On Wed, Oct 10, 2018 at 10:41:07PM -0400, Dusty Mabe wrote:
> /me waves at legal experts
>
> In the Fedora CoreOS community we'd like to log our IRC channel so we
> can refer back to conversations we've had or link people to conversations
> if they weren't in the channel and start a discussion with them while
> allowing them to gain full context.
>
> We were using botbot.me, but they will be shutting down soon [1]. We
> are looking to explore other options for this and are looking for legal
> help to know what we can and can not do. A few comments/questions:
>
> - logging channels seems to possibly conflict with GDPR
> - if we were to keep logs for a shorter period of time, would it help?
> - if an individual kept logs and provided a service, would that be
>   possible or would that possibly have implications for the individual's
>   employer?
> - Are fedora irc meeting logs something that should have GDPR concern?
> - If not, why not? Could the same reason apply to a general channel?
>
> Do you have any advice on how we can achieve this goal?
>
> See [2] where we have been having this discussion in Fedora CoreOS community.
>
> Thanks for any help you can provide!
> Dusty
>
> [1] https://lincolnloop.com/blog/saying-goodbye-botbotme/
> [2] https://github.com/coreos/fedora-coreos-tracker/issues/11#issuecomment-426069775

While IANAL, here is some guidance I can give based on recent experience in looking at the GDPR:

The Fedora Project has a legitimate business interest in maintaining records that sometimes have personally identifying information. This is balanced against GDPR rights such as the so-called "right to be forgotten," which itself is not unlimited. This is a basis on which we maintain records like email archives and other communications the community uses to research, analyze, understand, and act on background or other information.

A limited lifespan for communications certainly means less risk of upsetting that balance.
So if you intend these communications to be archived for only a window of a week or two, that's helpful.

It would be a good idea to inform all channel users about any round-the-clock logging. I'd recommend text like "NOTE: This channel is logged at all times for historical and decision purposes. Logs are retained for <$TIME> and can be found here: <$URL>." I'd also recommend having a bot that echoes a notice to the channel routinely, at least every few hours (hourly would be even better). The point is to make sure no one is under-informed.

I do not recommend an individual do the logging or retention, since I don't know whether they'd have the same level of legitimacy in retaining information as the Fedora Project does.

Given what I know about GDPR and our project, the above seems reasonable. Periodic IRC meetings have different sets of expectations.

--
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
    The open source story continues to grow: http://opensource.com