have written, they can require posts such as this one to be removed, even if it contains no personal information. Is that correct? Or can they expect it to be returned to them? I take it then, if I write to a newspaper and it prints the letter, the same rules apply, perhaps?

The fact that Groups.io is hosted outside the EU means nothing as they plan on aggressively pursuing any and all companies to make their point. The question is will they go after Groups.io or the group owner.

Well they can try; the EU has no jurisdiction outside the EU borders; it can try but I don't think it will succeed. At the risk of upsetting the many US citizens on this forum, the US has come in for a lot of criticism for trying that trick. US law finishes at its border as well.

Are the points you mentioned specifically in the GDPR, or are they in some "Guidance Note" prepared by someone trying to make sure that everything is gold plated as a "backside" protecting device?

Chris (in UK!)


Ford Amateur Astronomy Club

Actually they do. I'm Irish but in the US, and many US companies are gearing up for GDPR and being ready to deal with the regulations.

US legal teams are gearing up on the regulations for two reasons: to guide their clients in being prepared and to try to defend their clients if needed.

The smart entities are getting ready now. Those that think it won't apply to them are resisting until they see the EU win this in court.

The regulations basically say this is what you have to do to do business with the EU or if you store data belonging to an EU resident.

I think they already have some companies or entities in mind and they will go after them hard and make an example to prove their point that no matter where you are they will get you. When the first non-EU company gets hit, many will scramble to be compliant with the regulations.

It is also important to know that the US Senate has approved HR 1865 FOSTA, under which the hosting company is now deemed equally responsible for the content hosted on their systems, which means if a Groups.io group is in breach of any regulation or hosting data that is subject to legal or regulatory action, the host, being Groups.io, and even their hosting service are also deemed responsible. This basically means if a group owner is pursued with legal or regulatory action then Groups.io and their hosting service can also be sued.


Ford Amateur Astronomy Club

The statement that the EU has no jurisdiction outside the US is inaccurate. How many times has the EU won against companies like Google and others? They also prevent mergers of US companies that do business in the EU as they fail to meet the EU regulations regarding competition. The US has the FOIA (Freedom Of Information Act) regulations, which is similar to the GDPR requirement to provide all related data on request, as does the HIPAA regulation for the health industry. The EU are not reinventing the wheel here; they are just extending regulations they have had in various forms in different EU countries into an EU-wide regulation for all.

I can see the US doing something similar in the near future; the US are sometimes slow to adopt such changes but they get there eventually.

The press has regulations that protect them from such regulations, but they have others they are required to comply with. They would not have to comply with the right to be forgotten but may have to meet the need to turn over all data. That's yet to be clarified; we will find out if a news entity gets hit, but my guess is they won't be included.


Chris Jones

On Sun, Apr 8, 2018 at 08:56 am, Ford Amateur Astronomy Club wrote:
How many times has the EU won against companies like Google and others.
Not difficult when Google, Facebook and the like have offices in the EU. Whether Groups.io does I don't know.

The question of posts on Groups may be easily soluble. If I change my Display Name then all past posts change to the new name. All it would need would be for ex members' Display Names to be set to a default of Ex Member. If members put unnecessary personal information in posts then they only have themselves to blame!

Chris


 

Liam,

As part of this, one of the items an EU resident can ask for is to see all their personal data you hold which includes any conversations or emails they have been involved in.
This seems reasonable with regard to "personal" data, if that is defined as data which has a reasonable expectation of privacy. There can be no such expectation when posting to a group such as beta, with public archives. I would argue that even groups with "private" archives involve a purposeful dissemination of information (among the group members) and so also cannot have a strict expectation of privacy. At least not in the sense one normally means for a two-party communication.

However, IANAL and not even an EU resident, so my opinion on that counts for less than nothing.

Fortunately though, at least with respect to message postings, it is easy to comply with a retrieval request (so long as web delivery is permissible) - just provide the "All Posts By This Member" link. In your case that's:
https://beta.groups.io/g/main/search?q=posterid:174318

Maybe something similar can be devised for other content areas. Messages sent to the +owner address are also recorded, but I don't know how you would deliver them to the requesting member.

For messages sent to me off-list (at my personal email addresses) I'd have to decide between the effort required to find and deliver them, versus simply deleting them and asserting that I did not retain them.

They also have the "right to be forgotten" ...
Yup, that is harder. I like Chris' idea of just removing their display name and other meta-data from the content, thereby anonymizing it. But that may not cut it, and no doubt Chris has identified the bug-a-boo: personal info within the content.

Shal


Gerald Boutin <groupsio@...>

Users agree to certain Terms when using groups.io. This includes a Privacy Policy.
https://groups.io/static/tos

Here's a portion of the Privacy Policy. Perhaps this will help clarify some of the ongoing discussions.
Your Choices

You can visit the Site without providing any Personal Data. If you choose not to provide any Personal Data, you may not be able to use certain Services.

Exclusions

This Privacy Policy does not apply to any Personal Data collected by Groups.io other than Personal Data collected through the Services. This Privacy Policy shall not apply to any unsolicited information you provide to Groups.io through the Services or through any other means. This includes, but is not limited to, information posted to any public areas of the Services, such as forums, any ideas for new products or modifications to existing products, and other unsolicited submissions (collectively, “Unsolicited Information”). All Unsolicited Information shall be deemed to be non-confidential and Groups.io shall be free to reproduce, use, disclose, and distribute such Unsolicited Information to others without limitation or attribution.

