Evolution #2 - A `commons.hour` on data privacy and regulatory regimes

meet. coop intends to migrate to platform hosting by WebTV, a Canadian coop. This opens the possibility of choosing which data protection regulatory regime to be under - Canadian or European - or even of operating under both regimes on different servers, and offering members the choice as part of the service we give. This commons.hour aims to assemble the best knowhow that we have in our community, to underpin a sound strategic choice in this and to highlight practical issues.

This is urgent. Issues were identified by meet. coop Board of Stewards April 27th as needing initial assessment during May, preparing maybe for server hosting migration in June. Evolution 1 - Find a new home - #44 by mikemh

Please come into this thread with views on questions (below) and/or edits to the wiki post(s). Thanks.

This thread initially is to gather appropriate questions and assemble related knowhow, in the planning run-up to a commons.hour session. After the session the thread can hold outcomes of that exploration, issues framed for the meet. coop Board to choose on, and assemble some protocols for the meet. coop handbook.

A date poll is open here Sondage - A commons.hour session on data privacy and regulatory regimes - Framadate

Who has understanding and experience?

If you should be in this listing, do please add yourself, apologies for oversight.

Digital safety is an issue that intersects with data privacy and regulation. So include:

When to meet?

A date poll is open here Framadate

Update: Poll is closed, date and details are here. Evolution #2 - A `commons.hour` on data privacy and regulatory regimes - #9 by mikemh

What are the questions?

Please do edit/extend this list…
Three core topics:

  • 1 TransAtlantic difference
  • Key differences between Canadian and European regulatory frames?
  • Does regulation operate on the server or on the formal organisation that manages it?
    Does it matter where the organisation’s servers are, geographically?
  • Is GDPR really an effective option for North American data hosts (Canada, USA)?
  • 2 Surveillance vs commercial extraction
  • How much is the regulatory framework about privacy and extraction of users’ data (by commercial operators) , and how much is about access of State agencies (surveillance, legal demands for disclosure)?
  • What kinds of resistance to surveillance and disclosure have members of our community needed to mount,. With what kinds of consequences, or risks to our organisations and our members?
  • How much is State surveillance and discolure an issue in Europe, compared with the USA?
  • 3 Preferences
  • Expectations of meet. coop User members, regarding a regime of protection for their data? Would adopting one or other regulatory jurisdiction limit our membership and our service to our members?
  • Is there any consensus on the value of the European regulatory frame (GDPR) vis a vis North American frames (Canadian, US). Or the UK frame?

What are the data that meet. coop hosts?

  • Recordings of meetings, in Greenlight @ CA (Koumbit) or DE (Hetzner) servers
  • Live meeting traffic, in BBB. CA (Koumbit) or DE (Hetzner) servers
  • Membership database, in NextCloud spreadsheet @ Webarchitects UK. What data are held in the database? Financial data, geographical and internet address data, institutional affiliation data, personal names? Other? What does regulation make us accountable for?
  • Email correspondence, in Sogo @ Webarchitects UK
  • Postings in the Discourse forum @ Webarchitects UK (The forum has no copyright/copyleft marking but the handbook section is marked [Creative Commons — Attribution-ShareAlike 4.0 International — CC BY-SA 4.0] )
  • Data in other media spaces? Website? Handbook? Both these are posted by meet. coop. They are not open to direct writing by User members, and only hold information on Operational Members or Collaborating Members (organisations, not individuals), not on User Members or members of the public.
  • Etc?

Hi! My experience is from providing services to Swedish municipalities, and I’ve also been to a 5h lecture on data transfer by a legal expert. (Could try to summarize that lecture in English at some point…) A lot changed with Schrems II in 2020 when it comes to this, which in some ways make it more complicated, but also gives smaller open source companies a huge advantage to companies like Zoom, Google and Microsoft.
There are exceptions when you can transfer data legally, but it makes things extremely complicated, compared to keeping it all in the EU.
So as I understand things in short:

  • data needs to be handled in the EU, on EU based servers
  • if the company is based outside the EU or has a US parent company that has access to the servers, this also counts as data transfer, so basically the legal entity should be based in the EU (this is particularly bad news for Google and the rest of them)

Noyb, the organisation behind the Schrems II case has a lot of info on this. (it might be worth becoming a supporting member to get some advice from them?) EU-US Data Transfers | noyb.eu

1 Like

When to meet?
A date poll is open here Sondage - A commons.hour session on data privacy and regulatory regimes - Framadate
It covers two weeks at the end of May.

