This was extracted (@ 2024-08-21 21:10) from a list of minutes
which have been approved by the Board.
Please Note
The Board typically approves the minutes of the previous meeting at the
beginning of every Board meeting; therefore, the list below does not
normally contain details from the minutes of the most recent Board meeting.
WARNING: these pages may omit some original contents of the minutes.
Meeting times vary, the exact schedule is available to ASF Members and Officers, search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).
# General

There are no issues that need urgent attention.

Currently, 51 tracking codes were requested (+0). 11 Matomo sites don't receive traffic at this point (not yet implemented).

A question about using "Kapa AI" was raised and addressed on the mailing list.

As the ASF, we are responsible for all websites and services we use and provide to our users. This includes tools such as Kapa AI embedded in our websites. If a project’s website uses this tool, we are accountable for ensuring data privacy compliance.

According to my recent assessments, Kapa AI does not support the GDPR. The company does not provide a Data Processing Agreement (DPA). In addition, it also embeds additional tools such as Google Analytics. "Data removal", as required by various privacy frameworks such as the GDPR or the CCPA, is limited to minors. Even then, the privacy terms remain vague.

Even if Kapa AI would provide a DPA, we would only be able to sign it when the ASF is convinced that the provider is trustworthy enough to comply. This is generally true for all services we use and is problematic in the GDPR. Extra caution is advised regarding AI services since it is usually unclear how user data is used and processed.

At this time, I cannot recommend the use of Kapa AI on our websites. If there is an urgent necessity to use Kapa AI, website maintainers must obtain user consent before loading the tool. This is very similar to embedding YouTube videos as described in the FAQ: https://privacy.apache.org/faq/committers.html

A follow-up question asked whether one can use Kapa AI outside the project's website. Generally, the ASF is only responsible for its channels. This includes our websites and services that pay for and operate on our behalf. All websites, tools (such as Discord) or similar which are run and operated by enthusiasts outside the control of the ASF are the operator's responsibility. Very similar to trademark policies, it is advised that all services operated by third parties are easily identified as not being part of the ASF.

# Open tasks

- Create a list of WordPress sites
- Create a list of domains that are allowed to connect because a DPA is covering it (improved Whimsy support)
- Better documentation about DPAs
- Add "canned responses" and instructions on how to run the privacy office to the website
- Investigate TAC for data privacy and develop a targeted version for the committee
- Clarify responsibility for the Matomo VM
  https://lists.apache.org/thread/6c7dn3ot494pxdlfxfn1pngbcpzj5g08
  https://issues.apache.org/jira/browse/INFRA-25432
- Clarify status of "donate.apache.org"
- Clarify status of "status.apache.org"
# General

There are no issues that need urgent attention.

Currently, 50 tracking codes were requested (+1). 10 Matomo sites don't receive traffic at this point (not yet implemented).

We signed a DPA with AUTOMATTIC for the WordPress hosting.

Multiple questions about embedding resources were handled.

# Open tasks

- Create a list of WordPress sites
- Create a list of domains that are allowed to connect because a DPA is covering it (improved Whimsy support)
- Better documentation about DPAs
- Add "canned responses" and instructions on how to run the privacy office to the website
- Investigate TAC for data privacy and develop a targeted version for the committee
- Clarify responsibility for the Matomo VM
  https://lists.apache.org/thread/6c7dn3ot494pxdlfxfn1pngbcpzj5g08
  https://issues.apache.org/jira/browse/INFRA-25432
# General

There are no issues that need urgent attention.

Currently, 50 tracking codes were requested (+1). 10 Matomo sites don't receive traffic at this point (not yet implemented).

Multiple questions about embedding resources were handled.

# Open tasks

- Create a list of WordPress sites and sign a DPA with WordPress
- Create a list of domains that are allowed to connect because a DPA is covering it (improved Whimsy support)
- Better documentation about DPAs
- Add "canned responses" and instructions on how to run the privacy office to the website
- Investigate TAC for data privacy and develop a targeted version for the committee
- Clarify responsibility for the Matomo VM
  https://lists.apache.org/thread/6c7dn3ot494pxdlfxfn1pngbcpzj5g08
  https://issues.apache.org/jira/browse/INFRA-25432
# General

There are no issues that need urgent attention.

