
Feature request GDPR compliance #membership


 

All,

Apologies if this has already been discussed or indeed this is the incorrect place for new feature requests. But I managed a groups io list where the committee have decided that in order to comply with GDPR every member must re-subscribe every 2 years.

After the issues getting people to subscribe in the first place I can see this being a nightmare!

My idea of a feature request is to have an extra field with a date that the acceptance with GDPR was declared for each member. Then have a function where the list sends a URL to each member and by clicking on this the field is updated.

Then have a feature where members with out of date acceptances can be emailed to remind them to do so. (Allow for specific text to be entered).

Finally a feature to remove all members with out of date acceptances from the list.

Apologies if this has already been raised or indeed it's the incorrect place. The list was created December 2016 so time left!

Thanks,

Chris



 

On Wed, Jul 18, 2018 at 03:35 PM, <groupsio@...> wrote:
But I managed a groups io list where the committee have decided that in order to comply with GDPR every member must re-subscribe every 2 years.
Is there anything in the GDPR that points towards the above being a requirement?

I think I would argue that your committee has made a rod for its own back and is now looking for someone else (ultimately Mark) to provide a technical solution. Groups.io has its own Privacy Policy and Mark has taken / is taking specialised advice about what is necessary to keep Groups.io in compliance with the requirements of the GDPR, and AFAIK renewals every other year don't feature.

I'm far from certain that it is in any way reasonable for your committee to more or less mandate that Groups.io finds a technical solution to a problem that it itself has generated, particularly so given that there is no clear legal requirement behind your request.

I have found what I think is your group's website, and I notice that there is no sign of a "Privacy Policy" statement anywhere on it! What I did notice is that there are several photographs of people who I assume to be some of your members; did each and every one of them give you permission in writing to use their image(s) on your website, and how long does that permission remain valid?

(Another...)

Chris.


 

Chris,

Apologies if this has already been raised or indeed it's the incorrect place.

GMF is a user-to-user forum, there are no Groups.io employees here. It is a good place to "trial balloon" a suggestion, that is get other users' comments and suggested improvements. However the official "suggestion box" is the beta group:

I'll concur with (the other) Chris that this sounds like a feature that only your group would use. So I think it would be a bit of a long-shot.

Shal


--
Help: /static/help
More Help: /g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


 

On 18/07/18 12:59 PM, Chris wrote:

the committee have decided that in order to comply with GDPR every member must re-subscribe every 2 years.
Which of the 18 or so official versions of the GDPR, and/or official
statute of the 28 member states and roughly dozen other countries that
tend to follow EU directives, are they looking at, to come to that
conclusion?

I know that the various official versions of the GDPR do conflict with
each other, and that some countries added things to it, and others
removed things from it, but of the half dozen translations of official
statutes, and half dozen official versions of the GDPR I've read, I
haven't seen anything that has that as a suggestion, much less a
requirement.

More pointedly, even the privacy lawyers in Europe are suggesting that
the wave of "please re-subscribe" requests that hit list-subscribers when
punishment for violating the GDPR went into effect, were unnecessary, if
the list had been adhering to the law that went into effect in 2002.

###

I'm assuming they are referring to the GDPR, as laid out by the European
Union. If they mean the GDPR, as proposed in California (^2), BRICS
(^1), or somewhere else, then that needs to be specified.

If they are looking at the privacy statutes in the Philippines, then;
* that law applies only within the Philippines;
* that law appears to be enforced only against those on the hit list of
the politicians that mismanage that country;

My recollection is that the two year requirement is for data retention,
with the count starting at the demise of the list. IOW, you have to keep
subscription information of each subscriber, from the time the
individual subscribes, until two years after the list shut down.
However, I might be confusing Philippine law, with that of another country.

My idea of a feature request is to have an extra field with a date that the acceptance with GDPR was declared for each member.
If the sole reason for implementing this feature is to conform with
an alleged requirement of the GDPR, then the requester needs to
cite both the statute law and the case law, that supports the alleged
requirement. Given the plethora of requests Mark has been given, I don't
see him implementing this, unless Legal-Man presents a very solid legal
case for so doing.

