Open Letter: Call for a collaborative data protection FAQ

Open Letter: Call for a collaborative data protection FAQ

We call the international data protection and computer engineering community to found a collaborative data protection knowledge database (GDPR FAQ).

Language Versions English French German Italian
Online :gb: open :fr: open :de: open :it: open
PDF :gb: open :fr: open :de: open :it: open

Brussels, the 6 June 2018

Dear Data Protection and IT Professionals,

The EU’s new law General Data Protection Regulation (GDPR for short) applies from 25 May 2018 onwards. It consists of 99 articles and 173 recitals that fill together 88 pages in the official publication. Different than a technical standardisation document, many of those articles must first be interpreted under consideration of case law from past judgements and published opinions of data protection authorities. As a result, even compliance questions for relatively simple applications such as a mailing list cannot be answered without profound study of many legal documents. Complex concepts such as privacy by design and pseudonymisation are the source for many questions yet to be answered.

At the same time, the tech industry has worked for many years on solutions to setup fairly easy personal data processing applications. Thanks to e.g. Google Sheets, Doodle, Mailchimp, or Wordpress, even non-experts can nowadays become data controllers with only few clicks or swipes. The development of peer-to-peer protocols for distributed databases, e.g. Bitcoin, Dat, or IPFS, has the potential to further lower the initial hurdle to become a data controller—up to the point of unconsciousness of the controller.

Lettera aperta: appello per uno spazio collaborativo di FAQ sulla protezione dei dati

Lettera aperta: appello per uno spazio collaborativo di FAQ sulla protezione dei dati

Chiediamo alla comunità internazionale di esperti in materia di privacy e IT di stabilire una base di conoscenze collaborative su Internet per la protezione dei dati (GDPR FAQ).

Versione in lingua Inglese Francese Tedesco Italiano
on-line :gb: aperto :fr: aperto :de: aperto :it: aperto
PDF :gb: aperto :fr: aperto :de: aperto :it: aperto

Bruxelles, 6 giugno 2018

Cari professionisti della protezione dei dati e dell’IT,

Il nuovo Regolamento Generale sulla Protezione dei Dati (in breve RGPD) si applica a decorrere dal 25 maggio 2018. È costituito da 99 articoli e 173 considerando che occupano 88 pagine nella pubblicazione ufficiale. A differenza di un documento di normalizzazione tecnica, molti di questi articoli devono essere prima interpretati alla luce della giurisprudenza già consolidata e dei pareri precedentemente emanati dalle autorità di protezione dei dati. Di conseguenza, persino questioni di conformità per applicazioni relativamente semplici come una mailing list non possono essere risolti senza uno studio approfondito di diversi documenti giuridici. Concetti complessi come la privacy by design e la pseudonimizzazione sono fonte di molte domande a cui si deve ancora rispondere.

Allo stesso tempo, da molti anni nel settore dell’alta tecnologia si lavora a soluzioni agili che permettano la raccolta e il trattamento dei dati personali. Grazie a Google Sheets, Doodle, Mailchimp, o Wordpress, anche i non esperti, oggigiorno, possono diventare responsabili del trattamento di dati personali in pochi clic o passaggi. Lo sviluppo di protocolli peer-to-peer per database modulabili, come Bitcoin, Dat o IPFS, è in grado di ridurre ulteriormente le difficoltà iniziali per diventare responsabile del trattamento di dati, fino ad uno stadio di inconsapevolezza del responsabile.

Offener Brief: Aufruf zur Gründung einer kollaborativen FAQ für Datenschutz

Offener Brief: Aufruf zur Gründung einer kollaborativen FAQ für Datenschutz

Wir rufen die internationale Gemeinschaft der Datenschutz- und IT-Experten zur Gründung einer kollaborativen Internet-Wissensdatenbank zum Thema Datenschutz auf (GDPR FAQ/DSGVO FAQ).