Currently, 49 tracking codes were requested (+2). 10 Matomo sites don't receive traffic at this point (not yet implemented).

* After blocking 3rd party dependencies, questions arose about embedding resources.
* Concerning DPAs, the ASF currently lets the VP of Data Privacy sign them. However, it's worth mentioning to the board that any authorized (board) member can also sign. To keep overhead low, I recommend to stick with the current process.
* New requests for DPAs with previously unsupported companies will be reviewed on the privacy@ mailing list. This process allows for community input on these tools, encourages suggestions for alternatives, and aims to keep our list of providers small.

# Open tasks

- Create a list of domains that are allowed to connect because a DPA is covering it (improved Whimsy support)
- Better documentation about DPAs
- Follow up on the idea of blocking 3rd party tracking on the infra-level.
  Tracked on: https://issues.apache.org/jira/browse/INFRA-25518
- Add "canned responses" and instructions on how to run the privacy office to the website
- Investigate TAC for data privacy and develop a targeted version for the committee
- Clarify responsibility for the Matomo VM
  https://lists.apache.org/thread/6c7dn3ot494pxdlfxfn1pngbcpzj5g08
  https://issues.apache.org/jira/browse/INFRA-25432
# General

There are no issues that need urgent attention.

Currently, 47 projects have requested a Matomo code (+5). 10 Matomo sites don't receive traffic at this point (not yet implemented).

# Open tasks

- Follow up on the idea of blocking 3rd party tracking on the infra-level.
  Tracked on: https://issues.apache.org/jira/browse/INFRA-25518
- Add "canned responses" and instructions on how to run the privacy office to the website
- Investigate TAC for data privacy and develop a targeted version for the committee
- Clarify responsibility for the Matomo VM
  https://lists.apache.org/thread/6c7dn3ot494pxdlfxfn1pngbcpzj5g08
  https://issues.apache.org/jira/browse/INFRA-25432
# General

There are no issues that need urgent attention.

# Newly identified tasks

TAC deals with personal data, so a particular form of privacy policy may be needed.

Related to Matomo, one question came up that needs clarification:

In late 2022, it seemed ASF Infra took over responsibility for the Matomo VM:
https://lists.apache.org/thread/6c7dn3ot494pxdlfxfn1pngbcpzj5g08

This issue indicated otherwise:
https://issues.apache.org/jira/browse/INFRA-25432

The DP office will follow up with the Infra team to clarify this situation.

Currently, 42 projects have requested a Matomo code; 1 is about to be created. Thirty-one projects are actively using Matomo, and 9 of them appear not to include the Matomo code.

# Open tasks

- Follow up on the idea of blocking 3rd party tracking on the infra-level.
  Tracked on: https://issues.apache.org/jira/browse/INFRA-25518
- Add "canned responses" and instructions on how to run the privacy office to the website
- Investigate TAC for data privacy and develop a targeted version for the committee
# General

There are no issues that need urgent attention.

It was confirmed to a board member's question that blocking 3rd party tracking tools on the infra-level is indeed helpful.

The usual requests from automated tools happened.

One person was added to be a moderator for the privacy@ mailing list. They wanted to help with moderating and responding to automated requests. As a next step, the privacy website will soon see a collection of canned responses, so other interested persons can help with handling them.
# General

There are no issues that need urgent attention.

Please see this report for decision to make shortly: "Should the website policy be enforced? If yes, how?"

## Non-Policy conform websites

The projects using Google Analytics remain almost unchanged:
https://github.com/search?q=org%3Aapache+analytics.com&type=code&p=2

More than 100 projects appear to have Google Analytics on their sites.

