Hi All -
Thanks to our BOD member Mitchell, a few of us from the S&O working group (strategy & operations) had a call this morning with the lead compliance officer at Mozilla to discuss GDPR for data privacy in open source communities. @darius and @terry, please add to this or correct anything I’ve overlooked from our call.
Summary of the call:
- Many rights under GDPR are not absolutes, but are rather proposed as “if, then” scenarios - so the organization must decide what applies to itself. The reasons/purpose for gathering and legal basis for processing will determine what kinds of rights you need to provide to your users.
- The collecting and use of data needs a legitimate business interest, and the right to delete data is not absolute.
- Any downloaded code becomes the responsibility of the person who takes the code to de-identify any references to identified persons in the codebase. Mozilla has not created any extra disclaimer or guidance around GDPR for the downloading of the codebase.
- Mozilla has created the ability for a user to go into their account and opt to make it “anonymous”. This is an all-or-nothing move, so it’s either all anonymous or no postings anonymous. It was a bit unclear if users could continue to post as this anonymous user, or whether that user became “anonymous-1234” to be able to still be identified throughout the forum (although without personally identifiable information publicly displayed).
- They have added to their consent the clause about being able to become anonymous, but have stipulated that they will not delete the post by the user since it is important to their business to have discussion threads remain. In addition, they also clearly state that they will not modify the post content itself, even if any posts contain personally identifiable information. So users that choose to include those details in the post content will still see those details, even after they have made their account “anonymous”.
She gave us this link for additional understanding: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
Our next steps are to:
- Create ability to have user be anonymous (all or nothing)
- Publish guidance - support articles around data protection (they said we could copy theirs)
- Remodel our privacy based on Mozilla’s: https://www.mozilla.org/en-US/privacy/
Notes from the call are here: https://docs.google.com/document/d/15ME4lD8outfWEol04AiL07KXB_CKyskmyRVes-iV29w/edit