Chocobozzz / PeerTube

ActivityPub-federated video streaming platform using P2P directly in your web browser
https://joinpeertube.org/
GNU Affero General Public License v3.0
12.75k stars, 1.46k forks

Be GDPR compliant #226

Closed. bnjbvr closed this issue 4 months ago.

bnjbvr commented 6 years ago

Hi! Just a quick reminder (since we're talking about it right now with the Framasoft non-profit): this project should be GDPR compliant by design, so that it doesn't get too painful later to adapt to the regulation.

It's rather a meta-list of features, so maybe it's not very useful to keep as an issue here and you'd like to store it somewhere else, which would be fine.

I don't know all the specifics, but things that come to mind:

Feel free to update this list or comment if other things come to mind.

SoniEx2 commented 6 years ago

I like the idea of FOSS and P2P because legally mandated ageism is inherently incompatible with it.

You can always just make your own instance, or in the case of P2P you don't have to do anything and it just works.

If instances want to help raise hackers who just go around stuff, they can implement the age checks themselves. (Or is the goal to do that? I can't tell, tbh.)

Dragnucs commented 6 years ago

@SoniEx2 How can I put it? Compliance with regulations like the GDPR is about the entity running the server being compliant, not about whether the restrictions or features could be circumvented. If anybody doesn't like the situation, or the regulation does not apply to them, they are free to run their own server or find one that does what they want.

Chocobozzz commented 6 years ago

allow to migrate a user account from one Peertube instance to the other

I'm not sure this is required by the GDPR. I think we just need to provide an "export" feature, so users can download all their data.

allow to hide specific content from the video search system (maybe it's already there?)

Instance administrators choose if they want to hide NSFW videos by default or not. Then, users can override this behaviour. So I think this is okay.

skid9000 commented 6 years ago

allow to migrate a user account from one Peertube instance to the other

The problem is that an option like this could let people use the servers' bandwidth to DoS other instances if you abuse it :/ An export feature is better for that case; you can always reupload your videos to another instance anyway.

make sure users are at least 16 years old before they sign up

A popup in the sign-up process should suffice. Asking for the birth date would just be more data to deal with, and privacy-wise that's not a good idea...

Booteille commented 6 years ago

The problem is that an option like this could let people use the servers' bandwidth to DoS other instances if you abuse it :/ An export feature is better for that case; you can always reupload your videos to another instance anyway.

Couldn't we just create a timer between each user migration? ("You're not able to migrate your account again until next week.")

bnjbvr commented 6 years ago

allow to hide specific content from the video search system (maybe it's already there?)

Instance administrators choose if they want to hide NSFW videos by default or not. Then, users can override this behaviour. So I think this is okay.

I wasn't referring to this, but rather to the "right to be forgotten": if a video includes specific content about one person who wants it to be deleted or hidden from search results, there should be a mechanism to do so.

rkyleg commented 6 years ago

@bnjbvr The ability to delete one's data in a decentralized (or blockchain-based) environment is one of the features these new companies most often miss when trying to solve the centralization problem. This feature is crucial to privacy (and to the real meaning of "you control your data"), in my opinion.

ghost commented 6 years ago

We can learn from the experience of other decentralized projects; one such example is Riot (decentralized, secure IM): https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix/

FirePowi commented 5 years ago

I guess we also need to be able to send an email to every user on a terms update, am I right?

aeris commented 4 years ago

allow to migrate a user account from one Peertube instance to the other

This is highly overkill for strictly-speaking GDPR compliance. You only need to provide a way for a user to download all their content. There is no formal need for it to be fully importable on the other side. But if you could do this, it's perfect!!!

explicitly tell what data (login, password, etc.) is stored about the users

You also have to explain why you need such data. Collection is not the sole part of the GDPR; purpose is also critical.

make sure users agree to the terms of the instance upon signup (#659)

Do you mean a generic PeerTube ToS, or is it possible for an instance to override such a default ToS? (I will look at the standard ToS to catch anything non-compliant in it.)

allow to remove all the data associated to a specific user (videos, comments, etc.) easily (and make sure removal notices are emitted to federated servers)

You also need a tool to search for a user's data storage and usage (by IP or email, for example) to be able to respond to a data access request, before any removal.

nils-van-zuijlen commented 4 years ago

You also need a tool to search for a user's data storage and usage (by IP or email, for example) to be able to respond to a data access request, before any removal.

The problem with IP is that IPv4 addresses are often dynamic.

aeris commented 4 years ago

The problem with IP is that IPv4 addresses are often dynamic.

Yep, of course. From a GDPR point of view, I personally consider that a data access request based on an IP alone must not be answered, because you risk providing PII to a person not related to that PII. But if the data access request provides other PII too (an email, a cookie, a device ID...), you can fetch the related IPs.
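The rule aeris describes above (never answer an access request keyed on an IP alone; once the subject is identified by a stable identifier, the IPs tied to that subject may be returned) can be turned into a small lookup routine. The following is an added example written for this page, not PeerTube's own code: the log format, the account emails and the IP addresses are all constructed sample data, and `dsarLookup` and `subjectsSharingIp` are hypothetical helper names.

```typescript
// Added example (not PeerTube code): a data-subject-access-request (DSAR)
// lookup that never keys on an IP address alone, because a shared or dynamic
// IP can belong to several different people.

type LogEntry = { email: string; ip: string; at: string; action: string };

// Constructed sample log: 203.0.113.7 is a dynamic/shared address that two
// different users happened to use on different days.
const ACCESS_LOG: LogEntry[] = [
  { email: "alice@example.org", ip: "203.0.113.7",  at: "2024-01-03T10:00:00Z", action: "login" },
  { email: "bob@example.org",   ip: "203.0.113.7",  at: "2024-01-04T10:00:00Z", action: "upload" },
  { email: "alice@example.org", ip: "198.51.100.9", at: "2024-01-05T10:00:00Z", action: "comment" },
];

type DsarQuery = { email?: string; ip?: string };
type DsarResult =
  | { ok: true; entries: LogEntry[]; ips: string[] }
  | { ok: false; reason: string };

// Number of distinct subjects that used a given IP in the log. Anything above
// 1 is exactly the case where answering an IP-only request would hand one
// person's records to another.
function subjectsSharingIp(ip: string, log: LogEntry[] = ACCESS_LOG): number {
  return new Set(log.filter((e) => e.ip === ip).map((e) => e.email)).size;
}

// The request must carry an identifier that belongs to exactly one subject
// (here: the verified account email). An IP may then narrow that subject's
// own entries, but never selects entries by itself.
function dsarLookup(query: DsarQuery, log: LogEntry[] = ACCESS_LOG): DsarResult {
  const email = query.email?.trim().toLowerCase();
  if (!email) {
    return { ok: false, reason: "refused: an IP address alone does not identify a data subject" };
  }
  let entries = log.filter((e) => e.email === email);
  if (query.ip) {
    const ip = query.ip;
    entries = entries.filter((e) => e.ip === ip);
  }
  // Distinct IPs seen for this subject, in log order: these can be disclosed
  // because the subject has already been identified by their email.
  const ips = Array.from(new Set(entries.map((e) => e.ip)));
  return { ok: true, entries, ips };
}
```

With the sample log, `dsarLookup({ ip: "203.0.113.7" })` is refused, while `dsarLookup({ email: "alice@example.org" })` returns Alice's two entries and both of her IPs; `subjectsSharingIp("203.0.113.7")` is 2, which is why the IP-only path has to be refused rather than merely rate-limited. In a real instance the email would come from an authenticated session or a verified request, not from an unauthenticated form field.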

frankenstein91 commented 3 years ago

What about the imprint?

svenzimmermann commented 3 years ago

These are very good and important considerations. These functions would be very important in the EU.

In addition: in order to legitimize the IP transfer for P2P, an opt-in is mandatory under the GDPR, like the GDPR cookie banner. If the user actively agrees after reading, P2P is not a problem, but it has to be voluntary, and if the user does not consent, P2P must remain deactivated.

I assume that 95% of users consent anyway. For the project this would not be a problem, but even better, as everything would be completely transparent and voluntary. Something like a strict privacy switch would also be conceivable, to deactivate such a function for less strict data protection requirements.

Martinligabue commented 1 year ago

Is PeerTube now GDPR compliant, and if not, should it be blocking access in the EU?

ROBERT-MCDOWELL commented 1 year ago

@Martinligabue The GDPR has no legal value, as the EU never represented European countries.... It's up to you to obey or not.

Chocobozzz commented 1 year ago

Hello,

I think we can consider PeerTube GDPR compliant (even if we're not 100% sure, as we aren't lawyers) if its administrators correctly fill in their terms and provide information about what data is stored on their instance. They may also have to disable P2P, but again we're not sure whether the P2P part of PeerTube is GDPR compliant or not.

We still leave this issue open as we would like to help administrators import/export user data, and to help them fill in the "explicitly tell what data (login, password, etc.) is stored about the users" part.

Chocobozzz commented 4 months ago

Hi,

We consider PeerTube 6.1 GDPR compatible now that we release an export feature available to users.

We also added a privacy guide at https://docs.joinpeertube.org/admin/privacy-guide to help admins correctly fill in their Terms section.

Do not hesitate to comment on this issue, even if it's closed if you notice missing information :)