2002/58/CE (was: Re: [Foundation-l] Re: Privacy concerns)

Jean-Baptiste Soufron jbsoufron at gmail.com
Sun Oct 23 11:42:41 UTC 2005


Well, you're talking about the European Directive 2002/58/CE on Privacy 
related

For everybody's concern, the text of the Directive is here:

http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexdoc!prod!CELEXnumdoc&lg=EN&numdoc=32002L0058&model=guicheti

> As a first answer (actually problem in answering to this question) is
> that there *NOT* exists a UE law on privacy, UE has approved a law
> about that but it is not a law in the strict sense. Every state of UE
> has approved its own law about that basing that on the rights
> explained in the UE decisions (yes, I know it is a very difficult
> thing, very difficult to understand).

Well there is a European Directive and it has been adapted in mostly 
every European country. But even countries that did not adapt it yet 
can already apply it directly. So there is a law actually... Following 
this Directive is the best way to comply with national legislations.

> 1) you should inform people when you are gathering personal information
> (note that the law is about personal data only of people, there is no
> protection on data of society, business firm and so on) and who is
> managing the data, in what matter and why and the instruction to use
> their right about their data
> 2) You should give the right to people (and give them instruction on
> how to obtain them) to know what data you hold about them and to
> require them to be deleted on request. (Note that these rights are not
> respected even by public and state organizations with the excuse of
> being in duties of keeping data by some other laws).
> 3) You should inform if data will be kept in the state or if they
> are going to be transited abroad

These are the guidelines of 2002/58/CE. You must inform users and give 
them the right to access/modify/delete the information gathered on them.

> Point 2 could be a little bit problematic. Can we delete some data if
> people request it?

> But the law is difficult to interpret and to understand what does it
> mean. What does personal information really mean?

Personal information means anything that can allow you to identify 
someone, even indirectly. For example, dates of birth and names are 
personal information. But even dates and nicknames or IP are also 
personal information. A database can very well be anonymous and contain 
personal information at the same time.

> It is my opinion (but it is just this) that IP numbers are not
> personal information (since they are just numbers).

IP numbers are personal information because you can cross them with 
other databases in order to identify people.

> But the important and very difficult part to understand is about the
> limit of the law about the geographic position. Are people outside EU
> in the need to respect this law? If someone accesses some personal
> data on a server in EU (or Italy) from a different state is this a
> transfer of personal data? A typical example of data transfer is if
> someone collects personal data in one state (say for example Italy) and
> then sends them to a society abroad to have them statistically analyzed
> or for using them as a mailing list address. In this example the
> collector actively sends the whole of the data abroad. But is
> accessing some data from abroad the same thing or not? If data are
> kept on a server in the same state and someone accesses this server
> from abroad can this be qualified as an abroad transfer or not?

Well data transfer is authorized to the US since an EU decision of 
2000/07/26.

> But a crucial point is if gathering data about access to server is or
> not a personal data (keep in mind that law is about only personal
> data, things such as knowing that the user who accessed the web server
> today is the same as yesterday without knowing who the user is (e.g.
> with a cookie) is *IN MY opinion* not completely qualifying as personal
> data)

Actually cookies are personal information. They are even explicitly 
mentioned by 2002/58/CE at point 25:

"such devices, for instance so-called "cookies", [...] their use should 
be allowed on condition that users are provided with clear and precise 
information in accordance with Directive 95/46/EC about the purposes of 
cookies or similar devices [...]"

> On the other hand I strongly see the need that an editor of a page is
> *STRONGLY* informed that everything he/she sends to the wiki... will
> become immediately visible by every people accessing the page and
> so he/she should do it only if accepting this (in particular, but not
> limited to, personal data). I have found some people (even if I put
> many relevant notes on that) send stories on the Italian wikinews giving
> their personal data (such as real name, mobile phone number and so on)
> acting as they believe that the message will be only visible by the
> "journalist" (like when you send a letter to a newspaper)

sounds good to me... :)

>> I would also like to propose that any person with access to server logs
>> (which include IP addresses), including people with access to the
>> checkuser tool, should sign a legal agreement of some sort with the
>> Wikimedia Foundation concerning non-disclosure of this information.
> The more important part is not about disclosure, but that they act on
> personal data in respect of the people's legal right and use them just
> for the purpose stated in the information given to people.

Exactly, but concluding an agreement about it could help to better 
inform them on this point.

> This European squid server are a particular case. I do not know how
> the legislation will consider it. The log on the squid about the squid
> are surely pertinent to UE, but what about the data that just
> transit on the squid to be delivered to the Florida server? People
> believe that data are just sent to the wikipedia server (well actually I
> do not know where people believe it is)

Actually European law protects European citizens and it does not really 
matter whether the data is collected within or outside Europe, the 
court's decision would simply be difficult to apply abroad, but it would 
get full effect within the EU.

I don't think the foundation would enjoy being banned from the EU...


