Commons.hour special - data privacy

Data privacy - TransAtlantic regulatory regimes and migrating meet. coop

A commons.hour special

Date: Monday, May 22, 2023
Time: 18:00 London time. (European time = +1, N America Eastern time = -5, N America Pacific time - -8).
Venue: commons.hour room (@ DE server)

meet. coop intends to migrate to platform hosting by WebTV, a Canadian coop. This opens the possibility of choosing which data protection regulatory regime to be under - Canadian or European - or even operating under both regimes on different servers, and offering members the choice as part of the service we give. This commons.hour aims to assemble the best knowhow that we have in our community, to underpin a sound strategic choice and highlight practical issues.

@petter @flancian and @anarcat have some inputs on this, but a bunch of others in our community have relevant knowhow (see Commons.hour special - data privacy - #5 by mikemh). Please do come and contribute. This is a significant strategic decision for meet. coop.

See ongoing discussion in this thread: Evolution #2 - A `commons.hour` on data privacy and regulatory regimes

Post-meeting documentation is below: Commons.hour special - data privacy - #11 by mikemh

Three core topics:

• TransAtlantic difference
• Key differences between Canadian and European regulatory frames?
• Does regulation operate on the server or on the formal organisation that manages it?
  Does it matter where the organisation’s servers are, geographically?
• Is GDPR really an effective option for North American data hosts (Canada, USA)?
• Surveillance vs commercial extraction
• How much is the regulatory framework about privacy and extraction of users’ data (by commercial operators) , and how much is about access of State agencies (surveillance, legal demands for disclosure)?
• What kinds of resistance to surveillance and disclosure have members of our community needed to mount,. With what kinds of consequences, or risks to our organisations and our members?
• How much is State surveillance and disclosure an issue in Europe, compared with the USA?
• Preferences
• Expectations of meet. coop User members, regarding a regime of protection for their data? Would adopting one or other regulatory jurisdiction limit our membership and our service to our members?
• Is there any consensus on the value of the European regulatory frame (GDPR) vis a vis North American frames (Canadian, US). Or the UK frame?

Without getting into any spoilers, it’s important to be aware of politics in Canada before getting into this. This usually doesn’t matter too much, but in this case it matters very much because last year a new privacy law came in effect in the canadian province of Québec that is somewhat inspired (but even stronger on some aspects) by the GDPR.

All the documentation I have on this is unfortunately in french, but I’ll dump it here anyway in case people want to catch up with Google Translate or DeepL or ChatGPT or a friend or whatever it is people use these days:

https://blog.didomi.io/fr/quebec-loi-25-protection-donnees-cookies

sorry for the link dump, but it’s all i have. ):

Terrific @anarcat thanks lots. I use Deep-L these days, works well. Questions below are tactical questions for meet. coop. Shouldn’t (?) necessarily shape the session too much, which ought to be a bit more broad, and ‘principles’ based?

• My first reaction is that this is good news (that the Euro and Quebec regimes are basically similar, and going in the same direction).
• Second thought is: this still probably won’t affect the willingness of European public (governmental?) organsiations to have their data on ‘non-European’ servers (whatever that phrase means).
• And third - our members so far - none of them (?) governmental organisations - have been fine with the informal ‘GDPR’ claim we have made, so why would this change in the future?
• Fourth is: of course we have to step into a formal GDPR regime now (or GDPR-plus = Quebec). It’s basic? Regardless of what our users’ privacy consciousness may be?
• Finally: who do we expect our members to be in the future? Coops. Civil society informal organisations. Governmental organisations. Individuals. In Europe. In Canada. In USA. In other national jurisdictions?

Questions for @evolution team to form some views on. This is placing more emphasis on the ‘prefernces’ section of the discussion?

These members might want to contribute? Do join this session.

• @gcotnoir @jamie @Jaime
• @dvdjaco @wouter @3wc @hng @Sebas891 @Yurko @chris @evolution
• @georgiamoon @shibco

I don’t think I can join on Monday, apologies as I’ve been swamped lately!

Reminder invite, do join us…
@dvdjaco @wouter @3wc @hng @Sebas891 @Yurko @chris @evolution

Here are machine translations into English, of the pages provided above by @anarcat : Nextcloud

Mostly, guides to data-holding organisations, about obligations under the new Quebec state law (‘Bill #25’) coming into force in stages between September 2021 and 2024.

Here a schema of data locations in meet.coop, to summarise topics that need discussing (‘protocols’), jurisdictions and digital spaces

data locations841×595 115 KB

The seminar I went to also listed Canada as approved by the EU “to some extent” (which might mean Quebec, don’t remember), but I agree with Mike’s points.

Countries with an adequate level of protection
• Andorra
• Argentina
• Faroe Islands
• Guernsey
• Isle of Man
• Israel
• Japan (under review)
• Jersey
• Canada (to some extent)
• New Zealand
• Switzerland
• UK (reassessed after 2 years)
• Uruguay
• South Korea

Post-meeting

Shared notes: Nextcloud
Full-feature playback: Playback
mp4 video: https://bbb.de.meet.coop/presentation/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849/meeting.mp4
mp4 download : https://bbb.de.meet.coop/download/presentation/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849.mp4

Closing this topic. Please pick up discussion in this thread: Evolution #2 - A `commons.hour` on data privacy and regulatory regimes - #12 by mikemh