Please express any other prefences before the poll closes:
Poll closes 12may2023, 19:00 London time.

Would be great to share this :slight_smile: Brief summary maybe?

Date poll has closed: Sondage - A commons.hour session on data privacy and regulatory regimes - Framadate

Selected date is: Monday, May 22, 2023 - 18:00 London time. (European time = +1, N America Eastern time = -5, N America Pacific time - -8).

Topic: Data privacy - TransAtlantic regulatory regimes and migrating meet.coop. For details see the commons.hour announcement Commons.hour special - data privacy

See this important update by @anarcat on data laws on Quebec Commons.hour special - data privacy - #2 by mikemh These documents are in French. Here are machine translations into English : Nextcloud

Mostly, these are guides for data-holding organisations, about obligations under the new Quebec state law (‘Bill #25’) coming into force in stages between September 2021 and 2024.

A useful description of concepts, terms and principles for cloud hosting, by UK government (2021) : Cloud computing guidance . Broadly, meet. coop is a cloud hosting organisation.

Post-session documentation

Shared notes : Nextcloud
Full-feature playback: Playback
mp4 video: https://bbb.de.meet.coop/presentation/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849/meeting.mp4
mp4 download : https://bbb.de.meet.coop/download/presentation/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849/ff16731f1cbc3a25ea8332c15a0c65fb6e739b43-1684771322849.mp4

Reposted from @petter in Commons.hour special - data privacy

The seminar I went to listed Canada as approved by the EU “to some extent” (which might mean Quebec, don’t remember) . . . .

Countries with an adequate level of protection
• Andorra
• Argentina
• Faroe Islands
• Guernsey
• Isle of Man
• Israel
• Japan (under review)
• Jersey
• Canada (to some extent)
• New Zealand
• Switzerland
• UK (reassessed after 2 years)
• Uruguay
• South Korea

An update on the Schrems situation: the US has regained access to EU data, calling for a fresh Schems initiative. Reported here in il Manifesto by Boccionetti (Englis translation from DeepL, Italian original):

In this folder of material connected with the commons.hour session:

@petter you probably know of this already?

Not sure about this, there are challenges to Schrems from US all the time, but the official list of countries that are accepted for data transfer is listed by the EU commission here: Adequacy decisions

At Adequacy decisions Canada is recognised - ‘commercial organisations’. I guess a Montreal social coop is ‘a commercial organisation’.

002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539) Link

Reposting this. . . @mikemh posted in a private thread:

Data privacy and servers. And rental
Hi @andia I believe that the German (Hetzner) server is to be retained. Bcos according to @petter European users (especially governmental accounts and other ‘public’ organisations) are increasingly unwilling to use a service on any platform that is mounted outside the geographical range of GDPR. A degree of geographical chauvinism/paranoia has set in?

However, a Canadian host (say) can be licensed as a ‘data processor’ to view and handle data of European (GDPR) subjects, by the ‘data owner’ - a European organisation. In our case, I’m assuming that innovation.coop would need to be GDPR data owner, and WebTV a licensed data processor, for the German server. Or maybe another, more experienced GDPR actor in the meet. coop federation, like collective.tools. This has yet to be discussed eg with @petter, or agreed by/with @graham.

@gcotnoir are you aware that WebTV would need to be ‘licensed’ as a GDPR data processor? D’you have much procedural apparatus in WebTV currently, for the provisions of Law#25 in Quebec? Or is it very informal?

This data privacy thing will be a bit loose when we start? But needs nailing down rather soon? I guess the rental of the Hetzner account would need to be transferred rather soon. To innovation.coop? There’s certainly no need for Hypha to remain connected with the account? @Graham @dvdjaco

@gcotnoir responded:

I did not know about being “licensed” for GDPR, but I’ll look into it right away.

@petter d’you have experience of administering data owners and data processors under GDPR? @Graham does innovation.coop have background in this? @wouter d’you know about this practice?

There’s a related recent query in the forum of MayFirst, about GDPR coverage on a US site.

I posted a comment there, and the thread has some links that may help us with document examples, when we settle down - soon? - to create protocols for GDPR coverage of our Canadian servers and of WebTV as a data processor for GDPR covered data.