Evolution #2 - A `commons.hour` on data privacy and regulatory regimes

meet. coop intends to migrate to platform hosting by WebTV, a Canadian coop. This opens the possibility of choosing which data protection regulatory regime to be under - Canadian or European - or even of operating under both regimes on different servers, and offering members the choice as part of the service we give. This commons.hour aims to assemble the best knowhow that we have in our community, to underpin a sound strategic choice in this and to highlight practical issues.

This is urgent. Issues were identified by meet. coop Board of Stewards April 27th as needing initial assessment during May, preparing maybe for server hosting migration in June. Evolution 1 - Find a new home - #44 by mikemh

Please come into this thread with views on questions (below) and/or edits to the wiki post(s). Thanks.

This thread initially is to gather appropriate questions and assemble related knowhow, in the planning run-up to a commons.hour session. After the session the thread can hold outcomes of that exploration, issues framed for the meet. coop Board to choose on, and assemble some protocols for the meet. coop handbook.

A date poll is open here Sondage - A commons.hour session on data privacy and regulatory regimes - Framadate

Who has understanding and experience?

If you should be in this listing, do please add yourself, apologies for oversight.

• @anarcat @ Tor project
• @petter @ collective.tools
• @gcotnoir @ WebTV
• @jamie /@Jaime @ May First Movement Technology
  Perhaps:
• @flancian @ social. coop
• @dvdjaco @ femProcomuns/CommonsCloud
• @3wc @ Autonomic
• @hng @ Collocall
• @Sebas891 @ Koumbit
• @Yurko @ Hypha
• @chris @ Webarchitects

Digital safety is an issue that intersects with data privacy and regulation. So include:

• @georgiamoon @ Simply Secure
• @shibco @ New Design Congress

When to meet?

A date poll is open here Sondage - A commons.hour session on data privacy and regulatory regimes - Framadate

Update: Poll is closed, date and details are here. Evolution #2 - A `commons.hour` on data privacy and regulatory regimes - #9 by mikemh

What are the questions?

Please do edit/extend this list…
Three core topics:

• 1 TransAtlantic difference
• Key differences between Canadian and European regulatory frames?
• Does regulation operate on the server or on the formal organisation that manages it?
  Does it matter where the organisation’s servers are, geographically?
• Is GDPR really an effective option for North American data hosts (Canada, USA)?
• 2 Surveillance vs commercial extraction
• How much is the regulatory framework about privacy and extraction of users’ data (by commercial operators) , and how much is about access of State agencies (surveillance, legal demands for disclosure)?
• What kinds of resistance to surveillance and disclosure have members of our community needed to mount,. With what kinds of consequences, or risks to our organisations and our members?
• How much is State surveillance and discolure an issue in Europe, compared with the USA?
• 3 Preferences
• Expectations of meet. coop User members, regarding a regime of protection for their data? Would adopting one or other regulatory jurisdiction limit our membership and our service to our members?
• Is there any consensus on the value of the European regulatory frame (GDPR) vis a vis North American frames (Canadian, US). Or the UK frame?
  Etc?

What are the data that meet. coop hosts?

• Recordings of meetings, in Greenlight @ CA (Koumbit) or DE (Hetzner) servers
• Live meeting traffic, in BBB. CA (Koumbit) or DE (Hetzner) servers
• Membership database, in NextCloud spreadsheet @ Webarchitects UK. What data are held in the database? Financial data, geographical and internet address data, institutional affiliation data, personal names? Other? What does regulation make us accountable for?
• Email correspondence, in Sogo @ Webarchitects UK
• Postings in the Discourse forum @ Webarchitects UK (The forum has no copyright/copyleft marking but the handbook section is marked [Creative Commons — Attribution-ShareAlike 4.0 International — CC BY-SA 4.0] )
• Data in other media spaces? Website? Handbook? Both these are posted by meet. coop. They are not open to direct writing by User members, and only hold information on Operational Members or Collaborating Members (organisations, not individuals), not on User Members or members of the public.
• Etc?

Hi! My experience is from providing services to Swedish municipalities, and I’ve also been to a 5h lecture on data transfer by a legal expert. (Could try to summarize that lecture in English at some point…) A lot changed with Schrems II in 2020 when it comes to this, which in some ways make it more complicated, but also gives smaller open source companies a huge advantage to companies like Zoom, Google and Microsoft.
There are exceptions when you can transfer data legally, but it makes things extremely complicated, compared to keeping it all in the EU.
So as I understand things in short:

• data needs to be handled in the EU, on EU based servers
• if the company is based outside the EU or has a US parent company that has access to the servers, this also counts as data transfer, so basically the legal entity should be based in the EU (this is particularly bad news for Google and the rest of them)

Noyb, the organisation behind the Schrems II case has a lot of info on this. (it might be worth becoming a supporting member to get some advice from them?) EU-US Data Transfers | noyb.eu

When to meet?
A date poll is open here Sondage - A commons.hour session on data privacy and regulatory regimes - Framadate
It covers two weeks at the end of May.

• @anarcat @petter @flancian thanks
  Preferred date is: Monday, May 22, 2023 - 18:00 London time

Please express any other prefences before the poll closes:
Poll closes 12may2023, 19:00 London time.

• @gcotnoir @jamie @Jaime ?
• @dvdjaco @3wc @hng @Sebas891 @Yurko @chris ?
• @georgiamoon @shibco ?

Would be great to share this Brief summary maybe?

Date poll has closed: Sondage - A commons.hour session on data privacy and regulatory regimes - Framadate

Selected date is: Monday, May 22, 2023 - 18:00 London time. (European time = +1, N America Eastern time = -5, N America Pacific time - -8).

Topic: Data privacy - TransAtlantic regulatory regimes and migrating meet.coop. For details see the commons.hour announcement Commons.hour special - data privacy

See this important update by @anarcat on data laws on Quebec Commons.hour special - data privacy - #2 by mikemh These documents are in French. Here are machine translations into English : Nextcloud

Mostly, these are guides for data-holding organisations, about obligations under the new Quebec state law (‘Bill #25’) coming into force in stages between September 2021 and 2024.

A useful description of concepts, terms and principles for cloud hosting, by UK government (2021) : Cloud computing guidance . Broadly, meet. coop is a cloud hosting organisation.

Post-session documentation

Shared notes : Nextcloud
Full-feature playback: Playback
mp4 video: https://bbb.de.meet.coop/presentation/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849/meeting.mp4
mp4 download : https://bbb.de.meet.coop/download/presentation/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849.mp4

data locations841×595 115 KB

Reposted from @petter in Commons.hour special - data privacy

The seminar I went to listed Canada as approved by the EU “to some extent” (which might mean Quebec, don’t remember) . . . .

Countries with an adequate level of protection
• Andorra
• Argentina
• Faroe Islands
• Guernsey
• Isle of Man
• Israel
• Japan (under review)
• Jersey
• Canada (to some extent)
• New Zealand
• Switzerland
• UK (reassessed after 2 years)
• Uruguay
• South Korea

This thread, specifically focused on the commons.hour session, is closed now. Discussion continues here: Evolution #2 - Infrastructuring through federating