On 30/05/18 22:56, Richard via dmarc-discuss wrote:

I realize that enforcement of GDPR is still a work in progress, but:

   > Failure reports send copies of your users'
   > mail to total strangers.

would seem to run directly against its intent.

I hadn't thought to perform this analysis:

 * Consent is out, unless you really want to (a) solicit voluntary
   consent from all of your users and (b) turn off failure reporting
   for those users who have yet to consent, or who have withdrawn
   consent.[1]
 * Necessity for the performance of a contract with the data subject
   would not withstand scrutiny. (Most mail services today are capable
   of operating without this; it's therefore provably not necessary.)
 * Controller's legal obligations are not relevant.
 * Data subject's vital interests are not relevant.
 * Public interest/official authority are not relevant.[2]
 * This leaves legitimate interests of the controller or a third party.

In the legitimate interests case:

1. The interest must be identified. In this case I'd suggest something
   along the lines of improving the ability of the controller (and
   mail-server operators generally) to distinguish legitimate email
   from impersonation by helping domain registrants take action to (a)
   correct configuration errors in legitimate email and (b) shut down
   impersonation, by voluntarily sending copies of messages to the
   party apparently nominated by the registrant of the domain.
2. The means must be necessary (least invasive approach possible). As
   for necessity for the performance of a contract, I'd suggest that
   this is demonstrably not true. The vast majority of DMARC's
   protection with respect to failure reports can be achieved (and is
   being achieved) by failure reports provided under NDA and by
   aggregate reports. It would be necessary to demonstrate that the
   added value of volunteering failure reports to strangers was
   material.
3. A balancing test must be performed (interests of the controller and
   third parties vs. rights of the data subject). In particular, this
   looks at what protections are in place. I'd suggest that, at a
   minimum, this would call for data transfer agreements with
   enforceable NDA terms and data minimisation. In the latter case, if
   it is possible to perform substantially the same processing on
   anonymous data (e.g. the aggregate reports), then skipping that
   measure would be hard to defend.

More broadly, any situation in which controllers are automatically disclosing personal data to other controllers who are strangers to them would be extraordinarily difficult to justify under legitimate interests. Note that this is not the same situation as sending an email message at the request of a user; that is necessity for the performance of a contract.

I'd suggest that automatic sending of failure reports to strangers would be very difficult to justify under GDPR.

- Roland


1: There is a lot of confusion about this. Consent in GDPR terms (6(1)(a) and 7) means something quite different to consent in its contract- or common-law senses. In particular, if some other thing that the data subject cares about is conditioned upon that consent, or if the consent can't be withdrawn without the loss of some other thing that the data subject cares about, then it's not freely given and therefore - per the snappy little sentence at the end of 7(2) - didn't happen. This is not to say that the processing in question can't be lawful, only that consent can't be the legal basis. There are five other legal bases to explore...

2: Note that this is not a DIY thing; the interest/authority in question must be laid out in legislation.
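As an added illustration of the data-minimisation point above (example code, not part of the original message), the check below reads a published DMARC TXT record and reports whether it requests failure reports (`ruf=`) at all, and whether those reports would leave the domain owner's own organisation. The records are constructed samples; the tag syntax follows RFC 7489.

```python
# Constructed sample DMARC records for illustration (not from the thread).
SAMPLE_RECORDS = {
    "example.com": ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
                    "ruf=mailto:forensics@vendor.example; fo=1"),
    "example.org": "v=DMARC1; p=quarantine; rua=mailto:agg@example.org",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def mailto_domains(value):
    """Return the recipient domains of the mailto: URIs in a rua/ruf value."""
    domains = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addr = uri[len("mailto:"):].split("!")[0]  # drop optional size limit
            domains.append(addr.rpartition("@")[2].lower())
    return domains


def audit_failure_reporting(domain, record):
    """Say whether failure reports are requested and which recipients are
    outside the publishing domain (aggregate-only records need no ruf)."""
    tags = parse_dmarc(record)
    ruf = tags.get("ruf", "")
    if not ruf:
        return {"domain": domain, "requests_failure_reports": False,
                "external_recipients": [], "fo": None}
    external = [d for d in mailto_domains(ruf)
                if d != domain and not d.endswith("." + domain)]
    # fo defaults to "0" (report only when all mechanisms fail) per RFC 7489.
    return {"domain": domain, "requests_failure_reports": True,
            "external_recipients": external, "fo": tags.get("fo", "0")}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(audit_failure_reporting(name, rec))
```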

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)