LEGAL: transparency about data processing / GDPR

[rriemann]

Dear all,

organisations with an audience in the European economic area (EEA, includes EU) need to be very transparent with respect to the personal data that they process. They must also explain their legal basis to process personal data. The legal basis depends on the use case. A school, a university, an NGO may employ different legal bases.

Hence, I suggest that

1. We rewrite the section "P2P & Privacy" at https://peertube-domain/about/peertube#privacy to
   • focus on a technical description on how P2P works
   • display here again if P2P is enabled and invite users to review the setting
   • avoid language such as "worst-case scenario", "threats", "spy" as it does not inspire trust amongst the users
   • remove the discussion on third-party practices (Google/Youtube): While the comparison to Youtube may be OK in the context of NGOs, it is a bit different for the public sector or corporates who may feel uncomfortable to criticise Google through a standard text inside the Peertube about pages
2. We create a new custom text block similar to the terms called "privacy" or "data protection notice" where admins can explain all the relevant legal expects. Possibly, the current P2P setting should also be displayed here again.
3. The privacy text should be linked on each page for compliance in the EEA/EU. I suggest to add a tiny link to the bottom of the side.
4. It is good practice to keep the terms and data protection notice concise and short. However, some instances need to inform the peertube users about all their data protection rights and relevant supervisory authorities. This requires more space. So I suggest to place the custom text boxes terms and privacy in a new tab on the about page. This new tab could be called "legal" or "Terms and Data Protection" or "Terms and Privacy". Both terms and privacy should support markdown headlines (#, ##, etc.) so that the text can be structured better and provide the reader with some orientation.

[alvar-freude]

Dear all,

I support this and could help with the creation of such a text.

[rriemann]

GDPR Art. 12(1) is relevant in this context:

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. [my emphasis]

Link: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

The EDPB (former Working Party 29) also has guidelines on this:

The “easily accessible” element means that the data subject should not have to seek out the information; it should be immediately apparent to them where and how this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it or as an answer to a natural language question (for example in an online layered privacy statement/ notice, in FAQs, by way of contextual pop-ups which activate when a data subject fills in an online form, or in an interactive digital context through a chatbot interface, etc. […]

Source: paragraph 11 https://ec.europa.eu/newsroom/article29/redirection/document/51025

I conclude:

• Having a distinct link to the privacy/data protection notice makes the information more "easily accessible".
• headlines in the terms or privacy/data protection notice also makes the information more intelligable and accessible.