On Sun, Jun 03, 2018 at 12:45:25PM +0200, Ævar Arnfjörð Bjarmason wrote: > protection". I.e. regulators / prosecutors are much likely to go after > some advertising company than some project using a Git repo.
Well, it is indeed rather unlikely that one particular git repo project will be targeted, but I guess it is basically certain that at least some of them will be. It is the same as a lottery, it's very unlikely you win the jackpot, yet someone wins it every few months. We should care about the entire community, not be too selfish. > Since the Author is free-form this sort of thing doesn't need to be part > of the git data format. You can just generate a UUID like > "5c679eda-b4e5-4f35-b691-8e13862d4f79" and then set user.name to > "refval:5c679eda-b4e5-4f35-b691-8e13862d4f79" and user.email to > "refval:5c679eda-b4e5-4f35-b691-8e13862d4f79". Well, this is merely pseudonymization, not anonymization. Note that the UUID, innocent as it may look, is not in any way less "personal data" than the author string itself. Your proposal would thus not actually solve the problem, only slightly transform it. Only when you truly anonymize (see my proposal about one way to to it), you can completely evade the GDPR. > Sites that are paranoid about the GDPR could have a pre-receive hook > rejecting any pushes from EU customers unless their commits were in this > format. This won't work either. The GDPR makes each data processor directly responsible in relation to the data subject. So it does not matter at all who is pushing, it matters who is in the author field of the commits that were pushed. And since you don't have any information about whether those authors are residing within the EU or not, you have to assume they are and you have to obey the GDPR. Even if you are outside the EU and do not have any subsidiaries within the EU, the GDPR sill applies as long as you are processing personal data of EU citizen. Perhaps the authorities in your country will refuse to obey letters of request if the EU authorities try to enforce the GDPR on an international scope, but if you have a record of GDPR violation and you ever set foot on EU territory, you are fair game. > Instead I'll have a daily UUID issued from a government API Heaven forbid. ;) There is an old German proverb, warning that even humorous trolling might be dangerous: "Man soll den Teufel nicht an die Wand malen!" ;) Best wishes Peter -- Peter Backes, r...@helen.plasma.xg8.de
