As this discussion also touched on other aspects of personal data handling (e.g. through SUSE’s sites) I will allow myself to share an update on the progress of this whole situation:
- I have filed a bug report about microfocus.com requiring too much personal information and the sharing of data with 3rd parties without the actual need for it.
- It got closed as “RESOLVED DUPLICATE” of another bug which itself had been closed earlier. I reopened it and asked for further attention on the matter.
- I have also contacted all email addresses found on the terms and policies pages of SUSE and Microfocus asking them to pay attention to the reopened bug report. I explained to them that there are no tools for one to control one’s personal data, there is no granularity on agreements, no unified privacy policy but multiple ones, and personal data is shared with 3rd parties without that being necessary. Additionally I asked for personal data erasure as per Article 17 of GDPR. I have sent this to:
No reply so far
No reply so far
As it was clarified earlier this was a non-existing mailbox.
3 days after my message I received a reply:
We at Micro Focus have received your request to have your personal information erased from our systems, and we are actively working to fulfil your request in the manner and time period prescribed by law.
We may ask you to provide us additional information if it is necessary for us to fully comply with your request and would appreciate your cooperation if that is the case.
Please note that since 1 March 2019 SUSE is no longer part of the Micro Focus group of companies, and any queries concerning SUSE should be addressed directly to that company.
Please feel free to contact me directly if you have any questions or concerns.
I explained in my reply that their intention to ask for additional information contradicts GDPR Recital (57) because they can already identify me, as I am writing from the email address which they already have on record. I didn’t receive any further reply.
Contacting this email address resulted in opening a ticket on the issue tracker. One of the people who replied in the ticket has an email address which is not @suse.com, @opensuse.org or @microfocus.com, which implies my request and the personal data in it were also shared with yet another 3rd party - of course without anyone asking me for that. In a further comment another one replied:
We should do our best to honour our obligations under those rights, and the policy goes into some details about the steps we might take and further discussions that would be initiated if exceptions exist.
This sounds good, but so that the overall picture gets attention, I also explained further that the current terms and tools are simply not GDPR compliant because:
The legal basis for this processing of your data is Article 6(1)(f) of the GDPR, which allows the processing of data to ensure e.g. a functioning and usable online services such as forums.
However what Article 6(1)(f) actually says is:
- Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
IOW: the “legitimate interest” cannot overpower the fundamental right to data protection, which says it must be processed fairly and on the basis of consent, i.e. not forced. GDPR Article 6(1)(a) says the same. So Article 6(1)(f), which is mentioned as a ‘basis’, is really just used partially, for the convenience and the interest of the data controller, thus justifying a “legitimate interest” by completely ignoring what the rest of it and the whole GDPR stands for.
- The principle of data minimisation is not followed which contradicts Article 5(c) of the GDPR.
There is absolutely no technical reason to:
- collect name, physical address, phone, job, etc.
- share this data with 3rd party (e.g. Microfocus)
- share IP address, HTTP user agent, referrer and give the possibility for 3rd party cookies with Google Analytics or other third parties (all listed in the policy)
in order to post in the forums or file a bug report.
Although it may be of valid legitimate interest of the controller to process as much data as possible under a catch-all agreement GDPR Recital 43 says:
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
So one is not only deprived of the possibility for separate consent for non-essential personal data processing but is even forced to accept the policies of multiple legal entities. I wonder where is the privacy in this privacy policy.
- One of the people who fixed a bug which I reported some time ago has shared my personal details in the form of credit (assuming that this is public data and obviously with good intentions but without asking me). Unfortunately through kernel.org now my name and email address are on thousands of pages, copied/mirrored on multiple websites, crawled, indexed, combined with other data and used in who knows what context now or in future. To that I got the suggestion to try to contact each domain which has a copy of the data (and I don’t even know which are those domains). Even if it was possible, not every domain has contact email published. Even if they have and if they reply - they can argue that their system is automatic and they have not done anything deliberately. In best case I would get a shrug. I do appreciate that the developer is sorry for doing it but unfortunately that doesn’t help at all.
One of the people who replied in my admin@ case said:
This was merged into the Linux master branch, so there is no chance to fully remove it from the world.
Merge tag 'firewire-fixes-6.8-rc7' of git://git.kernel.org/pub/scm/li… · torvalds/linux@04b8076 · GitHub […]
I do not think immutable git history was considered in GDPR design.
However, according to GitHub’s terms:
- Conduct Restrictions
While using GitHub, you agree that you will not under any circumstances:
[…]
- violate the privacy of any third party, such as by posting another person’s personal information without consent.
After commenting on all these issues in the ticket I got a reply in it:
So your inclusion of that information just adds noise to the discussion from the point of view of the volunteers who will be taking care of the parts of this request they can deal with.
I don’t blame you, but would discourage you from adding too much noise to this request - in order to fulfil your request many volunteers are going to have to spend non-insignificant amounts of their limited spare time to take care that your data is removed. If they’re distracted by additional irrelevant information, that will not help the timely processing of your request.
I don’t know why the info which I added to explain that the policies and tools need fixing is considered irrelevant, but as it seems the main accent is on the request for erasure, not on fixing things and making them good for everyone in the long term.
I am so baffled that I have no words to explain what I am thinking right now.