As usual there are a lot of great sidebar conversations going on. If you're having a great conversation, I'd ask you to take it to the hallway track so that we can start now with Mark Jones.

Hello, my name is Mark Jones. I'm going to do a presentation on the GDPR and FOSS today. A little bit about myself before we get started. The obligatory: I am a lawyer. I'm not your lawyer. This isn't legal advice. I work for a company; I work for CivicActions as in-house counsel and a compliance engineer. But these are my views. These are not the views of my employer.

A little bit about the presentation. The GDPR is the new EU privacy law that's going to come into effect next May. Generally there are no specific requirements that any software manufacturer has to implement in their software. So, FOSS developers, I'm not here to tell you what you need to do to comply with this law. Presentation over. But I do think the GDPR presents some opportunities for FOSS projects, in terms of promoting your own project but, more importantly, promoting the privacy rights of yourself and your friends and neighbors. That's really what I want to talk about.

So why listen to this presentation? I think you should listen to this presentation because, if you're a FOSS developer, I have come to believe that FOSS developers are, in American parlance (and this is probably not the right word to use for Europeans), basically civil libertarians. In the United States, a civil libertarian means someone who's very concerned with promoting individual liberties: freedom of speech, freedom of religion, freedom from constraints from government control. That terminology changes from country to country. I learned this when I was working at the Software Freedom Law Center as an attorney. I used to ask software developers, why do you care about free software?
Because no one puts all of this work into creating software and giving it away for free, free in the gratis sense, unless they're doing it for a reason; they must really care about something. Most of the time what my clients and people at that conference would tell me is that they're concerned about control. They want control over their own computer. They want to know what programs are running on their own computer. But they're doing more than that too, because they're not just writing software for their own computer, they're writing software for other people's computers as well.

The other thing I noticed about free software developers is that they're kind of obsessed with encrypting things. I don't know, you know anyone like that, who might be a little upset because everything's better when it's encrypted? I think everything's better when it's encrypted, mostly, and for the same reason they want control over things: they want control over who has access to their data. It generally comes from a sense that people are concerned about privacy. So the reason I think FOSS developers should be concerned with the GDPR is that FOSS developers aren't just concerned with control of their own computer. They're not just concerned with encrypting things. They're concerned about privacy, and I mean privacy in a broader sense, privacy the way most lawyers mean it.

I'm going to point to a couple of documents, or one document in particular, about FOSS. These are the three documents that I usually talk about when I'm trying to explain to businesses or clients what it means to be an open source license or a free software license or a FOSS license or FLOSS license or whatever you want to call it. They're all related historically; they come from one another.
So generally you're not going to find a license that meets one of the standards, the Free Software Definition or the Debian Social Contract or the Open Source Definition, that doesn't meet the others. But I think the Free Software Definition is probably the easiest one to explain for the point I'm trying to make here. When I tell my friends and family what I do, that I help FOSS developers, that I work in the field of free software, they say, what's free software, like shareware, that kind of thing? And I'm like, no, think of this great quote: free as in free speech, not as in free beer. Some people think, oh, that's kind of ridiculous, it's not very serious. I'm like, well, it is actually in the Free Software Definition; that's a direct quote from them. I think that really goes to what FOSS is. It's not just about writing code and giving code to other people, or having your own code on your computer. It's about freedom.

If you look at the Free Software Definition, the four freedoms, there are probably some people in this room who know these four freedoms better than I do. I know there are some people in this room who know these four freedoms better than I do; I have to go back and read them. But when I went and looked this up, I divided them into two different things. The first two are really about freedom zero, the freedom to run the program as you wish, for any purpose, and the freedom to study how the program works and change it so that it does your computing as you wish. These are freedoms about how you interact with your computer, what your computer is doing with the data on your computer, right? Because computers really aren't that useful unless they're operating on data. So this is about how your computer is operating on your data. The second two, and this is what I think makes FOSS political and makes people civil libertarians, because it's not a selfish action, the second two are about freedoms to help other people.
The freedom to redistribute copies of the program so you can help your neighbor; it's explicitly in there, in freedom two. The freedom to distribute copies of your modified version of those programs, freedom three, to make that program better, to respect that person more, so they have more control over how their computer is operating and what it's doing with their data. It's not about telling other people what they should be doing with their data. It's about giving them the choice and the freedom to do that.

So how does this relate to the GDPR? First I want to point out that privacy is more than just encryption. I think a lot of people think that privacy is about hiding your wrongs, or making sure that people can't find out what you did. I think that's an underestimate of, or just a disservice to, the value and importance of privacy to society. If you think about it that way, authoritarian regimes are actually going to win the argument about why it's okay for them to invade your privacy. So I want to point to a book called Nothing to Hide by Professor Dan Solove, a law professor specializing in privacy law in the United States. His view about privacy is that it's not just about hiding wrongs. Privacy is more than that. Violations of privacy aren't just Orwellian, where the state knows everything about you. They're Kafkaesque, because it's about what they're doing with your information. So it's not just keeping the government from watching you so they don't know everything about you. When you give up some of your data, when you exchange it for something else, when you let people know information about you, you care how that information is going to be used, because it matters to you. It has an effect on you. You're sharing data because you want to relate to other people. You might want something from them.
Maybe you're trading your biographical information for, say, free software. You can use Facebook for free; all you have to do is be the subject of targeted advertising. Okay, well, you can do that, but you also trade information in intimate relationships too. You tell your spouse or your girlfriend or your boyfriend intimate details about yourself because you want to establish a relationship with them. Establishing those relationships creates control over each other's lives, and sometimes that's good. You want your girlfriend or your boyfriend or your husband or your spouse to be able to influence you, and sometimes you want advertisers to influence you too, because you want to buy the best product. You want to find out about those good things, and that's fine. But violations of privacy, where you don't have control over how your information is being used, affect the balance of power in that relationship. Dan Solove talked about it in terms of the relationship with the modern state, and that's where traditional privacy comes from: what is the state spying on? But this is also true of corporations. How much control a corporation has over you depends in part upon how much they know about you.

A similar way to think about privacy that encompasses all of this, instead of just secrecy, is a classic American legal definition: privacy is the right to be let alone. It's the right not to be bothered by other people, not to have them intrude in your life. It's not just about keeping things secret.

So how does this relate to the General Data Protection Regulation? Well, you'll notice that the P in GDPR does not stand for privacy. I would think most privacy lawyers in the world would say that the GDPR is going to be the leading regulation around the world on privacy, but it's about data protection, because privacy is about how data is being used, how your data is being used, and your relationship to it.
So I want to tell you a little bit about what is the GDPR what does it protect the rules of founding and some of the basic rules or principles of the GDPR keep in mind this is like a 200 page regulation so I'm not going to go into great detail she's going to give you a broad overview so what is it the general data protection regulation it's going to replace the current EU regulation for privacy rules so right now in the EU there's a directive and the difference in a directive and a regulation is a directive is a requirement from the EU that all of its member states in enact certain laws that meet certain requirements so all the member states have laws internal to them that are substantially similar to other member states and the idea being is well the laws are basically the same so it makes it easier to operate or move between jurisdictions a regulation on the other hand is a law that's implemented at the EU level so then every single member state the law is exactly the same well barring the fact that it's in six different languages and maybe that's some cause problems but i'll leave that to an EU attorney to tell you how that works um as an american that confuses me so this law doesn't come in effect until may 2018 so next year so um you might be wondering why i'm talking about it now is because right now all of the companies in the world that are affected by this are freaking out because they need to figure out how to comply with this law and may 2018 so they're making decisions about compliance with this law right now the other thing to point about this regulation why it's going to be kind of broad i know i'm a technologist myself i work with a lot of technologists i give them legal i give technologists legal advice they always want things as specific as possible what do i have to do gdpr doesn't tell you what you have to do it's technology roof neutral it's risk based so anyone here has been in compliance or security or privacy engineering they probably had to 
go through like a risk assessment um or an audit where they're saying like well i can't tell you exactly what you have to do but these are the things you should kind of be thinking about but you're the expert you tell me what you have to do the gdpr is basically listening to that methodology and i'm going to tell you why i think that's a good thing so you can read more specifically what the gdpr is trying to do um lays down rules related to protection of natural persons with uh regarding the crossing of personal data and the rules related to the free movement of that personal data um you can parse that a little bit more if you want but what does it what does it protect basically um it applies to personal data right so personal data is basically anything about you or can be identified about to a particular person and applies to natural persons doesn't actually apply to dead people so the person's breathing it applies to them it doesn't apply to legal persons they don't breathe you got to be breathing for this to apply to you so this really is about protecting people's data and not corporations data actually it's a little bit broader than just computers um anytime you're doing any kind of processing in an automated way or an organized filing system applies to you so technically like a business's rolodex of like clients they have if they've gotten a traditional paper rolodex it applies to that as well so there's no real there's no one with skate balls really or at least they haven't found any yet there are a couple exceptions i think the most important one and why this doesn't really require fos developers generally to do anything is it doesn't apply it doesn't regulate the use of data by natural persons and purely personal or household activity now personal and household activity we'll see how that gets defined underneath the old directive it was fairly narrow um but you know if you're using data you've got a mailing list for all your family members to send them 
christmas cards it doesn't matter how many people you're sending that those christmas cards to if you've got a big family it's still personal activity it's the kind of thing you do in your household and of course there are exceptions because they're still going to spy on you right so but at least the the nation states are going to be spying on you and who does it apply to so if it doesn't apply to fos developers and people doing their household activities who does it apply to pretty much applies to everyone else right so if you're a controller or a processor established in the EU and i'll explain what those are so you're a business in the EU it applies to you if you're offering goods and services in the EU it applies to you right so all the big american tech companies it applies to them um or anyone else in EU applies to and honestly international law not my specialty so giving you a good simple definition of who EU applies to can't really do that but it's their catch all right it's basically if you're doing any business with the EU in any way if EU can haul you into the court they're going to say you've got to follow this regulation so it applies to a lot of people um so basic summary gdpr applies to everyone processing data on EU citizen um unless you're doing it for personal use so controller these are basic words you'll find in the EU regulation controllers the guy who wants your data or collected the data processors the guy who's actually doing things to the data so you might have a big business like a shoe manufacturer who doesn't run his computing facility shoe manufacturers the controller the guy he outsources sending out mailing or data mining on to is the processor processing i'll show you the legal definition of that in a second processing is basically doing anything to data and why i mean anything to data i mean anything to the data data subject that's you the people who are still breathing up the dead ones and personal data basically any information 
that could be reasonably identified about you um reasonable as a keyword in there um we'll talk a little bit about reasonable and appropriate in a second so these are the definitions of processing and personal data you can see it's a very long list of verbs feel free to read that on your own time so basic rules these aren't really rules i'm going to tell you the purposes and the goals of the gdpr which i think are pretty good right so this goes back to us talking about it before but what is privacy so and you've you've if you've been in this room for the last two days like i've heard you've heard these words too because these things people are really concerned with right so one of the goals is transparency we heard about that in the last session transparency what are you doing with well if you're talking about a financial sponsor for a foster organization what are you doing with my money but if you're giving your data to someone else what are you doing with my personal information right i'm going to give you my medical record what are you going to do with that i want to know i want to give my doctor my medical information because i don't want to kill me accidentally but i don't know if i want someone to figure out that i'm like the perfect person to turn into like a cyborg like that's probably not things that i want them to just go experiment with purpose limitation right so like i gave you for one purpose don't use it for another purpose even if you're going to tell me uh data minimization only collect only ask me for the data you actually need don't don't ask for more data than you really need accuracy i you do if you're going to do things to me because that's what's about is doing things to me by processing data make sure you're doing it based on accurate information right so don't assume that i'm like well if you're in the united states right now like don't assume that you're not a u.s citizen and deport you accidentally which we do all the time um storage 
limitation only keep the data for as long as you're actually doing it for the reason you collected it for right so you can't ask for it for one person and do something else with it but if you can't do something else with it and you fulfilled that purpose it's time to get rid of it um and integrity and confidentiality so this is kind of where encryption falls in um and you have to use appropriate and technical and organizational means to protect the data um if any of your academics here like there are some exceptions for research there so you don't think this is like going to shut down research for social services or health care or anything like that um they're not going to let that happen so but i want to talk a little bit about appropriate and reasonable because this kind of goes into why i think fast developers care so uh quick search of the gdpr text the word appropriate is used 80 times in the implementing rules and over 110 times in the entire text and the word reasonable is only used 10 times i'm pretty sure if it were written by an american attorney they use the word reasonable a heck of a lot more um and because i'm an american attorney i'm going to kind of make the assumption that appropriate and reasonable mean similar to the same thing i don't know if that's a good assumption there's anyone who practices e you and american law can tell me this is a terrible assumption let me know no it's a terrible assumption so um this is one of my favorite cases uh in us law um and it gives you a short succinct definition of what are reasonable or appropriate actions are um i will not redo the whole thing but basically it's defining um when you have a reasonable thing to do is when the burden is less than the probability of an injury occurring so b less than p times l right so mathematical terms everyone here now understands what they're supposed to do right reasonable things when the burden is less than the probability of injury occurring that is not any definition of 
reasonable that is common in europe in a u k they use uh on the balance of probabilities which goes hand in hand with the reasonable reasonable has a connotation of objective of anyone else would objectively choose the same thing that is more a typical term of reasonable okay uh my understanding of the word appropriate is it's listening to best practices in the industry so it is actually kind of similar in the larger ambiguities of american law i'm sure they're not exactly analogous but um for this audience i think they're probably close enough maybe not for a legal audience so um the gpr some of the things that it points out that are appropriate measures um they might include these right these are not always required in every case they might be required sometimes pseudonymization or encryption of the personal data if it's appropriate ensure confidentiality integrity and availability right so just do that just ensure it um ability to restore access to personal data in a timely manner just make sure that's done you don't have any problems figuring out what's required there if you're technologist you just do that um and process for regularly testing and evaluating the effectiveness of these controls that's also easy to do anyone who's a systems administrator in the room can just go down this list and check them off i'm sure right i mean these are pretty broad standards it's basically not telling you how to do this at all um but i think a couple important things about the gpr is the controllers responsible for demonstrating compliance with the gdpr right so they're accountable and they have to show that they're accountable so it's not about prove that i didn't follow these rules it's telling corporations you need to prove that you're following these rules which puts a big onus on them because it's not about what can i do to get away with this it's like what do i need to do to show that i'm not going to get in trouble a couple other things i want to point out about 
this is that um when you're processing data you've got to have a lawful reason for doing that and uh my experience at least amongst american attorneys who are discussing the gdpr the main reason they're looking for is the data subject has consent now it's not the only reason that they might be processing your data i think there are seven or eight legitimate reasons for processing data but they're telling corporations if you can find a way to ground your processing in consent this is the safest one because the other ones you're probably going to get some pushback on so consent and affirmative consent is what they mean here is going to be a big deal on this regulation so why should fos developers care about this regulation so i can think of three main reasons uh self promotion is one of them right so if you're making fos software that's used by corporations in the eu they're all freaking out right now about how to comply with the gdpr they're going to be very concerned with well if i use your fos software does it help me or hurt me when it complies with the gdpr right so it's about transparency and accountability um and knowing what the process is going on there like what does your software do what does it collect those are things you're concerned with but i think the more important ones for people in this room because i do think that fos developers are civil libertarians in the american sense they care about other people's privacy it's can we use the gdpr to strengthen privacy rights for ourselves and our friends um and does the gdpr present any opportunities that fos developers might want to take advantage of that corporations probably weren't volunteering before so here's a list of things just going through the gdpr that i think a lot of corporations are going to be going to their it department saying hey just you know implement all this stuff um i don't think these are all things that fos is i don't think fos is responsible for doing any of these things i don't 
even think some of them are really relevant um so i'm not going to spend too much time on that because this isn't a compliance talk that's for corporations um and i'm not here to tell you that fos developers have responsibility to help corporations save money by doing their work for them what i think is more important is to look at that list and say which one of those will actually strengthen pri privacy rights so i think fos developers have another opportunity to help define what is appropriate so if you ask a corporation well what can you do to to protect someone's privacy what are the appropriate steps you need to do to ensure confidentiality integrity and availability of data they're going to do the math and say like well you know how much is it going to cost me if i violate this regulation how much is it going to cost me to implement this protection and they're going to figure out the cheapest way for them to comply with the rule right that's their motivation is to make the money which is fine that's what corporations are supposed to do fos developers on the other hand might want to ask a different question right so when it comes to the appropriate means for protecting data they might want to say well what's actually practical for protecting people's privacy they're not asking though well how much is it going to cost that might ask the practical question of like well it might cost a little bit more but it gives us better protection it's you know i'm not worried about the fine so much is like if i were trusting my data with someone else this is what i would hope they would do for me if i were trusting uh holding my sister's data how much effort would i put into protecting my sister's data so it's a chance to define appropriate which really is about raising the bar on what privacy protections exist right so if the fos community can do this it's going to end up influencing corporations or has the possibility to influence corporations in two ways one well the fos 
community makes a lot of software and a lot of that software gets used by corporations right so if you're building software that's already respecting people's privacy and it go and a corporation chooses to use it you're now helping their customers that they're interacting with other people they're holding data on the other thing is is that they don't like that they don't like that raised bar that you put into your software they could change it right they're free to do that fos lets them do that but now they need to explain to a regulator why they remove some privacy protection right the other thing is is that by creating the community standard we can create expectations amongst users and set an example for regulators right so even if they're not using fos software they might say well you know that's great that you have a blogging service over there but you and you're saying it's too complicated to get the data out of it so someone can move to another blogging service because you know it's a vast network of friendship relationships you're tracking but here are these guys over here who don't get paid they do this on the weekend and they're able to exchange data from their platform to another platform and they manage to preserve all those things if you make a billion dollars a year off of making a blogging platform i don't understand why they were able to do it and you couldn't i mean do you not have enough money to pay for people's weekends is that the problem um the other thing is creating expectations for users right so you know this is an opportunity to show users fos actually does respect you i hear that a lot use software that respects the user like well let's respect them and more than just giving them control over their computer but let's create software that helps respect users data even when they don't have the compute that software on their own device so here's the long list of things that is going through there um these are some that i think are 
particularly relevant to fos developers and i just want to go through a little bit talk a little about what i think projects could do if it's applicable to you that would make a difference um i was seeing talking in very general terms it's going to depend from project to project but consent must be affirmative i think is probably an easy one so part of the new regulations is it's codifying that when you give consent it's got to be an affirmative action so what's an affirmative action so when you go to a website and you're about to sign up for that service and they're going to collect data about you they're going to give you a long well they used to be it'll give you a long ununderstandable description of what they're going to do with all that data and the box would already be checked and you could just hit okay at least that's how it stills in america and probably will stay that in america i signed a contract the other day where if you read it you could find embedded inside of the paragraph there was a checkbox pre-check that said i waived my rights to file a class action and as long as you were willing to go to like the 20th page and look in the middle of a paragraph in text that was smaller you could find the checkbox pre-checked it's not really affirmative consent if you hit i agree to that agreement that you also affirmatively consented to agree to waive your right to class action sure there was a checkbox i could have unchecked but i had to find it right so if you're building fast software where people are signing up and agreeing to certain terms of services or if you're building a module for fast software where they they're adding in like the ability to agree to certain terms just make it real easy just make that box the agree i agree a box unchecked by default right that's all you have to do um now a corporation that's going to use that perhaps on modify because a lot of smaller companies do they don't have to go through and find that they're going to say no 
i didn't agree to in the first place right like that's the way it's come should be by default so do that the other thing you can do related to this too is make it easy to opt out of processes so if you've got a piece of software that performs multiple different functions can you make it so that a user of that software has the ability to opt out of some part of that process that doesn't break the whole product so if you're going to have someone might sign up for like a user forum and that forum might also have like social networking features as well so people can find them well they might want to have access to the forum but they don't want to publish their user data right so let them turn off the ability to have it listed in the directory or some kind of social networking forum but let them still access the directory give them that option build that into your software architect your software so that they can choose which parts they're actually going to use pseudonymization immunization when possible um i don't know how much this applies to fosch directly although i'm sure it's out there none of the projects that i've dealt with directly but i certainly see it working in in-house when we bring software in developers seem to collect all the data they possibly can on a user registration forum so whenever you have a user registering your software you have to and i know this is absolutely mandatory you have to ask for the twitter handle i don't know why um it's very uncommon that i see people may actually ever have that integration with twitter but we've got that twitter handle data just in case we decide to use it later and then even when i go back and i ask him because i'm finally not a privacy impact assessment i said well do we ever use the twitter handle for anything they're like well no not really and i'm like what do you mean by use i'm like well do you ever like display it or a lot of people to search on it or interact with twitter and like well i mean 
Technically we display it when people go to look at their own account information, so that's a use, right? I'm like, well, I mean, yeah, I guess the way I just defined use for you, that is a use, because you are displaying it, but I don't think it's a useful use. We don't need to tell the person we asked for their Twitter handle what their Twitter handle is and then do nothing else with it. It's not necessary to have it. It presents a risk to that user if your software ever gets hacked in their installation; there's just more data that was collected for literally no reason. This happens all the time. So just don't ask for that information if you're not actually going to use it. Have a reason.

Right to access and review processing of data at any time. So if you are building software that acts automatically on other people's data, perhaps it sends out, you know, you sign up for some kind of process, a discussion forum, and I keep going back to this as an example, and you also have a mailing list feature on it: make it easy for people who are in your system to find out what you did with their data. Right, so most servers now have got audit logs that are built into them. A lot of them are going to keep track of when you send outgoing emails, especially if it's for some kind of marketing campaign, and I know there's FOSS software out there that helps you deal with this, and the people who are sending out those emails want to know if other people read them, or at least that the emails were sent. If for no other reason, you want to know you sent this person an email yesterday; when you run that cron job tonight, don't send it to them again. So we've got that data there, but do you let the person who received that email know that you sent them that email? Like, make it easy for them to see what you did with their data. I'm like, okay, I signed up for the discussion forum and I keep getting emails, and, you know, I think it comes from this company; can I go and see, oh yeah, look, they're actually sending me emails, they send me emails every two weeks? Let them know what you're actually doing with their data.

Now again, this is going to be context specific, right? So you've got to think about it in the context of your FOSS software: how does my program process data, what can I let people opt in and out of, and when I'm processing it, is there some way that I can make that information by default accessible to the people whose information is being held inside the software?

These three I think are all kind of the same. I'm sure everyone in the room has heard of the right to be forgotten; even people in the United States know about the right to be forgotten because it made a big splash a couple of years ago. The right to be forgotten is going to be enshrined, codified, in the GDPR. It is codified in the GDPR, but along with that is the right to update incorrect data for free and the right to have the data only stored for a limited period of time. Right, so I mentioned this to some of my friends, or some of my co-workers at the company I work at, who are big into Drupal, and I said, you know, so for example, the right to have your data deleted: if someone goes into your blogging software, community software, and is given the option to delete their own account, because why not, right? You gave them the option to make their own account; maybe they want to leave the community. Give them the option to delete the account, and when you give them that option, actually delete the account. And the response I got back from one of the Drupal developers was like, oh yeah, I think we had a Drupal ticket open for a couple of years about how you couldn't actually delete your account; it wouldn't work. And I'm like, right, you could prioritize that, right? If we're writing software because we respect other people's freedoms, we respect their right of privacy and how their data is going to be handled, then prioritize the delete option for their account so that they have the option of removing their personal data from their system now.
You might think, well, you know, if you're building a discussion forum, I don't want to interrupt that thread; are they going to be able to remove all of their discussion comments? Well, this is a contextual thing too, right? So the right to be forgotten case that established this sued Google; Google was determined, like, no, you can't actually make the link to the newspaper article accessible to everyone, at least that easily. But the newspaper that wrote the article, they don't have to go back and delete that article, because it's a different context. Is it relevant to your service that that data still exists? It's not relevant ten years on to make that the first Google search result for this person who filed the lawsuit. But the newspaper that wrote the article, on the other hand, probably has an interest in preserving the integrity of their archive of what their newspaper looked like that day. Right, so when you're looking at your software, you might want to make that choice: if you've got a discussion forum, is there some way that I could just, maybe I just remove their name but leave their comment? Or could you remove their comment and then just put a note there that says it was removed? If any of you are Reddit users, I think you will have noticed at some point in time that there are comments on there where there's no name associated with it, or it's a throwaway account; it's kind of a culture on Reddit. But you will also see conversation threads where comments have just been removed, either because someone deleted it or because a moderator removed it. It doesn't actually hurt the conversation that much. You might kind of wonder what that was right now, but it's possible. So think about that, and then if you're really concerned with strengthening people's privacy rights, maybe you want to be pretty aggressive about that. If the person who gets your software wants to say, well, you know, I kind of want to hold on to this data a little bit more, I'm not as concerned with privacy rights, I think I've got a reason, the onus could be on them to hold on to the data, right? The default could be, no, we're going to get rid of your data. If you want to use my software for free, the defaults I'm sending you are where we remove data when people ask for it.

So there's a couple of opportunities too that I think the GDPR also creates: the right to data portability and the right to data export to a common format. This is actually, when I was reading the GDPR, the thing that kind of inspired me to say, oh, this is something I should tell people about, because the words "common format", I was interested what that means, and I don't know if there's someone who knows what that means exactly, or if there's an established body of law on that. But it's not "use an international standard", right? It's a commonly used machine-readable format. So if anyone here has tried to process a Word .doc file format before .docx came out, I would probably want to say, like, well, that's probably not something we generally would call a commonly used machine-readable format. I guess technically Microsoft could do it, right? And then they came out with .docx, and I don't know if that actually meets this standard either, because the only software I know that can parse .docx is still Word. But ODT exists, so maybe that's a commonly used machine-readable format, or maybe it's a YAML file, or CSV files. It kind of depends. But this isn't just about Word documents, right? This is about all software you're operating on personal data. Right, so Facebook, at least in the Schrems case, Max Schrems, who kind of invalidated the EU data-sharing relationship with the United States, when he asked for his data from Facebook, he got something like 50 pages of PDFs of his Facebook account. That was all the data they had on him. I don't think anyone's going to seriously contend that a PDF file is a commonly used machine-readable format for, like, a blogging network that maintains social relationships, right? How easy is it going to be for him to ask a computer to reconstruct his social relationships with friends that he had stored in Facebook by parsing a PDF file? Like, it's going to be kind of a challenge, right? So this standard doesn't exist.

The other thing that they're asking here is that it's going to be an expectation that controllers, remember these are the corporations that are collecting your data, allow you to move data between controllers directly. Right, so it's not about you have to export the data onto your computer, which I know Google allows you to do now, and then, if you can find someone else that happens to parse that file format, you can import it into them; they want you to be able to move data directly. Right, so if you want to go from Facebook to Google Buzz, or Google Plus, whatever it's called now, you should be able to do that. But that's not a standard that exists right now.

So here's the two opportunities that I think this creates for FOSS. One, if you're able to export your blog from Drupal and import it into Joomla and bring it over to WordPress, that looks like a commonly used machine-readable format to me, right? And if you're able to export your blog, because I think that's basically what Facebook and Google Buzz are, you're able to export that out onto your local computer and import it only into Facebook, I'm not sure that they can make a good argument at that point of, well, it's a commonly used machine-readable format, because the plaintiff can always say in that case, like, well, I can move between all of these blogging software packages, but I can't move between Facebook and anyone else. Or, if I can move between all these different FOSS software packages and I can only move between Facebook and Google, which one's the commonly used machine-readable format? Now I'm not saying you're going to win that case; maybe the judge, the lawyer in that case, will be persuaded that as long as you can move between the two most popular platforms, that's fine, but
there's a heck of a lot better chance of forcing Facebook and Google to actually give people's data back and let them move their data to where they want it to go if the community is building a standard that they have to meet. And if we wait to play catch-up, I'm pretty sure Google and Facebook are not going to make it as easy to parse their data. It's going to be one of those situations where, how easy is it to parse a .docx format file? Sure, it's possible, but is it going to show up commonly in FOSS software? So I think I've got a little time for questions.

So this regulation that you've just talked about, does it only apply to EU citizens? So the regulation applies to controllers who are collecting data on EU data subjects. Like, can we have a situation where, at the moment there are about 900 companies in the world, on both sides of the Atlantic, that are collecting stuff, unknown to you people, about things that people do online, yeah, so can we have a situation, kind of a loophole, where European companies can do that on US citizens while US companies can do that on EU citizens?

So the question was, is there a loophole where United States companies can do this to EU citizens and EU companies can do it to American citizens. So the more common case that people are worried about is American companies doing this to EU citizens. So the GDPR is actually a regulation about not just processing your data but the transfer of data too. So you're not allowed to transfer data outside of the EU unless you're complying with these rules, and it also applies to companies doing business in the EU. Right, so you can't collect data on EU citizens and then transfer it to the US to do whatever you want. If you do that, you need to have some legal mechanism in place that the EU has approved that allows that transfer. There's a couple of different agreements in place for that, but basically they take the EU rules and force them on the companies even when they're operating outside the EU jurisdiction. So the one with the United States that's in place right now is Privacy Shield; the one that was in place two years ago was called the Safe Harbor. Safe Harbor was invalidated because they found that the protections provided in the United States weren't actually adequate. So the EU actually does have data protection authorities who are interested in preventing that loophole from occurring.

Hello, I'm Federico from Wikimedia Italy. Two very concrete examples. Do you think that an organization like the Wikimedia Foundation, which runs Wikipedia, should try to apply these sorts of standards for its users, even though perhaps it's not legally forced to? And second, do you think that, for instance, web server software like Apache or nginx should change their practice, their defaults, for things like storing IP addresses in web server logs?

So the first question was, do I think that the Wikimedia Foundation that runs Wikipedia should comply with this rule even if it doesn't apply to them? My recommendation to them would be, I'm not your lawyer, but you should ask your lawyer if this does apply to you, because it's not clear to me whether or not the EU law applies to them. Maybe an EU attorney could tell them that.

Basically, there's also a journalism exception, and that for the most part would apply to most of the stuff Wikimedia does, but Wikimedia does have legal people on the ground here. So apart from the private use exception, journalism is generally not covered by the GDPR because there's an overriding freedom of expression interest there. This is overly simplified, by the way; it is not that it's always, it depends, etc. Right, and then to get to the question after that: the publisher of software is not necessarily the data processor. So the idea of privacy by default, for example putting Do Not Track on by default in Apache, is not necessarily a responsibility of the Apache Foundation, but anyone who rolls out Apache in real life should, under the GDPR, consider turning on Do Not Track and reducing the logging to the minimum.

So if the question is about what they should do in the interest of promoting privacy right now, again, when I configure an Apache server I usually choose between "combined" and, what's the other log format, "common". You know, maybe they want to come up with a new default option for logging standards that doesn't include the IP address, or something like that.

So, very briefly, I'm working in that domain for one of the European data protection authorities; I'm happy to take questions offline, but I wanted to clarify one point on the territorial scope of the regulation, because it applies to all entities that process data in the EU regardless of who the persons concerned are. There's no limitation to EU citizens. So when your company is here, or your organization is here, they are subject to it even if the people are American. So that would be covered in any case. So that's just a simple explanation.

We just have time for two more questions.

How is Europe planning to execute that law? Are they doing audits or something like that?

So my understanding of this, and I do not understand the European regulatory process in general, because the EU is still kind of a bureaucratic mystery to me, so ask a European attorney, but each member state is still going to have a regulatory authority, and companies are going to be able, to some extent at least, to choose which member state's data protection authority they want to be regulated by. But the idea is that the rules are supposed to be uniform, so you shouldn't be able to forum shop by going to the forum that interprets the rules more laxly. How that actually occurs in the EU, as an American attorney, that kind of confuses me, because in America the structure of our system kind of encourages forum shopping. So it's not something I exactly understand, how that'll work.

Hi, not really a question, just a comment about your presentation. First, it's maybe something you haven't mentioned, but all the practices that you recommend, and I think some of them are quite good, can be summarized under the concept of privacy by design. That is the idea that when you design a software, you should, in the process of designing this software and so in the process of coding it, have in mind the GDPR, so the protection of the privacy of your users, your intended users, and make sure that everything is following this state of mind, so for example anonymizing when possible, and so on and so on. And second, a comment about the question of how to apply this: that's still a big question among lawyers, of course, and technicians in EU member states, but one of the things is the idea to have a privacy impact assessment, and that is a risk-based approach. You didn't detail this approach, but mainly what does it mean? It means that when you design your software, before designing, of course, you need to ensure that every good practice for protecting privacy is in place, but also that the risk is minimized. So what is the risk for users that use your software to be subject to a violation of privacy? For example, if you forget to make anonymization for some personal data, of course this kind of practice will raise the level of risk for your users, and of course it's not very compatible with the idea of privacy by design.

Thank you. I apologize, we're out of time. I know there are more questions for Mark; maybe, Mark, if you'd be willing to step into the hallway, people could continue to ask you questions. Thank you very much.
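Several of the practices the talk recommends (log what the software did with a person's data and show it to them, export their data in a commonly used machine-readable format, and actually delete an account on request, anonymising comments rather than tearing a thread apart) fit in one small data model. The Python below is an added example written for this page; it is not code from the talk, from Drupal, or from any other project mentioned, and the class and function names (ForumStore, send_digest, export_user, erase_user) and the sample users are constructed for illustration.

```python
"""Privacy-by-default data handling for a small discussion forum.

Added example, not code from the talk or from any project it mentions. All
names and the sample data are constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

ANON_NAME = "[deleted]"                                    # replaces an erased author's name
REMOVED_BODY = "[comment removed at the author's request]"


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp, so callers never pass naive times."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class User:
    user_id: int
    name: str
    email: str           # data minimisation: no Twitter handle, nothing here would use it


@dataclass
class Comment:
    comment_id: int
    author_id: int | None    # None once the author has exercised the right to erasure
    author_name: str
    body: str


@dataclass
class ProcessingEvent:
    user_id: int
    action: str      # what the software did with the data, e.g. "email_sent"
    detail: str
    at: str          # ISO-8601 UTC timestamp


class ForumStore:
    """In-memory stand-in for the forum database (constructed for the example)."""

    def __init__(self) -> None:
        self.users: dict[int, User] = {}
        self.comments: list[Comment] = []
        self.events: list[ProcessingEvent] = []

    def register(self, user_id: int, name: str, email: str) -> User:
        self.users[user_id] = User(user_id, name, email)
        return self.users[user_id]

    def has_user(self, user_id: int) -> bool:
        return user_id in self.users

    def post_comment(self, author_id: int, body: str) -> Comment:
        author = self.users[author_id]
        comment = Comment(len(self.comments) + 1, author_id, author.name, body)
        self.comments.append(comment)
        return comment

    # --- processing log: one record for every automated action on a user's data ---
    def record_processing(self, user_id: int, action: str, detail: str, at: datetime) -> None:
        stamp = at.astimezone(timezone.utc).isoformat()
        self.events.append(ProcessingEvent(user_id, action, detail, stamp))

    def last_processing(self, user_id: int, action: str) -> datetime | None:
        times = [datetime.fromisoformat(e.at)
                 for e in self.events if e.user_id == user_id and e.action == action]
        return max(times) if times else None

    def send_digest(self, user_id: int, now: datetime,
                    min_interval: timedelta = timedelta(days=14)) -> bool:
        """Nightly job: send the digest unless one went out within min_interval.
        The same log entry that stops the job from mailing twice is what the
        user later sees in export_user(). Returns True if a mail was (notionally) sent."""
        last = self.last_processing(user_id, "email_sent")
        if last is not None and now - last < min_interval:
            return False
        # a real implementation would hand the message to the mailer here
        self.record_processing(user_id, "email_sent", "fortnightly digest", now)
        return True

    # --- right of access / portability: plain JSON rather than a stack of PDFs ---
    def export_user(self, user_id: int) -> dict:
        user = self.users[user_id]           # KeyError once the account is erased
        return {
            "profile": asdict(user),
            "comments": [asdict(c) for c in self.comments if c.author_id == user_id],
            "processing": [asdict(e) for e in self.events if e.user_id == user_id],
        }

    def export_user_json(self, user_id: int) -> str:
        return json.dumps(self.export_user(user_id), indent=2, sort_keys=True)

    # --- right to erasure: profile and log go; comments are anonymised by default ---
    def erase_user(self, user_id: int, mode: str = "anonymize") -> int:
        """Delete the account and return the number of comments touched.
        mode="anonymize" keeps the comment text but strips the author so the
        thread still reads; mode="remove" also replaces the text with a note."""
        if mode not in ("anonymize", "remove"):
            raise ValueError(f"unknown erasure mode: {mode}")
        del self.users[user_id]
        self.events = [e for e in self.events if e.user_id != user_id]
        touched = 0
        for c in self.comments:
            if c.author_id == user_id:
                c.author_id, c.author_name = None, ANON_NAME
                if mode == "remove":
                    c.body = REMOVED_BODY
                touched += 1
        return touched
```

The defaults follow the talk's suggestion that the privacy-preserving behaviour should be what ships: erasure anonymises comments unless the operator asks for removal, the processing log exists mainly so the data subject can read it, and the export is JSON that any other forum or blog package could consume.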