On Sun, May 27, 2018 at 11:32 PM, David Gerard <dgerard(a)gmail.com> wrote:
I'm a big fan of the GDPR and why it had to be
created. (I'm doing a lot of
the bureaucratic work on the tech side at the day job and am getting very
used to thinking of ways something could constitute Personally Identifying
Information.)
But I'm wondering how we'll approach it for the Wikimedia sites. Not just
the log data - but the content.
We already have problems with Right To Be Forgotten, and well-cited content
being removed from the search engines.
What do we have in place to deal with this when - not if - we get GDPR
requests to remove information about a person from the site?
I don't mean just the letter of the law, in the EU or the US - I mean also,
how we can handle this *right*. Because there are multiple competing
legitimate interests here, and the editing communities tend to take a lot
more care than they're strictly required to by law, because we are here to
get things right. (This is why our DMCA numbers are ridiculously low for a
top 10 site, for example.)
In general Wikipedia falls under the journalistic exemption
("publication of ideas, information or opinions"), which means many
rules from the GDPR are dropped. Mostly what remains is just that a
weighing has to be done between the subject's privacy interest and
Wikipedia's own reporting interest. Even the possibility to object to
that decision is dropped in this case, so if, as I assume will happen,
such a request is taken as a reason to re-evaluate that decision, we
are already going beyond the minimum of what the law requires.
--
André Engels, andreengels(a)gmail.com