GDPR/sender-ip (was: make received-header on submission optional or at least drop the ip in it)

Sam Kuper sampablokuper at posteo.net
Fri Jan 7 13:01:09 UTC 2022


On Wed, Jan 05, 2022 at 07:00:19PM +0100, John Fawcett wrote:
> On 05/01/2022 18:36, Sam Kuper wrote:
>> On Wed, Jan 05, 2022 at 06:00:31PM +0100, John Fawcett wrote:
>>> my understanding of the GDPR legislation is that it defines what is
>>> considered lawful processing. One of those items that makes the
>>> processing lawful is consent.
>>
>> Not necessarily.
>>
>> An action that would not be lawful without consent is not
>> automatically made lawful with consent, including under GDPR.
>
> Correct, there could be other reasons that make processing unlawful.

Indeed.


> However, GDPR will allow processing if the data subject consents [..]

Not necessarily.  The consent must meet four tests before it is valid
for GDPR purposes.  It must be:

-   freely given,

-   specific,

-   informed, and

-   unambiguous.

See https://gdpr.eu/gdpr-consent-requirements/



>>> If I send an email to a public mailing list I think it's fair to say
>>> that I am providing consent.
>>
>> Again, not necessarily.
>>
>> First of all, consent cannot necessarily be assumed.
>
> Correct that it cannot necessarily be assumed.  But in this case I
> think it would be fair to assume it when someone sends an email to a
> public mailing list that consent has been given.  I cannot see how
> having sent an email to a public mailing list I can then object to
> people processing it.  [..]

You say you cannot see it, but I gave an example below, in my previous
email:


>> Secondly, a person sending an email to a mailing list might very well
>> consent for the mailing list's recipients to receive the content,
>> subject, and reply address of that email - but *not* the IP address
>> from which it was sent.
>
> Correct. That is why I mentioned as an alternative "request that your
> users consent to the processing of the data".

The IP address is a different kind of datum to the content, subject, and
reply address.

For instance:

-   The IP address is likely to allow the user's location (city or
    region) to be inferred, in a manner typically outside the user's
    control.  As such, disseminating the IP address unnecessarily would
    reduce the user's privacy.

-   The sender of an email is likely to be aware of the content,
    subject, and sender address of an email that they send, because MUA
    UIs typically make this clear.  But many (most?) email users don't
    know what IP addresses are or what can be inferred from them, and so
    *cannot* (without being provided with a clear explanation) give
    informed consent about divulging their IP addresses unnecessarily.


So, unless a service provider obtains user consents meeting the four
tests above, in respect of *each kind* of datum they intend to process,
then the service provider would on the face of it be in breach of the
GDPR in respect of that kind of datum.

In particular, the "freely given" consent means that provision of a
service, etc, should not be contingent upon consent.  I.e. if it is not
*necessary* (which it isn't, by definition) for some kind of datum (e.g.
users' IP addresses) to be disseminated more widely than necessary, then
a service provider cannot validly under the GDPR require a user to
consent to such dissemination in order to receive the service.  Such
contingency would render the consent not freely given.

Sam

-- 
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.


More information about the dovecot mailing list