On occasional check, I have seen the Apache Beam project is not only using Google Analytics, but also Hotjar which is used for even more critical user tracking. I have sent an e-mail with my recommendations to the Beam private list, but no response:
https://lists.apache.org/thread/hsxpb3j4m3k3gpcj7hysbxv8gsz53q01

This raises an important question to me: According to the GDPR, the DPO is only responsible for recognizing these kinds of issues, but not for enforcing their correction. Enforcement is done (or not) by the Board.

I recommend to decide if the website policy should be enforced on projects or not. If it should be enforced, there needs to be a decision who should enforce it and how.

## Increased questions around licenses

There has been a spike of questions around our license. All questions are not related to data privacy and could be omitted, but demonstrate a confusion on our license.

Example: "I have a phone, and I found the Apache license on it. I never allowed you to install software. Please remove it."

This is non critical, and will provide the responses I write on the privacy website for future DPOs soon.

Note: most of these requests go to vp-privacy directly and not to the mailing list.

## Question on SurveyTools from ASF Cordova

The Apache Cordova project raised the question of a survey tool. I recommended sticking with their idea of Google Forms, but to make it very clear what kind of tooling is used, that the survey is optional and that no further personal data is asked. The Cordova team wrote an excellent invitation to the survey that made it possible to use Google Forms.

## Confirmation of RingCentral

RingCentral bought Hopin with which we have a DPA. While RingCentral seems not to be that supportive to the GDPR as Hopin was, I recommended to stick with the platform for now. The DPA should be still valid.

## Subscription information for every new subscriber

Thanks to the good work of our Infra team and @Sebb, we now have subscriber information on every mailing list.
https://issues.apache.org/jira/browse/INFRA-23011?filter=-2

While this may not seem like a big deal, this change allows us to justify to *not* delete mailing list messages.
A report was expected, but not received
# General

No issue requiring board attention at this time.

While more and more websites are using Matomo, provided by our Infrastructure team, we still have plenty of projects using GA:
https://github.com/search?q=org%3Aapache+analytics.com&type=code&p=2

I received a proposal for an automated, monthly email report about websites using GA. The idea is to open issues for projects using GA and recommend migration.

D&I requested to use existing data for further analysis. Since the purpose is the same and no new data is retrieved, the privacy office agrees to the new research.

Hopin, our provider for conference related services, was bought by Ring Central. Although Ring Central does not provide DPAs, we still have a DPA with Hopin. Given they refer to current privacy regulations, I consider them safe. However, privacy protecting solutions are preferred in general; the recommendation was to stay for now, and leave whenever we find a better solution.
# General

No issue requiring board attention at this time.

There have been many unfounded requests to vp-privacy@ related to "privacy requests." These requests look a lot like spam.
# General

No issue requiring board attention at this time.

- We published our first guide to help with ASF event photography:
  https://privacy.apache.org/guides/event-photography.html
A report was expected, but not received
# General

No issues requiring board attention at this time.

## First online meeting on 28 Jun 2023

One of the roles of the DPO is to educate. I am trying a new format in the form of an online meeting to respond to all questions committers might have around their projects, websites or just in general.

# Recommendations

## Add subscription information to every new subscriber of a mailing list

Tracked as: https://issues.apache.org/jira/browse/INFRA-23011?filter=-2 (open since 18/Mar/22)

Adding this kind of information will tell users how mailing lists work and we can act based on user consent.

## Access to ICLAs should be more restrictive

This task is currently work in progress.
No issues requiring board attention. Few emails were received on the VP's address, but most of them were spam.
No specific issue which requires board attention.

Usual activities: requests for data erasure were responded to, Matomo IDs were added. There were no conversations that needed specific highlighting.

The ASF Trademarks team has reported a 3rd party has used our logo without permission after being added to the privacy policy. To avoid these kinds of things, VP privacy will add a note to 3rd parties to contact ASF Trademarks when there is an idea to use our brands. Also, we will make sure to notify trademarks@ and operations@ three days before we add a provider to the privacy policy.

