
Comments (8)

jankass commented on August 23, 2024 4

Hello,

In the last months I have been dealing with Delta Chat and GDPR. First of all I am glad about everybody who is interested in this complex topic.

“The GDPR session of the site does not make sense if you live outside Europe and make the app feel something eurocentrist. “

I am very sorry that we leave this eurocentric impression. Privacy is indeed a global issue and is more and more treated as such: According to the United Nations Conference on Trade and Development, 107 countries have put in place legislation to secure the protection of data and privacy.
https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
As servers, providers and users often end up in different corners of the world, in many places attempts are being made to comply with uniform data protection standards: As a result, for instance, the new Australian Privacy Amendment (Notifiable Data Breaches) Act from 2017, as well as the California Consumer Privacy Act of 2018 and new Japanese legal attempts, are very similar in their wording and meaning to the GDPR.

“Also, there are other laws out there that touches in the same object, which is personal data protection as, for instance, Brazilian Law of personal data protection, approved in the current year (2018).”

Brazil in particular has had, since 14 August 2018, a new general data protection law, the Lei Geral de Proteção de Dados, harmonized, because of its structure and content, with the European law. This suggests that mutual recognition of an appropriate level of data protection by the EU Commission and the future Brazilian authority could facilitate data transfer between Brazilian and EU companies in the future.

“I think it'd make more sense to talk about privacy compliance and its relation with GDPR in a broader manner, comprising it and not discarding or disregarding other laws from other countries or supranational organizations.”

This is a really good and important objection that I could not turn to due to time constraints and in view of the many legal acts mentioned above.
However, I find it rather strict to talk about discarding or disregarding considering the many overlaps and legal influences of the GDPR on international data protection laws.

“There's more, I have not, yet, studied GDPR deep enough to be peremptory, but as far as I'm aware, it's aimed to data processors as business organizations, so it does not apply to purely personal or household activity and thus with no connection to a professional or commercial activity*.”

It does not apply to purely personal or household activity, yes. But often the legal difference between professional and personal data processing isn’t that obvious: Doctors send health data in a private messenger, minors upload the address books of their phones, etc. There are still many gray areas and unexplained cases, which makes data protection law currently so exciting.

Here are some papers on the global impact of the GDPR I highly recommend.

Intangible Privacy Rights: How Europe's GDPR Will Set a New Global Standard for Personal Data Protection; Safari, Beata A.; Seton Hall Law Review, 47(3):809-848, 2017

The global impact of the new General Data Protection Regulation (GDPR); Enyedi, Márta; Fézer, Tamás; DE--Állam- és Jogtudományi Kar, 2018

The EU General Data Protection Regulation (GDPR): European regulation that has a global impact; Goddard, Michelle; International Journal of Market Research, 2017, Vol. 59, Issue 6, p703-705, 3p.

from deltachat-pages.

guland2000 commented on August 23, 2024

luisfsr
You are absolutely wrong, and here's why:
The GDPR has an extraterritorial effect and is applied to all companies that process personal data of residents and EU citizens, regardless of the location of such a company.
So, this means that organizations that process personal data of Europeans in non-European countries in the implementation of online sales (for example, train, airlines, hotels, hostels and others) are subject to the GDPR and must comply with the new European rules for processing personal data.

from deltachat-pages.

luisfsr commented on August 23, 2024

Hi @guland2000. I agree with you that GDPR has an extraterritorial side-effect, but that's not absolute. You may bring to your considerations that people outside Europe and that are non-Europeans also use Delta Chat, thus even if GDPR has effect in the development of the app, the law that protects that non-European citizen is another law, from another country. And more, I'm not sure that DC could be considered a European application, since it's open source code and, hypothetically, could be written by people from all over the world. So, for instance, writing about GDPR for Brazilian users/developers of DC is something pretty distant, since they are non-Europeans, they live outside Europe and Brazil has a specific law for data protection. I think it'd make more sense to talk about privacy compliance and its relation with GDPR in a broader manner, comprising it and not discarding or disregarding other laws from other countries or supranational organizations. There's more, I have not, yet, studied GDPR deep enough to be peremptory, but as far as I'm aware, it's aimed to data processors as business organizations, so it does not apply to purely personal or household activity and thus with no connection to a professional or commercial activity*. In that situation, and maybe this is DC situation, GDPR wouldn't be applicable even in European territory because it's out of its scope. See the extract of the regulation:

*Article 2
Material scope

  1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
  2. This Regulation does not apply to the processing of personal data:
    (a) in the course of an activity which falls outside the scope of Union law;
    (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
    (c) by a natural person in the course of a purely personal or household activity;
    (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
  3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
  4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
    Source: Regulation (EU) 2016/679

See also the Q/A "What does the General Data Protection Regulation (GDPR) govern?".

At last I lay a question: Does DC process data of its users?

from deltachat-pages.

Hocuri commented on August 23, 2024

At last I lay a question: Does DC process data of its users?

Of course it does, but only locally on the user's device, which is no problem from a GDPR point of view (correct me if I am wrong). The GDPR is about the data you process on your (cloud) servers.

from deltachat-pages.

luisfsr commented on August 23, 2024

Nice @Hocuri. It processes data locally. So it leads to the question if this data forms part of a filing system or is intended to form part of a filing system. Which I assume "no", as you pointed out by stressing that GDPR applies to "cloud data processing". It seems DC is out of the material scope of GDPR (article 2, item 1, "fine")... DC improves our privacy (our fundamental rights) but it is not subject to GDPR.

from deltachat-pages.

luisfsr commented on August 23, 2024

Hello @jankass!
Indeed GDPR plays a really important role in the world. It, no doubt, is the fountain from which the "Lei de Proteção de Dados" has drunk, since it has the same basic structure and definitions (which suggests mutual recognition). IMO, GDPR has an extraterritorial side-effect which is more sociological than legal and that's really good for a better world; and in this aspect I may have used improperly the words "disregarding or discarding", sorry.
On the other hand, I'm not yet convinced that DC is in GDPR's material scope because of the above mentioned aspects of article 2, item 1, which in my point of view are not alternative, but rather cumulative (processing of personal data + filing system), without forgetting the exclusion cases of item 2*. I'm not pointing it out as a problem with DC, on the contrary, DC acts as a self-defense app in a case of GDPR non-implementation by the mail provider side. As a matter of fact, using DC is much more effective than relying solely on GDPR.
I promise that if I can get access to the papers you recommended above I'll read them.

* PS.: You pointed out the doctor-patient relation that goes through messengers. In that regard, if such thing happened in Brazil, the law that would be applicable in the relation doctor-patient would be a different one than the relations doctor-data-processor and patient-data-processor (not sure it would be the same in other corners of the world).

from deltachat-pages.

lefherz commented on August 23, 2024

@luisfsr how would you proceed?

e.g. taking down the GDPR landing page for eurocentrism reasons, or adding other pages about privacy law in other countries?

personally I would prefer to close this issue, as it didn't have activity in a year.

from deltachat-pages.

luisfsr commented on August 23, 2024

Hello @lefherz,
In addition to my above stated suggestions, @hpk42 came up with an idea.
If my help is needed at some point I'd be pleased to help.
Cheers.

from deltachat-pages.
