Skip to Main Content
ApacheCon 2021 Coming Soon! The Apache Software Foundation
Apache 20th Anniversary Logo

Community-led development "The Apache Way"

Apache Support Logo

This was extracted (@ 2021-06-16 22:10) from a list of minutes which have been approved by the Board.

Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

Meeting times vary, the exact schedule is available to ASF Members and Officers, search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).

Data Privacy

19 May 2021

There were no issues requiring board attention so far.


VP Privacy will maintain this directory for now:
It will contain recent requests, TODOs, DPAs and general discussions.
"User requests" should be privacy-committee only.

A basic website was created here which will contain FAQ and policies:

Interesting items:

- one data removal request (Jira) was done without problems
- one data removal requests was denied since the request did not look legit
- discussion about ICLA and how to store it took place, no conclusion so far

Next action items:

- collect more DPAs
- discourage Google Analytics
- Update privacy terms on the main website

21 Apr 2021

A report was expected, but not received

17 Mar 2021

A report was expected, but not received

17 Feb 2021

A report was expected, but not received

20 Jan 2021

A report was expected, but not received

16 Dec 2020

A report was expected, but not received

18 Nov 2020

A report was expected, but not received

21 Oct 2020

A report was expected, but not received

16 Sep 2020

A report was expected, but not received

19 Aug 2020

A report was expected, but not received

15 Jul 2020

A report was expected, but not received

17 Jun 2020

A report was expected, but not received

20 May 2020

Dirk has been recruited as a Special Adviser to the Dutch and EC with regard
to architecture, privacy, anonymity and what not around the Corona response
effort. Including the public oriented app. So, he won't have any available
time for the ASF over the next 3 to 5 weeks.

Christian Grobmeier has volunteered the following report for the privacy

So far, we have one missing report and also one open privacy incident (basic
request from deleting user data from the OOo forums). The incident has not
been responded so far.

I have asked on feedback of how I'd handle this request, but no response. I am
not happy with performing any actions without approval.

Does the board have any input/ideas/suggestions here?

15 Apr 2020

Apologies for a late report - Corona related things took over.

No substancial process on the organisational side.

Few RQ related things got processed in time, commmunicated timely to
requestor, etc. Currently no tickets open that require action or have
deadlines. One ticket 'dead' where the requestors email ceased to work (and it
may have been a fluff/experimental/vigiliante style request).

18 Mar 2020

Operational: First genuine GDPR request (removal) handled; but actual
governance & long term recording not yet sorted properly (e.g. making sure
that the details of this request are automatically purged when they hit
delaware record law limits, etc).

Strategic: Not made as much progress as I wanted - largely due to the chair
(personally) being swamped & not enough delegation.  The latter should become
unstuck as we start creating deliverables.

Next: Define these deliverables/plan; find 3-6 volunteers for the operational
part & write down SOPs; talk to infra to figure out what is practically
possible around retention.

19 Feb 2020

My personal take is that there are now enough people on the list (-and- the 12
`sample' cases discussed sofar seem to all have headed for sufficient
consensus) that it is fair to now draft what should be our GDPR stance from
which we can derive a guideline and policy. And with that concept not coming
as a surprise.

We have about 6 more legal/complex points for expects sofar (such as to what
extent can you push things back for `self service' to the complainant). These
may require legal attention at some point.

Actual GDPR and similar requests: two in flight; neither contentious. Tracked
in JIRA.

15 Jan 2020

Progress: Work rekindled.

- Call for any interested members gone out to subscribe to privacy@; people
 moderated through.

- General approach mail gone out & slowly posting a list of around 20 example
 cases (most collected over the past 12 months).

- Speaking to pro-bono and specialist (but paid) legal folks to get the lay of
 the land (Delaware, but wanting to do this right in CA, EU and UK - despite
 conflicting rules).

- Dealing with one 'want to be forgotten' request; next step here is to get a
 private JIRA set up - or postpone & keep this in a president private SVN
 repo for now.

Problems: None yet

Plan: Go through a set of examples to derive what we value as a community and
then work top down again. Establish a private JIRA or similar. Establish a
private channel to operations. Figure out if some of our existing (iCLA filing
services) can be subverted to also handle the mechanical aspect of things and
what they need (beyond a runbook).