Using Estonian law as the example, the requirement is that the list
owner show the date that the individual subscribed, and be able to
demonstrate that the subscription was voluntary in nature. I'm not going
to go into what constitute "voluntary" and "involuntary" under Estonian
Law, except to say that as a general rule of thumb, somebody sending an
email to an email list, to subscribe to the list, is "voluntary". The
major exception is when subscribing is required, to participate in a
sweepstakes, or similar giveaway.

Groups.IO keeps the date that one subscribed to a list, and how they
subscribed (email, web, moderator/owner added, other). This record
conforms with current Estonian law.

Finally a feature to remove all members with out of date acceptances from the list.
Back around 1992, it was fairly common for list-owners to unsubscribe
everybody on all of the lists they owned, or managed, at least once a
year. Then Eternal Fall happened, and list subscribers appeared to have
lost the ability to know how to re-subscribe. If that list committee
really thinks that the GDPR mandates re-confirming list subscriptions
every two years, then the simple solution is for them to, on the first
Monday of even years, unsubscribe everybody on the list, regardless of
when they subscribed to the list, and wait for people to re-subscribe.
Call it _The Great Biannual Re-subscription Day_.

Apologies if this has already been raised or indeed it's the incorrect place.
This is a good place to float ideas.

Responses might not be what you expect, but will, as a general rule,
explain why a proposal is a good idea, or a bad idea, or needs more
information, to ascertain the utility of the proposal.

###

^1: Brazil, Russia, India, China, South Africa. All five have floated a
proposal similar to the GDPR in the last six months. Just how they
reconcile it with their internal security "requirements", makes for some
interesting situations.

^2: The California statute, which is a watered down version of the GDPR,
goes into effect 1 January 2020. Off the cuff, I'd be very surprised if
it mandated all list subscriptions be verified every two years. I don't
remember reading anything that carved out a special exemption for
politicians. I'm fairly confident that no political campaign manager
wants to devote one week each year, to confirm that their donors still
want to donate to CREEP,(^3) or whatever the politician chooses to call
his/her re-election fund.

^3: CREEP: _Committee to RE-Elect the President_ was the name of Nixon's
campaign, in 1972.

I am not a lawyer. This is not legal advice.


jonathon


 

On Wed, Jul 18, 2018 at 08:50 PM, toki wrote:
I am not a lawyer. This is not legal advice
Given that there is quite a lot of it, what "status" would you then ascribe to it? It seems odd to spend time and effort posting a detailed comment and then nearly saying "don't pay any attention to it".

To add to my previous comment, if my original digging found the right target then the organisation to which the OP referred (now no longer traceable from scratch; I suspect that the original message was later edited to remove a revealing detail) also has a publicly accessible Facebook page. I therefore pose similar questions to that I asked previously; have all the people whose photographs appear on that Facebook page provided written consent for their likenesses to be used, and how often are they required to renew that permission? Have all those whose names appear as having "liked" something also given their permission for their names to be revealed? Have you asked Facebook to provide a facility similar to that you are considering requesting from Groups.io?

At the risk of being accused of repeating myself I am of the view that considering asking Groups.io to provide a technical solution to a problem that your committee has (I think) more or less invented is wholly unreasonable, unless of course you can specify some part of the GDPR (as interpreted in <location redacted>) that will be breached if the capability is not provided.

Chris


 

On 19/07/18 09:23 AM, Chris Jones via Groups.Io wrote:

I am not a lawyer. This is not legal advice
Given that there is quite a lot of it, what "status" would you then ascribe to it?
Since I'm not a lawyer, the only thing it can legally be, is the opinion
of an individual. One might hope that said individual has spent time
studying the law in question, including cases arising from it, and
reflects something approximating the current legal situation.

