This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/cooperation-wg@ripe.net/
[cooperation-wg] SMTP forwarding in the face of Data Protection Directive
- Previous message (by thread): [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
- Next message (by thread): [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jim Reid
jim at rfc1035.com
Wed May 18 23:37:35 CEST 2011
On 18 May 2011, at 19:56, Alessandro Vesely wrote: > How is the data subject's consent acquired? Consent for what? Joining the list? Receiving and posting messages? Being moderated or cross-posted to a newsgroup? > In response to the Data Protection Directive, operators should have > defined a protocol for obtaining and keeping proof of the consent. > It never happened. In > facts, it is very difficult to introduce new protocols for email. I think we need to be careful to avoid confusing each other. For the purposes of this discussion, "protocol" should mean an IETF specification. Let's use "process" to mean "protocol for obtaining and keeping proof of the consent" ie not an IETF protocol. A dictionary definition of protocol would include this "process" definition, but let's not use the same word for different things. List managers may need a process to show they have user consent. This might but probably won't need a protocol such as yet another tweak to SMTP. At least I hope it won't need that. With that clarification out of the way, the consent you ask about is probably implicit: eg your employer puts you on company mailing lists as a condition of employment or it's your job to join certain (public) lists. In other cases, the act of joining a mailing list implies consent. If you don't want the list to process your Personal Data (email address), don't join it. In other cases, consent may be inherited from other terms and conditions: eg your ISP or registrar puts you on some mailing list for management of your account or whatever and you agree to that as a part of doing business together. I am not a lawyer and don't play one on TV. However I have dealt with Data Protection issues and had too many non-trivial discussions with a DPA, the UK Information Commissioner's Office. [ICANN gTLD registry contracts and whois, if anyone cares... The scars have nearly healed in case any of you are asking.] The short answer to how your SMTP concern plays out will depend on the view of your DPA. So ask them. Or ask your lawyer first and then ask the national DPA. I would be surprised if there was unanimity or even consensus amongst the EU DPAs on this topic, assuming they have considered this issue in WP29. And yes, I realise this is underpinned by a couple of EU Directives. But how these get enacted and enforced in national law differs from country to country. Then there's the question of how the national DPA sees its responsibilities and priorities. I would expect most will either not care about electronic mailing lists or take the pragmatic view that since list membership is under the user's control, that in itself provides the required consent. However I would not bet money on this. Another rat-hole to explore is what the list manager does with the Personal Data and if consent is needed for adding list members to other lists. Or lists of lists. What constitutes proportionate and fair usage of Personal Data then? My head is now starting to hurt... Perhaps we could invite someone from WP29 to speak about this at the next WG meeting?
- Previous message (by thread): [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
- Next message (by thread): [cooperation-wg] SMTP forwarding in the face of Data Protection Directive
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]