XMPP Service Operators - 2020-11-03


  1. alacer

    TMakarios: As a Service Operator can't you mention the applicable law in your TOS and applicable law should be the place you are operating (as a service provider) from n then from where the service is being provided. So a Bhutan user should not enforce Bhutan law on you else you can have Australian, Japanese etc Users. I am not a legal expert...

  2. TMakarios

    alacer: So far, I'm just providing service to close friends and family, so I have no TOS. I'm just curious about what legal principle (if any) the EU believes it can use to impose GDPR on the rest of the world. Hence the reductio ad absurdum with Bhutan.

  3. Ellenor Malik

    kwak

  4. alacer

    TMakarios: Well I am not a legal expert but GDPR compliance is complex... Maybe ask specifically for GDPR in this room.. then what about US, Canada like 5 eyes and relevant compliances... as your services are not professional nature but for GDPR you may need a node in EU... well ask ppl here...

  5. millesimus

    I don't quite remember the name of the legal principle but it's basically: you offer services in / for customers in the European Union, you must adhere to our rules.

  6. tom

    Or what

  7. tom

    Digital hexing over the net to make all breakfasts you touch magically turn into beans on toast until compliance is achieved?

  8. millesimus

    It starts with a fine and escalates from there, I suppose.

  9. millesimus

    > I don't quite remember the name of the legal principle but it's basically: you offer services in / for customers in the European Union, you must adhere to our rules.

    So TMakarios should basically be fine until users start to communicate with European users via federation.

  10. Licaon_Kter

    millesimus: not federation, until EU users have accounts on that server

  11. millesimus

    Licaon_Kter: As soon as servers communicate and exchange personal data like JIDs or message contents etc. you are processing that data in the GDPR sense.

  12. Licaon_Kter

    But other rules apply, iirc

  13. TMakarios

    > millesimus wrote:
    > I don't quite remember the name of the legal principle but it's basically: you offer services in / for customers in the European Union, you must adhere to our rules.

    So could the King of Thailand say the same thing, and prevent anyone on European XMPP servers from criticizing him?

  14. TMakarios

    (Thailand has a lèse-majesté law.)

  15. millesimus

    > So could the King of Thailand say the same thing, and prevent anyone on European XMPP servers from criticizing him?

    What's this about, TMakarios? Do you want answers / advice or do you just want to rant? ;)

  16. millesimus

    > But other rules apply, iirc

    There will surely be some special rule sets (like privacy shield, lol). I understood the question to be more about the general applicability of the law and how it could be enforced.

  17. Licaon_Kter

    TMakarios: in theory that's what the new/old upload filters law they want to push these days in the EU tries to say, if Thailand says "this meme is terrorism" you gotta take it down in one hour, 24/7

  18. TMakarios

    millesimus: I'm genuinely curious about what reasoning the EU uses to justify its apparently unilateral claim of extraterritorial jurisdiction. I'm willing to discuss this somewhere where it's more on-topic, such as xmpp:politics@chat.disroot.org?join

  19. TMakarios

    Licaon_Kter: That's...interesting. I guess it shows some bullet-biting consistency, at least.

  20. Ge0rG

    TMakarios: it's not extraterritorial because it affects European users.

  21. Ge0rG

    TMakarios: it might be hard to enforce, but it's a valid approach in a globalized world. Also as a citizen of the EU, I'm very much glad about strong privacy protection, even if I had to invest some days into writing a proper privacy policy for xmpp

  22. jonas’

    remember that privacy is, in the first place, not a law against the service operator, but a fundamental right of the data subject

  23. jonas’

    hence the jurisdiction of the data subject is what should and does matter, not the jurisdiction of the service provider

  24. TMakarios

    Ge0rG, jonas’: But it purports to constrain the behaviour of people and servers outside the EU, not the behaviour of their EU users. Seems pretty extraterritorial to me.

  25. Ge0rG

    TMakarios: well, you are also not allowed to fire intercontinental ballistic missiles onto the EU, as it would affect its citizens.