This planned change to process will be documented in the privacy website for future VPs and will probably be adjusted with the input of the privacy@ mailing list once it will publish it there for discussion.
A report was expected, but not received
There was almost no activity in the past month. One data removal request was fulfilled.
Privacy Policy:

We have submitted a new try for getting the privacy policy for public websites ratified. Some projects expressed to only apply those privacy policy if approved from the board.

As there always might be a language barrier, here is the intent of what I am trying to achieve: to have a common, generic privacy policy all projects follow. This of course has some impact. For example, Google Analytics cannot be used anymore. Instead, the policy provides an alternative in terms of Matomo.

Question: Updates to this policy may be necessary, when new data processors are added or services are altered. I would like to send updates to the board so they can be vetoed in a lazy way. Is this process acceptable for you?

Operations:

I have added Scarf and DinoSource ApS to the list of vendors. Scarf is a new service asked by some project to track their download statistics. The service supports the GDPR and also was cooperative when working with them. DinoSource is providing PonyMail and was known as Quenda before. The DPA was filed earlier, but without signature and adding DinoSource was just a formality.

We had some removal requests. Automated requests were rejected. One person request was rejected as well since it implied mailing list removals. So far, no rejections received any follow ups.

Next goals:

The privacy office will work harder on the committer privacy once the public privacy policy was ratified. Also, I'd like to find a system to help projects migrate to the new policy.
There is a proposed privacy resolution on the agenda. We were receiving many requests for data deletion from a tool called "Mine". I have decided to ignore those requests as they are unjustified in most cases and automatically sent. From a privacy perspective, I am also very happy to see the Infrastructure team supporting our efforts greatly by proactively working on better privacy for LDAP and taking over control of the Matomo (Web Analytics) instance. The latter one will not only lead to more professionally cared services but also help to handle additional load which we might have from applying the privacy policy to our websites. There is minor activity around a new DPA with Scarf and working on further policies.
A report was expected, but not received
Currently a draft of an upcoming resolution was posted here for review:
https://lists.apache.org/thread/zh3hpzqbk677ttotltjyqqmm3r824kp8

I did not submit it yet, since I hope for more feedback first.

A first draft for the committer exists here:
https://privacy.apache.org/policies/privacy-policy-committer.html

I am also trying to collect all open issues in a document now as current issues are hard to track as it is now.

We keep getting requests from tools like "Mine" which basically search email inboxes and complain if you ever received an email from the ASF, like a subscription confirmation or similar. I will need to read if these kinds of "mass complaints" have to be handled or can be ignored.

Apart from that, no unusual activities.
Data Privacy was out of office most of August and partially in September. All important messages (mailing list and private messages) were responded to. I have recognised more messages coming in from tools like "privacy hawk" or similar. I am in contact with them if we can reduce the often unjustified messages. I am also in touch with "Scarf" to complete working on usage of this tooling too. Next tasks will be to submit the privacy resolution (as discussed) for the next board meeting and complete other privacy policy related tasks (committer policy, members policy etc).
A report was expected, but not received
A report was expected, but not received
Discuss https://whimsy.apache.org/board/agenda/2022-05-18/Data-Privacy with VP Data Privacy

Privacy has received several "data removal requests" for mailing lists, but all of them were denied.

In addition, we have asked for feedback for our upcoming new mailing policy:
https://privacy.apache.org/policies/mailinglist-policy.html

It was received positively and will be put into action very soon. The next policy to be done will be the contributors policy.

The infra team has supported us to improve the wording on Bugzilla:
https://issues.apache.org/jira/browse/INFRA-23326?filter=-2

This was necessary due to a request of removal by a Bugzilla user (complaining about an email sent by Bugzilla).

A similar issue can be found here:
https://issues.apache.org/jira/browse/INFRA-23011?filter=-2
which warns users about the public nature of our mailing lists.

Other than that, no other notable incidents happened.

@Christian: pursue a resolution for ratifying data privacy policy
A report was expected, but not received
Privacy has received several "data removal requests", but apart from that, no bigger issues.