18 Dec 2019 [John Kinsella / Shane]

Having been unable to devote enough time to the role John Kinsella has
indicated privately that he wishes to stand down. Given the need for action to
unblock operational risks a proposal to move the VP role to the President has
been added to the agenda as item 7B. Dirk-Willem van Gulik has agreed to
volunteer. (danny@)

20 Nov 2019

A report was expected, but not received

16 Oct 2019 [John Kinsella / Shane]

(Apologies for delay in getting this report in. Setting reminder to go off a
 little earlier next month)

October was quieter than intended - got initial wiki page and call for
volunteers out. Intention is doing a "soft launch" to members@, then after a
week or two of hopefully wise Member feedback, opening volunteer call to wider

Outside, engaging with privacy/legal contacts with hope of getting them to
contribute in some manner, as well.

As requested in last month's (good) feedback, will list goals for the coming
months for the next quarter or so as momentum is established.

October Goals
* Grow privacy-discuss subscribers
* Gather feedback on initial topics/priorities for Data Privacy to address
* Build out wiki with assistance from others - I can write this, but intent is
  to get community to contribute.

Stats for September 2019:
* 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
* 0 closed issues
* Next report will start to report on subscription/discussion stats.

18 Sep 2019 [John Kinsella / Ted]

After too long a period of silence (emailed last report April 2019[1] - just
noticed it doesn’t seem to have made it to whimsy), renewing push to get Data
Privacy up and running.

Structure for data-privacy has been set up - mailing lists[2][3], jira
group[4], and wiki[5] created.

Since last board report, have talked with others with previous
experience/thoughts on ASF data privacy topics. Short-term goal is to start
outlining topics to address and areas of help needed on the wiki, then send
call for volunteers to members@a.o.

Goal right now is to start to get volunteers involved, come up with list of
priorities, and start being more useful to requests from projects.

I've been reviewing report formats from others, will be adding a bit more
structure to this in coming months, along with several calendar reminders.
Also planning a chat room for more interactive and regularly scheduled
discussions to continue to drive movement.

Stats for August, 2019:
 * 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
 * 0 closed issues

2: - 1 person has already organically found and subscribed.

21 Aug 2019 [John Kinsella / Joan]

There has been no report from the VP.

Activity: I have kicked off call for volunteers on board@ and reached out to
incumbent VP today 21-Aug

Next steps: Engage volunteers and agree definition of done, define next
steps/mechanism to clarify the role, report back to the board.


17 Jul 2019

A report was expected, but not received

19 Jun 2019

A report was expected, but not received

15 May 2019 [John Kinsella / Roman]

Working on setting up structure for data-privacy. Modified
personnel-duties/vp-data-privacy.txt, will update further once mailing lists
are set up. Stalled on setting up mailing lists as I was going to start
conversation on legal ML first, but just going to create lists and run with

Working on syncing up with others who have worked on data-privacy matters over
the last year and talked to counsel. Once that's accomplished, will stat work
to review data privacy policy and engage with projects looking for assistance.

Stats for April, 2019:
 * 2 open Jira tickets
 * 0 closed issues

17 Apr 2019

A report was expected, but not received

20 Mar 2019

A report was expected, but not received

20 Feb 2019

A report was expected, but not received

16 Jan 2019

A report was expected, but not received

19 Dec 2018

A report was expected, but not received

21 Nov 2018 [Chris Mattmann / Shane]

The RFC period is underway for our draft privacy policy. Several members and
VP infrastructure have weighed in. I will continue to collect feedback through
the CY, and publish the draft in Jan 2019 with whatever feedback and comments
received by then. Keep them coming.

17 Oct 2018 [Chris Mattmann / Rich]

This month we will send an RFC to the board and legal on our updates to the
ASF data privacy policy that VPs Infrastructure and Privacy worked on. The
draft is currently in GDocs and we should move it to a draft ASF page on the
web site.

19 Sep 2018 [Chris Mattmann / Isabel]

Nothing much to report this month other than still working on the Privacy
Draft. For those interested, contact myself or VP, Infra to see a draft.

15 Aug 2018 [Chris Mattmann / Phil]

VP, Infra, VP, Data Privacy & Legal, and our counsel had a telecon on 7/19 and
discussed ASF strategy with respect to the EU's General Data Protection
Regulation (GDPR).

We have decided to continue with our updates to the infrastructure
team's mail archival policy and our policy and procedures for how we deal
with removal requests. The policy updates are currently under review by
Legal, and Data Privacy and we expect to publish them in the next month.

We have received a few GDPR requests, with only one current request being
actively worked, and few queued as far as I can tell (less than 5).