Sprachversionen Englisch Französisch Deutsch Italienisch
Online :gb: öffnen :fr: öffnen :de: öffnen :it: öffnen
PDF :gb: öffnen :fr: öffnen :de: öffnen :it: öffnen

Brüssel, den 6. Juni 2018

Sehr geehrte Datenschutz- und IT-Expert_innen,

Die neue EU-Datenschutz-Grundverordnung (DSGVO) gilt ab dem 25. Mai 2018. Sie besteht aus 99 Artikeln und 173 Erwägungsgründen und umfasst 88 Seiten in der amtlichen Fassung. Anders als technische Normen ist die DSGVO ein Gesetz und wird von der Rechtsprechung und den Rechtsanwender, allen voran den Datenschutzbehörden, durch Urteile bzw. Stellungnahmen ausgelegt. Dadurch können auch Fragen zu simplen Anwendungen wie Mailinglisten nicht ohne gründliches Studium vieler Rechtsdokumente beantwortet werden. Komplexe Konzepte wie Privacy by Design oder Pseudonymisierung sind erst recht Quelle vieler Fragen, die es zu beantworten gilt.

Gleichzeitig arbeiten Technologiefirmen schon seit Jahren an Lösungen, um die Verarbeitung von persönlichen Daten relativ einfach zu gestalten. Dank Google Sheets, Doodle, Mailchimp oder Wordpress können heutzutage auch Nicht-Experten mit wenigen Klicks zu Verantwortlichen im Sinne der DSGVO zu werden. Peer-to-Peer-Protokolle für verteilte Datenbanken, z.B. Bitcoin, Dat oder IPFS könnten die Zugangsbarrieren weiter abbauen—bis hin zur Unmerklichkeit der Verarbeitung seitens der Verantwortliche.

First Gem: jekyll-onebox

I published my first Ruby gem. The Liquid tag jekyll-onebox allows to display HTML previews (embeds) for links to popular websites.

Initially, I wanted to blog about my travels. In the end, I refactored old code on my computer to publish eventually my first Ruby gem in the official repo at RubyGems. Welcome now jekyll-onebox on Github and RubyGems! :tada: :clap:

So if you use Jekyll for blogging, you can install this plugin and add HTML previews for links to popular websites very easily.

Security Issues due to bad Mail Practices: The LyonMUN case

So many associations use GMail for their general communication with members. Often, this comprises the sending of newsletters. Recently, the organisers of the UN politics simulation MUN LyonMUN leaked this way by accident a large number of participants mail addresses (mine as well). I decided to raise awareness of the security risks by a little experiment and also to test the reaction of the organisers.


On Friday 0:251, I received a mail from the organisers of this year’s [Model United Nations] (MUN) conference in Lyon called LyonMUN. The mail has been sent from to 222 people, that either participated in earlier editions in the conference or already signed up for this year’s edition. Purpose of the mailing: promote the upcoming edition and urge people to pay the conference fees.

The problems in here are:

  • The sender mail address is difficult to verify (I come back to this later).
  • All 222 people have now the mail addresses of all others. That means, many personal mail addresses have been assumably accidentally leaked by the organisers.

Due to the way mail works, you cannot undo a mail once it has been sent. The only possible measures are to inform the data subjects in a transparent manner on the incident and potential security implications and to take precautions to prevent future incidents.

I made a bad experience when I made during the last year’s edition LyonMUN 2016 in the role of a participant the remark that one aspect of their conference may intimidate the participants: They offered to allow sending anonymously roses to individual participants with a message read out loud by the organisers in front of the assembly without prior consent of the receiver. I thought this may open doors to potential bullying. The then president of LyonMUN Mélanie Villar and now secretary general just made a IMHO snide remark and that’s all what happened. I was certainly a bit disappointed and expected a debate taking into account that promoting debating is one of the purposes of MUN associations and events.

For that reason, I though of a more creative approach to initiate a discourse. It is not like security in the internet is not a topic for LyonMUN. On their website, the press team posted not even 2 weeks ago an article concerning cyber defence. Unfortunately, LyonMUN has apparently not adopted adequate measures on their own. Let’s see what happened!

  1. Maybe the sender was tired after working past midnight and less attentive of what s/he is doing. ↩︎