
Groups.io and GDPR compliance


Carole
 


Hi,


My choir is currently with Yahoo Groups and I am experimenting with Groups.io with the intention of moving away from Yahoo over the summer months.


The concern I have is that either of the groups hold/store personal data even if only name and email address. Yahoo obviously also stores Yahoo ID if the person has one.

For GDPR we are required to ensure compliance with any 3rd parties who store personal data on our behalf. The main concern is whether data is stored on servers inside or outside the EU. See advice from our representative body, Making Music.


So my question is does Groups.io have servers inside the EU for those of us in Europe?

-----------------------------------------------------------------------

A. Storing and using data via third parties

e.g. sharing documents (Google Drive), an email service (Mail Chimp) or an online ticketing website (Ticket Source).

GDPR applies to non-EU companies that are storing and using data of individuals within the EU. It is your responsibility to ensure any third parties you use to store data are compliant with GDPR. This does not mean you should be telling Google about GDPR, but it does mean you should do some research to make sure they are compliant. The potential area of complication is when you are using a service but the organisation delivering that service houses data outside the EU. The good news is that many of the bigger more common organisations are either based in, or have a base in, the EU and so will be up to speed with GDPR. Some smaller, less well-known organisations based outside the EU could be storing data outside the EU which makes things more complicated.


Thanks


Carole


 

On 03/22/2018 09:44 PM, Carole wrote:
> For GDPR we are required to ensure compliance with any 3rd parties who store personal data on our behalf
Once GDPR goes into effect, there are going to be administrative
changes. What those changes are, depends upon what the courts decide.

Mailing lists owned by a private individual are an edge case. The
current assumption is that adherence to the entirety of the GDPR is
required. (Personal Rolodex cards fell into the scope of a similar,
albeit weaker measure, that passed about twenty years ago. This is why
those of us whose contact list looks like an expanded edition of _The
Mackay 66_ are also going to have to comply with GDPR, if anybody living
in Europe, or from Europe is in the list.)

> The main concern is whether data is stored on servers inside or outside the EU.
Going by traceroute, it looks like the servers are in the United States.
However, that is a question best answered by Mark.

> So my question is does Groups.io have servers inside the EU for those of us in Europe?
> A. Storing and using data via third parties
> e.g. sharing documents (Google Drive),
Unless Google has clearly stated that everything on Google Drive will
adhere to GDPR, regardless of physical location, the only storage that
will be compliant, is accounts that either originated in Europe, or for
individuals currently resident in Europe. (And yes, Google knows your
home address, even if you never told them.)

I am not a lawyer. This is not legal advice.

jonathon


Carole
 

Thank you Toki,

So does this mean we're going to have to wait for court decisions, i.e. litigation? Or is it that courts are currently deciding what GDPR requirements mean and we'll have answers in or around the time GDPR comes into effect? Everyone on my Yahoo group lives in the UK and we're a members' group (choir) and charity, not a private individual. I am not concerned about my private contact lists; however, I absolutely don't use the list for any marketing, nor do I pass addresses on to others without permission.

We do have to comply as a group and therefore need to have answers.

Many thanks

Carole

On 22/03/2018, 23:52, "toki" <[email protected] on behalf of toki.kantoor@...> wrote:

On 03/22/2018 09:44 PM, Carole wrote:
> For GDPR we are required to ensure compliance with any 3rd parties who store personal data on our behalf

Once GDPR goes into effect, there are going to be administrative
changes. What those changes are, depends upon what the courts decide.

Mailing lists owned by a private individual are an edge case. The
current assumption is that adherence to the entirety of the GDPR is
required. (Personal Rolodex cards fell into the scope of a similar,
albeit weaker measure, that passed about twenty years ago. This is why
those of us whose contact list looks like an expanded edition of _The
Mackay 66_ are also going to have to comply with GDPR, if anybody living
in Europe, or from Europe is in the list.)

>The main concern is whether data is stored on servers inside or outside the EU.

Going by traceroute, it looks like the servers are in the United States.
However, that is a question best answered by Mark.

> So my question is does Groups.io have servers inside the EU for those of us in Europe?

> A. Storing and using data via third parties
> e.g. sharing documents (Google Drive),

Unless Google has clearly stated that everything on Google Drive will
adhere to GDPR, regardless of physical location, the only storage that
will be compliant, is accounts that either originated in Europe, or for
individuals currently resident in Europe. (And yes, Google knows your
home address, even if you never told them.)

I am not a lawyer. This is not legal advice.

jonathon


 

On 03/23/2018 09:35 AM, Carole wrote:

> So does this mean we're going to have to wait for court decisions, i.e. litigation?
Basically, yes.

> in the UK and we're a members' group (choir) and charity, not a private individual.
If the list is "owned" by the charity, or is an official organ of the
charity, then full compliance is required. If the list is owned by an
individual, then some aspects might be dropped. This is what the court
cases will be about.

