On Tue, Jun 12, 2018 at 11:56:13AM -0700, David Lang wrote: > [quoting github] > > It's important to remember that the Right to Erasure only applies to > personal data, not all data. It only applies to data a controller (GitHub, > for example) is processing _solely_ on the basis of consent. This is very obviously wrong. See Art. 17 GDPR. Consent is only one of the explicitly mentioned grounds for deletion (it is (1) lit b, but there's also a and c to f). > And it only > applies when there's not another legal reason to keep the data -- for > instance, if the data is no longer necessary for the purpose for which it > was collected. This incorrect claim is completely inverting the logic of Art. 17. The logic is clarly that if ANY of lit (a) to (f) is satisfied, the data must be deleted. It is not necessary for ALL of them to be satisfied. In particular, if the data is no longer necessary for the purpose for which it was collected, then THAT ALONE is grounds for erasure ((1) lit. a). It does not matter at all whether processing was consent-based or whether such consent was withdrawn. > We do not process Git commit history on the basis of consent. We have a > legitimate business purpose for collecting Git commit history: to maintain > the integrity of the Git commit record. It remains necessary for its purpose > for as long as a commit needs to be attributable to its committer. Right, but this merely justifies storing the data, not publishing it, or keeping it published, as I already explained at length. > At GitHub, as part of our Privacy By Design work, we offer ways for users to > set their own Git commit email data, so if an individual wants to remain > anonymous or pseudonymous, he or she can do so. Not only is this contradicting fundamentally what they just said in the previous sentence, it is not a justification for ignoring the right to erasure either. It is exactly the purpose of the right to erasure to get the data erased *after* the fact. > We also explain, in our > [Privacy > Statement](https://help.github.com/articles/github-privacy-statement), that > we are not able to delete personal data from the Git commit history once it > has been recorded. Privacy Statements are not a justification under GDPR for processing data or ignoring the right to erasure. And oh yes they are able. Rewriting history is a possibility, though an inconvenient one. I have pointed towards more convenient solutions. > I'll point out that not only did the Github lawyers need to sign off on this > stance, but the Microsoft lawyers would have looked at it as well as part of > their purchase of Github. So? If a thousand lawyers claim 1+1=3, it becomes a mathematical truth? Best wishes Peter -- Peter Backes, rtc@xxxxxxxxxxxxxxxxxxx