Well, you're talking about the European Directive 2002/58/CE on Privacy
related
For everybody's concern, the text of the Directive is here :
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexdoc!prod!CELEXnumdo…
As a first answer (actually the problem in answering this question) is
that there does *NOT* exist an EU law on privacy; the EU has approved a law
about that, but it is not a law in the strict sense. Every state of the EU
has approved its own law about that, basing it on the rights
explained in the EU decisions (yes, I know it is a very difficult
thing, very difficult to understand).
Well, there is a European Directive and it has been adapted in almost
every European country. But even countries that did not adapt it yet
can already apply it directly. So there is a law actually... Following
this Directive is the best way to comply with national legislations.
1) You should inform people when you are gathering personal information
(note that the law is about personal data of people only; there is no
protection on data of companies, business firms and so on) and who is
managing the data, in what manner and why, and the instructions to use
their rights about their data.
2) You should give people the right (and give them instructions on
how to obtain it) to know what data you hold about them and to
require them to be deleted on request. (Note that these rights are not
respected even by public and state organizations, with the excuse of
being under duties of keeping data by some other laws.)
3) You should inform if data will be kept in the state or if they
are going to be transmitted abroad.
These are the guidelines of 2002/58/CE. You must inform users and give
them the right to access/modify/delete the information gathered on them.
Point 2 could be a little bit problematic. Can we delete some data if
people request it?
But the law is difficult to interpret and to understand what it
means. What does personal information really mean?
Personal information means anything that can allow you to identify
someone, even indirectly. For example, dates of birth and names are
personal information. But even dates and nicknames or IP are also
personal information. A database can very well be anonymous and contain
personal information at the same time.
It is my opinion (but it is just this) that IP numbers are not
personal information (since they are just numbers).
IP numbers are personal information because you can cross them with
other databases in order to identify people.
But the important and very difficult part to understand is about the
limit of the law regarding geographic position. Are people outside the EU
required to respect this law? If someone accesses some personal
data on a server in the EU (or Italy) from a different state, is this a
transfer of personal data? A typical example of data transfer is if
someone collects personal data in one state (say for example Italy) and
then sends them to a company abroad to have them statistically analyzed
or for using them as a mailing list address. In this example the
collector actively sends the whole of the data abroad. But is
accessing some data from abroad the same thing or not? If data are
kept on a server in the same state and someone accesses this server
from abroad, can this be qualified as a transfer abroad or not?
Well, data transfers to the US are authorized since an EU decision of
2000/07/26.
But a crucial point is whether gathering data about access to the server
is personal data or not (keep in mind that the law is only about personal
data; things such as knowing that the user who accessed the web server
today is the same as yesterday, without knowing who the user is (e.g.
with a cookie), are *IN MY opinion* not completely qualifying as personal
data).
Actually cookies are personal information. They are even explicitly
mentioned by 2002/58/CE at point 25:
"such devices, for instance so-called "cookies", [...] their use should
be allowed on condition that users are provided with clear and precise
information in accordance with Directive 95/46/EC about the purposes of
cookies or similar devices [...]"
On the other hand, I strongly see the need that an editor of a page is
*STRONGLY* informed that everything he/she sends to the wiki... will
become immediately visible to everyone accessing the page, and
so he/she should do it only if he/she accepts this (in particular, but not
limited to, personal data). I have found some people (even though I put
many relevant notes on that) sending stories to the Italian Wikinews giving
their personal data (such as real name, mobile phone number and so on),
acting as if they believe that the message will be visible only to the
"journalist" (like when you send a letter to a newspaper).
sounds good to me... :)
I would also like to propose that any person with access to server logs
(which include IP addresses), including people with access to the
checkuser tool, should sign a legal agreement of some sort with the
Wikimedia Foundation concerning non-disclosure of this information.
The more important part is not about disclosure, but that they act on
personal data with respect to people's legal rights and use them just
for the purpose stated in the information given to people.
Exactly, but concluding an agreement about it could help to better
inform them on this point.
These European squid servers are a particular case. I do not know how
the legislation will consider them. The logs on the squid about the squid
are surely pertinent to the EU, but what about the data that just
transit on the squid to be delivered to the Florida server? People
believe that data are just sent to the Wikipedia server (well, actually I
do not know where people believe it is).
Actually european law protects european citizens and it does not really
matter whether the data is collected within or outside Europe, the
court's decision would simply be difficult to apply abroad, but it would
get full effect within the EU.
I don't think the foundation would enjoy being banned from the EU...