On Wednesday May 02 2018 17:44, you wrote to Markus Reschke:
MR>> Currently we're discussing the German version of the GDPR MR>> (General Data Protection Regulation) in R24 since it will take MR>> effect on May 25th. Unfortunately the German DSGVO seems to apply MR>> to Fidonet which is an unmitigated disaster IMHO. Do other EU MR>> states have exemptions for small companies or organizations?
WV> How is fidonet an "official" organization? We are just a bunch of WV> private persons, sending messages to eachother as a hobby. When I send WV> emails to my family members and they send some back. Are we as a WV> family regarded as an organization that the GDPR applies to? Do I need WV> to apply the GDPR to the emails of my family members that I stored on WV> my private computer?
MR>> How do you deal with this topic regarding Fidonet?
WV> I'm ignoring it.
I have given this some thought and it so happens that earlier todat I discussed this with my sister in law who is a laywer and who does the administration for a few small non profit organisations.
The conclusion is that ignoring is not an option. This law affects all organisations that deal with personal date. "Official" or not Fidonet /is/ an organisation. We have a hyrarchie, we have rules of conduct and we have a membership list. We are not exempt from this new law that in Dutch is called AVG, Algemene Verordening Gegevensbescherming.
We do handle personal data. Not to long ago a Dutch court ruled that an IP number is personal data. We distribute a list that links people to IP numbers. Either directly or via the host names.
It is unclear how this all will work out. Many things are vague and subject to interpretation. But in my mind it is clear that we are affected and ignoring is not an option.
One of the relevant rules is that on may not gather and distribute more personal date than needed for the proper functioning of the organisation without explicit permission .
Regarding the IP numbers, I think that can easely be justified as needed for the network to function. Fidonet is a peer to peer network and the IP numbers or host names are needed to make peer to peer connections.
One thing I think that is not required for the smooth operation of the network is the location. In the POTS age, the location was useful to control cost, but in the IP age this is no longer an issue.
So... one of the first things I will do in my capacity of NC280 to deal with this new law is to contact all the sysops in net 280 and ask for explicit permission to publishing their location in field 4 of the nodelist. If I do not get a positive respons by the official method of Fidonet communication - netmail - before Friday the 25th of May 2018, they will be listed in nodelist.145 with something neutral in field 4. I have not decided on exactly what. Maybe some consencus will evolve. Maybe just an underline, or -Unregistered- or something like that.
And oh, it applies to the point list as well...
Ignoring is not an option. Not for the *Cs anyway.