--
Gerald


 

On 8 Apr 2018, at 15:47, Ford Amateur Astronomy Club <info@...> wrote:

The fact that Groups.io is hosted outside the EU means nothing as they plan on aggressively perusing any and all companies to make their point. The question is will they go afer Groups.io or the group owner.

Hi Liam,

I’m interested in what evidence you have seen that this is so? I am involved in a number of UK/EU government roundtable departmental meetings (connected with intellectual property) in which the GDPR has come up as a discussion point. I have not heard anything from the EU officials side that they 'plan on aggressively pursuing any and all companies’ as you say.

As a side note, the fact that the UK is leaving the EU won’t make any difference to anything (as far as the UK is concerned) as the EU acquis as it stands will be implemented into UK law (regulations such as the GDPR have direct effect anyway and directives will have been transposed into UK statute).

kind regards

Nick
__

dUNMUR | member of the Association of Photographers


Marina

On Sun, Apr 8, 2018 at 07:29 am, Victoria wrote:


So I have just installed our own privacy policy regulations into my group's files.

I used a free generator, created by lawyers, which poses a few questions concerning the type of declaration you need. This generator then creates the declaration covering your special issues.

I don't know if in Italy the same is possible. If you spoke German I could send you the link to the generator.
Thank you for your offer, but unfortunately I don't speak German.
I shall try and set up a privacy policy. Ideally, prospective members should have a chance to read it before even sending a subscription request.

Marina


Marina

On Sun, Apr 8, 2018 at 05:03 pm, Shal Farley wrote:


Fortunately though, at least with respect to message postings, it is easy to comply with a retrieval request (so long as web delivery is permissible) - just provide the "All Posts By This Member" link

That sounds a good way to deal with privacy requests.
However, even if you manage to delete all past messages sent by a member (by the way, I couldn't find a "bulk remove" option under All Posts by this Member), this does not grant his/her right to oblivion as parts of the original messages may be disseminated in other members' replies.

Marina


Chris Jones

On Mon, Apr 9, 2018 at 02:11 am, Marina wrote:
However, even if you manage to delete all past messages sent by a member (by the way, I couldn't find a "bulk remove" option under All Posts by this Member), this does not grant his/her right to oblivion as parts of the original messages may be disseminated in other members' replies.

If you read Gerald's post above I think you will find that this is a non-problem. At the risk of "padding" I will repost a highly relevant paragraph that he quoted from the Privacy Policy.

Exclusions

This Privacy Policy does not apply to any Personal Data collected by Groups.io other than Personal Data collected through the Services. This Privacy Policy shall not apply to any unsolicited information you provide to Groups.io through the Services or through any other means. This includes, but is not limited to, information posted to any public areas of the Services, such as forums, any ideas for new products or modifications to existing products, and other unsolicited submissions (collectively, “Unsolicited Information”). All Unsolicited Information shall be deemed to be non-confidential and Groups.io shall be free to reproduce, use, disclose, and distribute such Unsolicited Information to others without limitation or attribution.

The sentences in bold have been highlighted by me. In other words, if someone puts something "personal" in a Group Post then it's their responsibility, not that of Groups.io. It also addresses the point made by Shal earlier in this thread:

I like Chris' idea of just removing their display name and other meta-data from the content, thereby anonymizing it. But that may not cut it, and no doubt Chris has identified the bug-a-boo: personal info within the content.

I would have thought that just removing the original Display Name would be perfectly adequate.

The real problem will arise with individual Groups that for whatever reason collect personal information about their members as part of the Group's raison d'être. A further potential problem is the ability of some types of Group to download a list of previous members. Now that might prove contentious.

Chris



 

Marina,

However, even if you manage to delete all past messages sent by a member ... this does not grant his/her right to oblivion as parts of the original messages may be disseminated in other members' replies.
Quite true. And while it is technically possible for a moderator to go through and edit each post with a quote of that member, that would likely be completely impractical in practice for an active member.

This speaks to my common-sense argument that the privacy rules, and in particular the right to be forgotten, shouldn't be applicable to group messages, for much the same reason they won't be applied to newspapers: the postings are intended, purposefully, for dissemination (at least among group members). They are in that sense published works, even if the distribution is limited.

But yes, I know, the law is an ass, having no regard for common sense.
https://en.wiktionary.org/wiki/the_law_is_an_ass

(by the way, I couldn't find a "bulk remove" option under All Posts by this Member)
That feature does not exist. I fear we'll all rue the day it does. It seems like a quick way to destroy the useful content of a group.

There's a reason that the word "archive" is often used to describe a group's store of messages: it carries the connotation that they are something of value.

Shal


Chris Jones

On Mon, Apr 9, 2018 at 03:08 am, Shal Farley wrote:
This speaks to my common-sense argument that the privacy rules, and in particular the right to be forgotten, shouldn't be applicable to group messages
As they stand Groups.io's Privacy Rules clearly exclude anything posted in a Group Message.

Chris