On 2018-05-13 at 05:39 +0900, Stephen J. Turnbull wrote:
> It would be a much more annoying matter if they claimed the right to
> be deleted from third party posts that quoted and identified them,
> though. If there is a "right to be forgotten" that impinges on
> mailing list archives, that seems plausible to me, though who knows
> what the High Court would rule.

I see a few points here.

First of all, and I think it hasn't been mentioned yet, is the Right to access, i.e. of letting people know which data you have about them. I would consider that listing all posts by email address X would fulfill it, plus a search feature (*) in case they want to search by other terms, like looking for posts with their name in it.

(*) It is my understanding that just providing the mbox and expecting them to grep through it just as the sysadmin would have to do would be sufficient (OTOH if you had an advanced system for completely tracking a guy, and provide him just a crude interface, that's probably not ok).

Having to find out "anything and everything" where the user was mentioned may imho require what the GDPR calls "a disproportionate effort", and could even result in some liability for not finding some instance. Whereas providing the tools with which it can be done takes that issue back to the requestor, by providing the tools by which they can do it.

As such, wrt redacting archives my view is that they should provide all the urls to the content they want removed (which they should have been able to easily find per above). They provide a list of urls for consideration, only those need to be looked at. I would assume they are ok with other mentions of them if they didn't provide them. If I detected that there was a follow-up top-posting email containing the original content I would probably also truncate it, but strictly as a courtesy matter and with no guarantees that I would do that.

If they failed to find themselves, why would I need to dig through the archives, not even knowing what I am looking for? There are too many ways to refer to someone: the email address, different names and abbreviations (and misspellings!), which would not even be unique, plus all kinds of references (just suppose that the people to which Julian referred claimed that his email contains PII about them!).

Requests to remove on-topic inline replies would be quite a different matter, as they involve removing or altering messages by other people, which could significantly modify the meaning of what third users say by changing the context of the rest of the thread (which isn't necessarily well-defined in a machine readable way). Plus, changing that may infringe some protected speech rights of the subsequent poster (ouch!). Not to mention the multiple jurisdictions typically found in the user base of many mailing lists.

I would expect reasonable requests not to be a problem, though (e.g. just removing an address from a mail signature).

As an actionable for the mailman project, I think it could facilitate the implementation of §59:

> Modalities should be provided for facilitating the exercise of the
> data subject's rights under this Regulation, including mechanisms to
> request and, if applicable, obtain, free of charge, in particular,
> access to and rectification or erasure of personal data and the
> exercise of the right to object. The controller should also provide
> means for requests to be made electronically, especially where
> personal data are processed by electronic means. The controller should
> be obliged to respond to requests from the data subject without undue
> delay and at the latest within one month and to give reasons where the
> controller does not intend to comply with any such requests.

The user could be browsing a mailing list archive (as noted above) that provides a link to "report content to remove" (automatically verifying the reporter-provided email address), which can then be automatically removed (if it's his own email message and configured that way by the list admin) or goes into a queue for admin reviewing (where it can be easily hidden) or replied to.

NB: this process is more ample than mere "Right to be forgotten" requests, as that would also work for copyright infringement, virus, etc.

Best regards

Ángel

-- 
Just another non-lawyer looking for his way through the GDPR.