It seems odd to spend time and effort posting a detailed comment and then nearly saying "don't pay any attention to it".
There is this thing known as "practising law without license".
If one doesn't explicitly proclaim that one is not a lawyer, one can run
afoul of legislation related to the practice of law.

Under the laws of the legal jurisdiction in which I reside,
both "Using Estonian Law as an example..." and the description of the
Philippine Privacy Statute looks like a legal opinion, and hence can be
construed as practising law without a license. Thus the requirement for
the disclaimer.

If you read legal books, or browse legal websites, you'll see a similar,
albeit much longer disclaimer. First Year Law students are always
surprised to see the disclaimer in their textbooks, and even more
surprised upon encountering it in their State Reporter.

At the risk of being accused of repeating myself I am of the view that considering asking Groups.io to provide a technical solution to a problem that your committee has (I think) more or less invented is wholly unreasonable, unless of course you can specify some part of the GDPR (as interpreted in <location redacted>) that will be breached if the capability is not provided.
+1



I am not a lawyer. This is not legal advice.

jonathon


Jim Higgins
 

Amen... and... isn't Groups.io located entirely within the USA?

If so, completely ignoring whether the GDPR really contains the rule in question... does the EU and its GDPR really create any obligation whatsoever on the part of Groups.io?

Jim H


Received from Chris Jones via Groups.Io at 7/19/2018 09:23 AM UTC:

At the risk of being accused of repeating myself I am of the view that considering asking Groups.io to provide a technical solution to a problem that your committee has (I think) more or less invented is wholly unreasonable, unless of course you can specify some part of the GDPR (as interpreted in <location redacted>) that will be breached if the capability is not provided.

Chris


Glenn Glazer
 

On 7/19/2018 21:42, Jim Higgins wrote:

Amen... and... isn't Groups.io located entirely within the USA?

If so, completely ignoring whether the GDPR really contains the rule in question... does the EU and its GDPR really create any obligation whatsoever on the part of Groups.io?

Jim H
It does if it has users who are overseas. The company I work for is exclusively in the US, but we've had to do major GDPR steps because of our international clientele.

Best,

Glenn


 

On 20/07/18 04:42 AM, Jim Higgins wrote:

Amen... and... isn't Groups.io located entirely within the USA?
Whilst the servers, and the Sysadmin are located within the US, the
Domain Name Register ostensibly falls under British law, making the
domain automatically subject to British, and EU law.

does the EU and its GDPR really create any obligation whatsoever on the part of Groups.io?
Depending upon which official version of the GDPR one reads, it applies
either to residents of Europe, citizens of the European Union, or both
groups. On second thoughts, I think all of the official versions have
harmonized on residents of Europe. Some countries wrote their version to
include both residents, and citizens of the country.

Technically, the GDPR only applies to physical residents, but material
on one of the Estonian bureaucracies was ambiguous about the status of
the Digital Residents & the GDPR. The Estonian Privacy Commission
responded to my email, stating that Digital Residents are not explicitly
covered, but if they are residents of the EU, they would be covered
under local laws, whether Estonia, or another country.

Pop quiz: Name the cities and towns in North America, in which the GDPR
unambiguously applies.

jonathon


 

On 7/20/2018 2:25 PM, toki wrote:
Pop quiz: Name the cities and towns in North America, in which the GDPR
unambiguously applies.
Saint Pierre and Miquelon?

--
Bill


 

Thank you for all your responses and time! I think they've been persuaded that having to force everyone to re-apply wouldn't work in practice. The UK national charity that the group is part of think they should control all email addresses but haven't produced a means for group email contact with this.

Chris


 

On 20/07/18 07:05 PM, Bill Burns wrote:
On 7/20/2018 2:25 PM, toki wrote:
Pop quiz: Name the cities and towns in North America, in which the GDPR
unambiguously applies.
Saint Pierre and Miquelon?
And we have a winner.

Technically, that is the name of the French Department, not the cities
and towns within it.

jonathon