I am not a lawyer. This is not legal advice.

jonathon


 

On 03/24/2018 03:39 AM, toki wrote:

> If the list is "owned" by the charity, or is an official organ of the
> charity, then full compliance is required. If the list is owned by an
> individual, then some aspects might be dropped. This is what the court
> cases will be about.
Following up on this, despite the GDPR being an EU directive, specifics
are up to the individual member states. Those differences can be
startling:
* Estonia, for example, requires compliance within five working days,
with a single fifteen day extension permitted, if, and only if, the
original request lacked clarity;
* Ireland, OTOH, gives thirty days to comply, with no extensions;

Additional things that gave me pause were:
* All requested data must be provided to the requester, in a commonly
used format. So far so good. However, for list owners, that means that
if a request is made of all emails sent by the individual, or quoting the
individual, the list-owner has to provide them to the requester. The
only path to compliance with that, that I can see, is to set up an email
account that receives all messages sent to the list, and automatically
archives them in an email forensic analysis program;
* Consent to subscribe must be explicit, and must be retained by the
list owner. This implies that list-owners and moderators should not
auto-subscribe individuals, but will, on request, have to unsubscribe
individuals;
* Membership lists contain personal data, and as such, probably should
not be publicly available;

#####

Something to consider, is appointing one moderator, whose sole function
is to ensure conformance with GDPR (Europe), CASL (Canada. I have no
idea what this law is about, but I've heard it often enough in
discussions about GDPR, to assume that it has some relevance), and other
privacy legislation in other countries, or regions of the world. IOW, a
mailing list _Data Protection Officer_.

jonathon


 

I originally drafted the text below to send to Beta, but Mark closed the topic
there before it was sent. Since the subject is still being discussed here I
thought the content might provide some reassurance to group owners and
moderators. In any case, I'm sure Mark will provide any necessary guidance once
his lawyers have done their work on the subject:

This quote from Article 17 Right to erasure ('right to be forgotten') of the
actual regulation would perhaps solve the problem of quotes included in other
people's messages when someone exercises this right, under the "freedom of
expression" and possibly also the "archiving" exceptions:

"3.Paragraphs 1 and 2 shall not apply to the extent that processing is
necessary: (a) for exercising the right of freedom of expression and
information; (b) for compliance with a legal obligation which requires
processing by Union or Member State law to which the controller is subject or
for the performance of a task carried out in the public interest or in the
exercise of official authority vested in the controller; (c) for reasons of
public interest in the area of public health in accordance with points (h) and
(i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the
public interest, scientific or historical research purposes or statistical
purposes in accordance with Article 89(1) in so far as the right referred to in
paragraph 1 is likely to render impossible or seriously impair the achievement
of the objectives of that processing; or (e) for the establishment, exercise or
defence of legal claims."

This provision in the lengthy introductory statement para 13 may also make life
easier for Groups.io, but not for Yahoo groups (unless group owners and
moderators are counted as voluntary employees for this purpose):

"To take account of the specific situation of micro, small and medium-sized
enterprises, this Regulation includes a derogation for organisations with fewer
than 250 employees with regard to record-keeping. In addition, the Union
institutions and bodies, and Member States and their supervisory authorities,
are encouraged to take account of the specific needs of micro, small and
medium-sized enterprises in the application of this Regulation. The notion of
micro, small and medium-sized enterprises should draw from Article 2 of the
Annex to Commission Recommendation 2003/361/EC (1)."

However, I'm sure Mark's lawyers will sort it out for him, in so far as that is
possible in advance of any court rulings.


Jim Fisher
--
- My thoughts on freedom (needs updating)
- political snippets, especially economic policy
- misc. snippets, some political, some not
Forget Google! I search with which doesn't spy on you


 

Very nice out for small, nonprofits with only small volunteer staff.
Thank you.
Besides this no one gets into our group unless they agree formally to our terms and conditions which make all content ours.
--
Bob Bellizzi

The Corneal Dystrophy Foundation


 

On 04/14/2018 09:00 PM, Jim Fisher wrote:
> (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims."
My guess is that this is talking about either private archives, or
archives held by a library, museum, or similar cultural institution,
that impose specific criteria, in order to access the archive. (This is
just one of the plethora of things with the GDPR that is somewhat
ambiguous.)

As a general rule of thumb, European Law ignores precedent, as set by
case law. However, precedent qua "this is what the law makers meant,
based upon this section of this text", is usually accepted.

I can see a company in the US claiming that archives were deleted to
comply with GDPR, when US law specifically requires the archives to be
retained, especially when such archives contain the smoking gun that
the court wants/needs to prove malfeasance.

> this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.
This is one of those things that appears to be country specific:
* Estonian law appears to ignore organization size, dividing
organizations into solo-practitioner v non-solo practitioner, and
looking into why the data was collected, and retained;
* Irish law appears to differentiate between more than 250 employees and
less than 250 employees;
* I can't decipher the Hungarian website. :(

> I'm sure Mark's lawyers will sort it out for him, in so far as that is possible in advance of any court rulings.
I hope so.

I've seen a couple of companies set up geoblocks, so that people from
Europe can neither access their website, nor purchase goods nor purchase
services from them, stating that they are doing so, because their
lawyers were unable to provide the required assurance that they were in
compliance with GDPR, and their accountants said that the costs involved
in compliance were higher than the revenue obtained from current
European customers.

In reading through the literature this past fortnight, it looks like
people in the data privacy field expect the GDPR to be the blueprint for
similar legislation worldwide. Personally, I see it as being a
non-starter in the US, PRC, Russia and the Organization of Islamic
Cooperation/United Muslim Nations (OIC/UMN). The most it can spread is
into former European colonies that are neither Russian, nor PRC, nor
OIC/UMN client states.

Nor am I convinced that GDPR compliance is going to be seen as a good
thing, by the majority of individuals outside the EU.

I am not a lawyer. This is not legal advice.

jonathon


 

Those of us who make use of Google Adwords or Analytics need to comply with much of GDPR because Google is enforcing it in the way we use their platforms.
--
Bob Bellizzi

The Corneal Dystrophy Foundation


Marc Van Britsom
 

Check this page about GDPR

--
Kind regards
Marc Van Britsom