Hacker News

> Please elaborate.

As you wish:

> I frequent Europe and do not want to get into legal trouble on vacation.

There is no precedent for violators of EU privacy law being harassed while on vacation (yes, there are examples of this on the US side, but that's not what we are discussing here).

Worst case you would be warned to become compliant, then if you persist in not being compliant you might be fined, then if all that fails there might be a request for extradition but I highly doubt it would even get that far. Time will tell. What will definitely not happen is that out of the blue you will be yanked from your bed in Paris or Barcelona because you decided to refuse a request for deletion.

> The days of someone making something, putting it on the internet and offering it to the world seem to be over.

No, the days of harvesting data and building profiles without consent are over. You can make something just like you did last week and you can offer it to the world just fine. Do take care of your users data, be a good steward and try to do your best not to get hacked.

> do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR.

The GDPR does not have this requirement for the kind of business the article writer has. No need to hire anybody. Pure nonsense.

> Tracking crashes with Crashlytics introduces new issues because it is posted to Fabric from a user's device. IP addresses are in the logs; this is personally identifiable information (PII). Crashlytics is GDPR compliant, but the burden is on me to show regulators that I am compliant, which points back to the need for a DPO.

Having a DPA in place with Crashlytics takes care of this; that's all the burden there is. In fact, Crashlytics most likely has a standard form for this, because they will be entering into DPAs with a lot of companies in the next couple of weeks/months.

> Even though no message traffic passes through Monal's server, registering for a push does make an HTTP call which logs a user's IP, and this requires GDPR compliance.

Everything you do requires GDPR compliance, but not everything is impacted by the GDPR. In this case logging the IP is fine, and when you're done with the data you can get rid of it. No need to keep it indefinitely. And that simple trick, removing data that you no longer need, is going to go a long way towards establishing GDPR compliance.

> APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person. However, the fact that it can be combined to identify a person makes it PII.

So do not keep it longer than you need it.

> I believe in privacy but I do not have the resources to meet the letter of the law for compliance especially with respect to retention and processing these tokens.

But he does have the time to write blog posts complaining about having to meet the letter of the law. That time would have been better spent actually reading the law and figuring out the impact.

> Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR.

Of course it is.

> EU user data is sent out of Europe constantly.

Indeed. And that won't stop because of the GDPR.

> GDPR is written such that a user cannot agree to a user agreement that gives up GDPR requirements it’s not a matter of saying you agree to X by using this service.

Yes, that's the whole point. You can't blackmail your users into opting out of the law by withholding your product, which is a very, very nasty way of trying to deal with a legal issue, rather than facing it head on and simply trying to comply.

> GDPR compliance is something the XSF is talking about right now.

Good to see not everybody has the same attitude.

The way I read it, this person is not trying to limit their liability; they're simply trying to pretend the law doesn't exist, have come to the conclusion that that won't fly, and now blame the law for their laziness and negative attitude towards the privacy of their users in general.

If he really cared about the users' privacy then he'd at least make a serious attempt. This blog post does not indicate a serious attempt was made; it reads like someone looking for excuses.
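The retention argument made in the comment above (log the IP, keep the push token, then delete both once they are no longer needed) is a concrete technique, so here is an added example of what that looks like in code. This is not Monal's code or anything from the original post: it assumes a hypothetical push-registration server backed by SQLite, and the two TTL values are assumptions chosen for illustration, not anything the GDPR prescribes.

```python
import sqlite3
import time

# Assumed retention windows (illustrative, not prescribed by the GDPR):
# request IPs are kept briefly for abuse handling, push tokens until the
# client has not refreshed them for a while. Both are deleted automatically.
IP_LOG_TTL = 7 * 24 * 3600      # one week
TOKEN_TTL = 90 * 24 * 3600      # ninety days


def open_store(path=":memory:"):
    """Open (or create) the store. Two tables with separate lifetimes, so
    the short-lived IP log can be purged independently of the tokens."""
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS push_tokens (
            token     TEXT PRIMARY KEY,
            last_seen INTEGER NOT NULL
        );
        CREATE TABLE IF NOT EXISTS request_log (
            id   INTEGER PRIMARY KEY,
            ip   TEXT NOT NULL,
            seen INTEGER NOT NULL
        );
    """)
    return db


def register_push(db, token, client_ip, now=None):
    """Handle a (hypothetical) push-registration call: refresh the token's
    last_seen so that live clients are never purged, and log the client IP
    with its own timestamp so it can age out separately."""
    now = int(time.time() if now is None else now)
    db.execute(
        "INSERT OR REPLACE INTO push_tokens (token, last_seen) VALUES (?, ?)",
        (token, now),
    )
    db.execute("INSERT INTO request_log (ip, seen) VALUES (?, ?)", (client_ip, now))
    db.commit()


def purge_expired(db, now=None):
    """Retention sweep: delete tokens and IP records older than their TTL.
    Returns (tokens_deleted, ip_records_deleted). Run it from a cron job."""
    now = int(time.time() if now is None else now)
    tokens = db.execute(
        "DELETE FROM push_tokens WHERE last_seen < ?", (now - TOKEN_TTL,)
    ).rowcount
    ips = db.execute(
        "DELETE FROM request_log WHERE seen < ?", (now - IP_LOG_TTL,)
    ).rowcount
    db.commit()
    return tokens, ips


def forget_token(db, token):
    """Honour a deletion request for one device without waiting for the TTL.
    Returns True if a token row was removed."""
    removed = db.execute("DELETE FROM push_tokens WHERE token = ?", (token,)).rowcount
    db.commit()
    return removed == 1


def counts(db):
    """(tokens stored, IP records stored): what the server still holds."""
    tokens = db.execute("SELECT COUNT(*) FROM push_tokens").fetchone()[0]
    ips = db.execute("SELECT COUNT(*) FROM request_log").fetchone()[0]
    return tokens, ips


if __name__ == "__main__":
    # Constructed sample traffic: two devices, one of which keeps refreshing.
    db = open_store()
    t0 = 1_700_000_000
    register_push(db, "tok-a", "203.0.113.5", now=t0)
    register_push(db, "tok-b", "203.0.113.6", now=t0 + 30 * 86400)
    register_push(db, "tok-b", "203.0.113.6", now=t0 + 100 * 86400)
    print("purged:", purge_expired(db, now=t0 + 100 * 86400))
    print("remaining:", counts(db))
```

The point of the two separate timestamps is that the IP, which is only ever needed briefly, disappears long before the token, which has to survive as long as the device keeps registering; a single "created_at" column on one table would force both to share the longest lifetime.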



re: DPO

I think you are being a bit naive and dismissive. The law could easily be interpreted as his endeavor requiring a Data Protection Officer. The guidelines (http://ec.europa.eu/newsroom/document.cfm?doc_id=44100) for the DPO require that processing "special categories of data" needs a DPO. Those categories include things as benign as "trade union membership."

So if his chat app has someone in the EU chatting about trade union membership while this chat service then "processes" that data, they might be held liable to the DPO requirement.


Bigger than the DPO issue for processing Article 9 special data is the fact that processing Article 9 special data is generally prohibited outside of enumerated exceptions.


> so if his chat app has someone in the EU chatting about trade union membership while this chat service then "processes" that data, they might be held liable to the DPO requirement.

This is a ridiculous argument. No, someone in the EU chatting about trade union membership does not magically require him to hire a DPO.

Please.


There are two kinds of "free service" on the internet. There's the Facebook / Google kind of free, where the herd of non-paying users is being aggressively monetised in other ways by a very profitable business. It's perfectly reasonable to expect this kind of free service to jump through the GDPR hoops as just another cost of doing business.

This is the other kind of free, where it genuinely is being done out of interest's sake as a public service, like guerrilla gardeners. In this case, it's perfectly reasonable to say that you got into this because you're interested in solving the technical challenges, not because you enjoy wading through bureaucratic rules, and decide to stop offering that free service in the EU because the fun has gone out of it.

Probably you're completely right about how easy complying would actually be, and in that case you could certainly take this code and run your own push server that serves EU clients.



