On Wed, Nov 12, 2025 at 08:49:29AM -0600, Michael Winters wrote:

> But since this data is currently "published" by Fedora, I believe that
> any entity is at minimum allowed to "read" this information, and that
> no obligations exist thereafter regarding what they've "learned".
> Meaning - any evil entity (especially one outside of GDPR jurisdiction)
> can currently ingest this data and do whatever they want with it within
> their own system, and would be under zero obligation to execute PDRs.
> Ironically, it's the re-publishing that Hatlas does which is most
> obviously protected by default copyright etc, to my understanding.
> It's easier to be evil than open, as it stands today.
NB, wrt jurisdiction, the important criterion is the location of the person whose data is being processed, not the location of the entity doing the processing. IOW, if the data processor is in the US, but is handling PII related to a person in the EU, the GDPR applies. How violations can be enforced is more questionable, but the rules are none the less intended to apply. IIUC the GDPR would even apply to any data about non-EU citizens for periods when they are travelling in the EU.

> I also want people to understand that if they see something in
> Hatlas they don't like, deleting it from Hatlas does nothing
> to protect it -- it has to get deleted "upstream". I'll make
> that more explicit in the FAQ.

That is certainly true, but at the same time, I don't find that to be a particularly compelling rationale to put forward to justify Hatlas continuing to hold the data. It comes across badly as a message IMHO.

Even when all the source data is publicly available, there is a material difference between that data being spread around 100's of individual systems, vs a system which proactively collects & aggregates the data from 100's of systems into 1 place, and provides a data mining frontend.

In the former case one has privacy-through-obscurity. Not perfect & vulnerable to malicious exploitation, but none the less a meaningful level of privacy for many people, much of the time. In the latter case one potentially has a form of dragnet surveillance in the extreme case. NB I'm not saying that's what Hatlas is, just talking in general terms about data aggregation & mining systems that process public data.

People can quite reasonably be ok with the former situation, but be unhappy with the latter situation.

There is data privacy precedent here with search engines.
They can be required to remove results that are personally related to individuals, even if the article(s) indexed by the search engine were all public & continue to remain public & could in theory be indexed by a different search engine.

With regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