  26. jonas’

    yupp

  27. jonas’

    you’re also not allowed to mail anthrax

  28. TMakarios

    If it prohibited EU citizens from _using_ services without adequate GDPR policies and practices, and punished those citizens who used the services in violation of the law, I wouldn't think it so strange, at least from the point of view of the claim of jurisdiction.

  29. jonas’

    so you’d punish those receiving the anthrax letters instead of those sending them?

  30. Ge0rG

    you are also seeing US companies trying to enforce the DMCA and other useless monopoly laws all over the world.

  31. jonas’

    that sounds weird

  32. Ge0rG

    TMakarios: you could prohibit EU users from using your service.

  33. Ge0rG

    some american news outlets replaced their whole ad-ridden clickbait with a GDPR tombstone page.

  34. Ge0rG

    I'm not even sad about it

  35. TMakarios

    As for cross-border acts of murder, I'm pretty sure those would violate my _local_ laws, possibly with some matters determined by treaties that _explicitly_ grant limited extraterritorial jurisdiction.

  36. jonas’

    I’m also fairly certain that you’re not allowed to sell, for example, $drug prohibited in the EU even if it is allowed to be sold in your country.

  37. TMakarios

    Yeah, the US is also prone to unilateral claims of extraterritorial jurisdiction, and I'm not a fan of it there, either.

  38. TMakarios

    Prone to _making_ such claims, I mean.

  39. TMakarios

    > jonas’ wrote:
    > remember that privacy is, in the first place, not a law against the service operator, but a fundamental right of the data subject

    According to Wikipedia, in New Zealand,

    > Privacy tends to hold the status of a value or an interest, rather than a right.

  40. Ge0rG

    TMakarios: well, in Germany it's a fundamental human right, so as a German citizen, I can demand its enforcement everywhere my data goes ;)

  41. TMakarios

    Am I right in thinking this includes the so-called "right to be forgotten"?

  42. Ge0rG

    TMakarios: it does

  43. Ge0rG

    OTOH, no, the right to be forgotten is not explicitly worded in that fundamental human right, but the GDPR has a requirement to delete data on demand

  45. TMakarios

    Has this resulted in people using the law to effectively censor criticism of themselves? Or does the law try to prevent such censorship somehow?

  46. Ge0rG

    TMakarios: there is a trade-off between that right and the right of the public to be informed

  47. Ge0rG

    generally, the right to be forgotten is applied in very limited ways to politicians and VIPs

  48. TMakarios

    Doesn't sound like a very "fundamental" right if tradeoffs are involved.

  49. Ge0rG

    TMakarios: see my correction above

  50. Ge0rG

    https://en.wikipedia.org/wiki/Right_to_be_forgotten#Germany is some interesting read

  51. jonas’

    TMakarios, and yes, human rights also have tradeoffs. hence why they are ordered

  52. TMakarios

    Does GDPR not involve the same tradeoff? I mean, if it requires you not to store embarrassing messages people send in public chats like this, you can no longer inform the public about what they said.

  53. Ge0rG

    TMakarios: I think that by explicitly making your data public in a public forum you will be subject to different rules than just the GDPR

  54. TMakarios

    I should probably try sleeping now. I've probably got a long afternoon and evening of morbid curiosity about a certain election tomorrow.

  55. Ge0rG

    just don't go out after election day. The lead concentration in the air might be too high.

  56. Ge0rG

    TMakarios: https://law.stackexchange.com/a/31028/17202 is a nice explanation of article 17 trade-offs in the context of private messages, but those apply equally for public ones, I'd say.

  57. tom

    » <tom> Digital hexing over the net to make all breakfasts you touch magically turn into beans on toast until compliance is achieved?
    » <millesimus> It starts with a fine and escalates from there, I suppose.

    But if I don't live in the EU, how are they going to collect that fine?

  58. millesimus

    > But if I don't live in the EU, how are they going to collect that fine?

    tom: They send you a demand and they either have a contract with your government to mutually collect and enforce such fines or you will have a hard time entering the EU, eventually.