On Thu, Oct 11, 2018 at 5:52 PM Dusty Mabe <dusty@xxxxxxxxxxxxx> wrote:
>
> On 10/11/2018 05:12 PM, Paul W. Frields wrote:
> > On Wed, Oct 10, 2018 at 10:41:07PM -0400, Dusty Mabe wrote:
> >> /me waves at legal experts
> >>
> >> In the Fedora CoreOS community we'd like to log our IRC channel so we
> >> can refer back to conversations we've had or link people to conversations
> >> if they weren't in the channel and start a discussion with them while
> >> allowing them to gain full context.
> >>
> >> We were using botbot.me, but they will be shutting down soon [1]. We
> >> are looking to explore other options for this and are looking for legal
> >> help to know what we can and can not do. A few comments/questions:
> >>
> >> - logging channels seems to possibly conflict with GDPR
> >> - if we were to keep logs for a shorter period of time, would it help?
> >> - if an individual kept logs and provided a service, would that be
> >>   possible or would that possibly have implications for the individual's
> >>   employer?
> >> - Are fedora irc meeting logs something that should have GDPR concern?
> >>   - If not, why not? Could the same reason apply to a general channel?
> >>
> >> Do you have any advice on how we can achieve this goal?
> >>
> >> See [2] where we have been having this discussion in Fedora CoreOS community.
> >>
> >> Thanks for any help you can provide!
> >> Dusty
> >>
> >> [1] https://lincolnloop.com/blog/saying-goodbye-botbotme/
> >> [2] https://github.com/coreos/fedora-coreos-tracker/issues/11#issuecomment-426069775
> >
> > While IANAL, here is some guidance I can give based on recent
> > experience in looking at the GDPR:
> >
> > The Fedora Project has a legitimate business interest in maintaining
> > records that sometimes have personally identifying information. This
> > is balanced against GDPR rights such as the so-called "right to be
> > forgotten," which itself is not unlimited. This is a basis on which
> > we maintain records like email archives and other communications the
> > community uses to research, analyze, understand, and act on background
> > or other information.
> >
> > A limited lifespan for communications certainly means less risk of
> > upsetting that balance. So if you intend these communications to be
> > archived for only a window of a week or two, that's helpful.
> >
> > It would be a good idea to inform all channel users about any
> > round-the-clock logging. I'd recommend text like "NOTE: This channel
> > is logged at all times for historical and decision purposes. Logs are
> > retained for <$TIME> and can be found here: <$URL>." I'd also
> > recommend having a bot that echoes a notice to the channel routinely,
> > at least every few hours (hourly would be even better). The point is
> > to make sure no one is under-informed.
> >
> > I do not recommend an individual do the logging or retention, since I
> > don't know whether they'd have the same level of legitimacy in
> > retaining information as the Fedora Project does.
> >
> > Given what I know about GDPR and our project, the above seems
> > reasonable. Periodic IRC meetings have different sets of
> > expectations.
> >
>
> Thanks Paul. I'll try to make sure all of your recommendations get put
> into practice. I'll also reach out to fedora infra to see if we can set
> up a botbot.me instance to solve this problem for us in the future.

Suggestion: Build a containerized service and offer to keep it updated,
so that all they have to do is deploy it in an OpenShift cluster.

josh
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx