John Fawcett
2022-Jan-05 18:00 UTC
GDPR/sender-ip (was: make received-header on submission optional or at least drop the ip in it)
On 05/01/2022 18:36, Sam Kuper wrote:> On Wed, Jan 05, 2022 at 06:00:31PM +0100, John Fawcett wrote: >> my understanding of the GDPR legislation is that it defines what is >> considered lawful processing. One of those items that makes the >> processing lawful is consent. > Not necessarily. > > An action that would not be lawful without consent is not automatically > made lawful with consent, including under GDPR. >Correct there could be other reasons that make processing unlawful. However, GDPR will allow processing if the data subject consents and I think taht is what we are talking about in this thread.> >> If I send an email to a public mailing list I think it's fair to say >> that I am providing consent. > Again, not necessarily. > > First of all, consent cannot necessarily be assumed.Correct that it cannot necessarily be assumed. But in this case I think it would be fair to assume it when someone sends an email to a public mailing list that consent has been given. I cannot see how having sent an email to a public mailing list I can then object to people processing it. Although it's not a question about GDPR, if I DID then change my mind, I cannot see a technical way to enforce it.> > Secondly, a person sending an email to a mailing list might very well > consent for the mailing list's recipients to receive the content, > subject, and reply address of that email - but *not* the IP address from > which it was sent.Correct. That is why I mentioned as an alternative "request that your users consent to the processing of the data".> > > Sam > >
Sam Kuper
2022-Jan-07 13:01 UTC
GDPR/sender-ip (was: make received-header on submission optional or at least drop the ip in it)
On Wed, Jan 05, 2022 at 07:00:19PM +0100, John Fawcett wrote:> On 05/01/2022 18:36, Sam Kuper wrote: >> On Wed, Jan 05, 2022 at 06:00:31PM +0100, John Fawcett wrote: >>> my understanding of the GDPR legislation is that it defines what is >>> considered lawful processing. One of those items that makes the >>> processing lawful is consent. >> >> Not necessarily. >> >> An action that would not be lawful without consent is not >> automatically made lawful with consent, including under GDPR. > > Correct there could be other reasons that make processing unlawful.Indeed.> However, GDPR will allow processing if the data subject consents [..]Not necessarily. The consent must meet four tests before it is valid for GDPR purposes. It must be: - freely given, - specific, - informed, and - unambiguous. See https://gdpr.eu/gdpr-consent-requirements/>>> If I send an email to a public mailing list I think it's fair to say >>> that I am providing consent. >> >> Again, not necessarily. >> >> First of all, consent cannot necessarily be assumed. > > Correct that it cannot necessarily be assumed. But in this case I > think it would be fair to assume it when someone sends an email to a > public mailing list that consent has been given. I cannot see how > having sent an email to a public mailing list I can then object to > people processing it. [..]You say you cannot see it, but I gave an example below, in my previous email:>> Secondly, a person sending an email to a mailing list might very well >> consent for the mailing list's recipients to receive the content, >> subject, and reply address of that email - but *not* the IP address >> from which it was sent. > > Correct. That is why I mentioned as an alternative "request that your > users consent to the processing of the data".The IP address is a different kind of datum to the content, subject, and reply address. For instance: - The IP address is likely to allow the user's location (city or region) to be inferred, in a manner typically outside the user's control. As such, disseminating the IP address unnecessarily would reduce the user's privacy. - The sender of an email is likely to be aware of the content, subject, and sender address of an email that they send, because MUA UIs typically make this clear. But many (most?) email users don't know what IP addresses are or what can be inferred from them, and so *cannot* (without being provided with a clear explanation) give informed consent about divulging their IP addresses unnecessarily. So, unless a service provider obtains user consents meeting the four tests above, in respect of *each kind* of datum they intend to process, then the service provider would on the face of it be in breach of the GDPR in respect of that kind of datum. In particular, the "freely given" consent means that provision of a service, etc, should not be contingent upon consent. I.e. if it is not *necessary* (which it isn't, by definition) for some kind of datum (e.g. users' IP addresses) to be disseminated more widely than necessary, then a service provider cannot validly under the GDPR require a user to consent to such dissemination in order to receive the service. Such contingency would render the consent not freely given. Sam -- A: When it messes up the order in which people normally read text. Q: When is top-posting a bad thing? () ASCII ribbon campaign. Please avoid HTML emails & proprietary /\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.