[Board] GPDR
Ben Caradoc-Davies
ben at transient.nz
Sat Jul 14 17:45:09 PDT 2018
On 15/07/18 10:51, Ben Caradoc-Davies wrote:
> On 12/07/18 05:18, Jody Garnett wrote:
>> Anything missing in the above list?
> Name and email address in Git commits.
Of particular concern to Git repository maintainers is:
"Art. 17 GDPR Right to erasure (‘right to be forgotten’)"
https://gdpr-info.eu/art-17-gdpr/
because removal of personal identity information from a commit changes
its hash and requires rewriting the repository, which makes its history
incompatible with its clones.
The exemptions likely to be applicable include:
"3 Paragraphs 1 and 2 shall not apply to the extent that processing is
necessary"
"3(a) for exercising the right of freedom of expression and information;"
and especially:
"3(e) for the establishment, exercise or defence of legal claims."
In my view, recording author and committer identity information is
necessary to establish provenance and the validity of copyright
agreements. It might be useful to take legal advice on whether this
would be a valid basis for rejecting a demand for erasure.
"Art. 16 GDPR Right to rectification" seems to lack these exemptions:
https://gdpr-info.eu/art-16-gdpr/
See also this GitLab issue proposing the use of opaque identifiers in
Git commits:
GDPR Compliance: Maintain Separate Mapping of Commits to Authors in Gitlab
https://gitlab.com/gitlab-org/gitlab-ce/issues/42829
Kind regards,
--
Ben Caradoc-Davies <ben at transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
More information about the Board
mailing list