More diagnostics data from desktop

Jeremy Bicha jbicha at ubuntu.com
Wed Mar 7 20:43:10 UTC 2018 

(Keeping the full comment since the replied email hasn't shown up in
the ubuntu-devel archives yet.)

On Wed, Mar 7, 2018 at 2:42 PM, J Fernyhough <j.fernyhough at gmail.com> wrote:
> (cross-posting because ubuntu-devel is moderated and this may not reach
> that list)
>
> On 07/03/18 11:46, Jeremy Bicha wrote:
>> What proposed collected data do you think should be considered
>> personal data for GPDR purposes?
>>
>
> "What constitutes personal data?
>
> "Any information related to a natural person or ‘Data Subject’, that can
> be used to directly or indirectly identify the person. It can be
> anything from a name, a photo, an email address, bank details, posts on
> social networking websites, medical information, or a computer IP
> address." [1]
>
> And more specifically:
>
> "(26) The principles of data protection should apply to any information
> concerning an identified or identifiable natural person. Personal data
> which have undergone pseudonymisation, which could be attributed to a
> natural person by the use of additional information should be considered
> to be information on an identifiable natural person. ..."
>
> "(30) Natural persons may be associated with online identifiers provided
> by their devices, applications, tools and protocols, such as internet
> protocol addresses, cookie identifiers or other identifiers such as
> radio frequency identification tags. This may leave traces which, in
> particular when combined with unique identifiers and other information
> received by the servers, may be used to create profiles of the natural
> persons and identify them." [2]
>
> Hence, if you _ever_ record an IP address, you are recording "personal
> data" and must be able to demonstrate you are meeting the requirements
> of the GDPR **even if you pseudonymise that data**. Given the proposal
> extends to storing a full hardware specification it's very easy to see
> how that could be used as "additional information" or "other identifiers".
>
>
> Regarding consent:
>
> "(32) Consent should be given by a clear affirmative act establishing a
> freely given, specific, informed and unambiguous indication of the data
> subject's agreement to the processing of personal data relating to him
> or her, such as by a written statement, including by electronic means,
> or an oral statement.
>
> "This could include ticking a box when visiting an internet website,
> choosing technical settings for information society services or another
> statement or conduct which clearly indicates in this context the data
> subject's acceptance of the proposed processing of his or her personal
> data. Silence, pre-ticked boxes or inactivity should not therefore
> constitute consent.
>
> "Consent should cover all processing activities carried out for the same
> purpose or purposes. When the processing has multiple purposes, consent
> should be given for all of them. If the data subject's consent is to be
> given following a request by electronic means, the request must be
> clear, concise and not unnecessarily disruptive to the use of the
> service for which it is provided." [2] (Split to highlight central section)
>
>
> Given the discussion is about about large-scale systematic data
> collection Ubuntu/Canonical should also be aware of:
>
> "Does my business need to appoint a Data Protection Officer (DPO)?
>
> "DPOs must be appointed in the case of: (a) public authorities, (b)
> organizations that engage in large scale systematic monitoring, or (c)
> organizations that engage in large scale processing of sensitive
> personal data (Art. 37).  If your organization doesn’t fall into one of
> these categories, then you do not need to appoint a DPO." [1]
>
>
> Essentially, the onus here is on Ubuntu/Canonical to demonstrate any and
> all data collection meets the requirements of the GDPR. This is a bigger
> issue than most people realise.
>
>
>
> References
>
> [1] https://www.eugdpr.org/gdpr-faqs.html
> [2] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Notably, in the very first email in this thread, Will Cooke
specifically said IP addresses will never be stored with this data. A
Launchpad account is not needed for apport to send crash data for
stable Ubuntu releases (it works a bit differently while an Ubuntu
release is still in development.)

In my opinion, the basic hardware data collection being proposed is
completely insufficient to identify people.

Thanks,
Jeremy Bicha

More information about the ubuntu-devel mailing list