meet. coop intends to migrate to platform hosting by WebTV, a Canadian coop. This opens the possibility of choosing which data protection regulatory regime to be under - Canadian or European - or even of operating under both regimes on different servers, and offering members the choice as part of the service we give. This commons.hour aims to assemble the best knowhow that we have in our community, to underpin a sound strategic choice in this and to highlight practical issues.
Please come into this thread with views on questions (below) and/or edits to the wiki post(s). Thanks.
This thread initially is to gather appropriate questions and assemble related knowhow, in the planning run-up to a commons.hour session. After the session the thread can hold outcomes of that exploration, issues framed for the meet. coop Board to choose on, and assemble some protocols for the meet. coop handbook.
Please do edit/extend this list…
Three core topics:
1 TransAtlantic difference
Key differences between Canadian and European regulatory frames?
Does regulation operate on the server or on the formal organisation that manages it?
Does it matter where the organisation’s servers are, geographically?
Is GDPR really an effective option for North American data hosts (Canada, USA)?
2 Surveillance vs commercial extraction
How much is the regulatory framework about privacy and extraction of users’ data (by commercial operators) , and how much is about access of State agencies (surveillance, legal demands for disclosure)?
What kinds of resistance to surveillance and disclosure have members of our community needed to mount,. With what kinds of consequences, or risks to our organisations and our members?
How much is State surveillance and discolure an issue in Europe, compared with the USA?
Expectations of meet. coop User members, regarding a regime of protection for their data? Would adopting one or other regulatory jurisdiction limit our membership and our service to our members?
Is there any consensus on the value of the European regulatory frame (GDPR) vis a vis North American frames (Canadian, US). Or the UK frame?
Recordings of meetings, in Greenlight @ CA (Koumbit) or DE (Hetzner) servers
Live meeting traffic, in BBB. CA (Koumbit) or DE (Hetzner) servers
Membership database, in NextCloud spreadsheet @ Webarchitects UK. What data are held in the database? Financial data, geographical and internet address data, institutional affiliation data, personal names? Other? What does regulation make us accountable for?
Data in other media spaces? Website? Handbook? Both these are posted by meet. coop. They are not open to direct writing by User members, and only hold information on Operational Members or Collaborating Members (organisations, not individuals), not on User Members or members of the public.
Hi! My experience is from providing services to Swedish municipalities, and I’ve also been to a 5h lecture on data transfer by a legal expert. (Could try to summarize that lecture in English at some point…) A lot changed with Schrems II in 2020 when it comes to this, which in some ways make it more complicated, but also gives smaller open source companies a huge advantage to companies like Zoom, Google and Microsoft.
There are exceptions when you can transfer data legally, but it makes things extremely complicated, compared to keeping it all in the EU.
So as I understand things in short:
data needs to be handled in the EU, on EU based servers
if the company is based outside the EU or has a US parent company that has access to the servers, this also counts as data transfer, so basically the legal entity should be based in the EU (this is particularly bad news for Google and the rest of them)
Noyb, the organisation behind the Schrems II case has a lot of info on this. (it might be worth becoming a supporting member to get some advice from them?) EU-US Data Transfers | noyb.eu
The seminar I went to listed Canada as approved by the EU “to some extent” (which might mean Quebec, don’t remember) . . . .
Countries with an adequate level of protection
• Faroe Islands
• Isle of Man
• Japan (under review)
• Canada (to some extent)
• New Zealand
• UK (reassessed after 2 years)
• South Korea
An update on the Schrems situation: the US has regained access to EU data, calling for a fresh Schems initiative. Reported here in il Manifesto by Boccionetti (Englis translation from DeepL, Italian original):
In this folder of material connected with the commons.hour session:
Not sure about this, there are challenges to Schrems from US all the time, but the official list of countries that are accepted for data transfer is listed by the EU commission here: Adequacy decisions
At Adequacy decisions Canada is recognised - ‘commercial organisations’. I guess a Montreal social coop is ‘a commercial organisation’.
002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539) Link
Reposting this. . . @mikemh posted in a private thread:
Data privacy and servers. And rental
Hi @andia I believe that the German (Hetzner) server is to be retained. Bcos according to @petter European users (especially governmental accounts and other ‘public’ organisations) are increasingly unwilling to use a service on any platform that is mounted outside the geographical range of GDPR. A degree of geographical chauvinism/paranoia has set in?
However, a Canadian host (say) can be licensed as a ‘data processor’ to view and handle data of European (GDPR) subjects, by the ‘data owner’ - a European organisation. In our case, I’m assuming that innovation.coop would need to be GDPR data owner, and WebTV a licensed data processor, for the German server. Or maybe another, more experienced GDPR actor in the meet. coop federation, like collective.tools. This has yet to be discussed eg with @petter, or agreed by/with @graham.
@gcotnoir are you aware that WebTV would need to be ‘licensed’ as a GDPR data processor? D’you have much procedural apparatus in WebTV currently, for the provisions of Law#25 in Quebec? Or is it very informal?
This data privacy thing will be a bit loose when we start? But needs nailing down rather soon? I guess the rental of the Hetzner account would need to be transferred rather soon. To innovation.coop? There’s certainly no need for Hypha to remain connected with the account? @Graham@dvdjaco
There’s a related recent query in the forum of MayFirst, about GDPR coverage on a US site.
I posted a comment there, and the thread has some links that may help us with document examples, when we settle down - soon? - to create protocols for GDPR coverage of our Canadian servers and of WebTV as a data processor for GDPR covered data.