We have published our privacy policy for public services (for all visitors on websites):
https://privacy.apache.org/policies/privacy-policy-public.html

With the announcement we have received generally good feedback. At this point, already 22 projects have migrated to Matomo, the new ASF service we provide:
https://analytics.apache.org/

VP Data Privacy is grateful for the help of some volunteers, specifically Martijn Visser, who was recently elected as committer, but also helps a lot with creating new accounts on Matomo.

One interesting question was raised on the mailing list regarding the "enforcement" of those policies. If interested in the context:
https://lists.apache.org/thread/vf4drk82so4k4tcw188h9370grzy8wz1

As it was explained, the privacy office can only give recommendations to apply privacy practices, but cannot enforce it. As per GDPR, the board is responsible for ultimately enforcing the privacy policy. This is a duty which cannot be outsourced. If the privacy policy is not enforced to all projects, we cannot consider our organisation GDPR compliant.

I ask the board to give a recommendation how the privacy policies worked on in the privacy office (as part of the president office) should be enforced (or if).

At the moment privacy list is not yet cleared of all open requests, but once the number of requests goes down, a proposal for the new "mailing list policy" and also "committer policies" will follow.

Policy-wise, end of summer might be a good time to think of the ASF as GDPR compliant. Implementation wise, it will be difficult to convince all projects to support the new privacy policy or have the work done. An answer to the above question about enforcement of the GDPR will definitely help.
A report was expected, but not received
The ASF is on its way to remove Google Analytics. As a replacement for projects who need website analytics we have discussed to use Matomo.

The new Matomo instance is running (in beta) for some projects:
https://matomo.privacy.apache.org/

Thanks to Martijn Visser and Benjamin Marwell to make this happen.

A draft for the message of website policy changes can be found here:
https://docs.google.com/document/d/1HQibaSbfoioGAW4ugvo8meA_oDJ6Lz6VNUeOXtvnd7Y/edit

Some feedback was already worked in. In a few days this message will be sent, except there is further feedback.

We have been granted with a "premium" account for free for a tool called "Mine", which sends us user complaints. I am still undecided if this is a good thing to use or if it is necessary to use it.

Usual discussions and daily operations aside, there is nothing more to report. Once the above mentioned email is out, I expect the privacy list will have to handle support questions.
We have installed Matomo (Google Analytics replacement) on a Privacy maintained VM. Two projects are currently trying out if the software is meeting our requirements (Apache Flink and Apache Shiro). Once we learn more about the system, VP Privacy will send out a first email informing the projects about the upcoming changes to privacy (and asking for feedback).

On another note we have received many privacy complaints from users who used the Mine software (saymine.com). This software analyses emails and makes assumptions on unused "accounts". Because some users received emails from our email lists, Mine recommended to contact us. These emails mentioned there "is proof". I have looked into Mine and tried the "free account". All emails I found were "false positives" and it looked like people unsubscribed at some point. I contacted Mine so they don't recommend sending us further emails; outcome is still open.

Another request to sign a DPA with Warner Bros was rejected; the law firm contacting us was searching for "Apache Solutions Ltd".

Apart from that only routine work was done.
Data Privacy is currently in the process of finishing the webpage privacy statement. We are currently working in feedback and try to find a way to roll out the new policy. The board can expect more on this in the next two, three weeks.

According to the Austrian and German DSB (data privacy agencies), Google Analytics is no longer allowed in the EU because it is not compliant to the GDPR:
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.586.257_(D155.027)

For this reason, I believe it is necessary to remove Google Analytics from our websites. There is a proposal to use Matomo, which is compliant. The current idea is to add ASF volunteers to a privacy committee, which is responsible for maintaining and supporting a VM running Matomo for the whole ASF.

Apart from these next steps, there is only "business as usual". Some requests for data removal, all of them not valid, were made. A higher level of spam was observed with moderation.
A report was expected, but not received
No items requiring board attention for now. Discussion around "user website tracking" à la Google Analytics started at the mailing list.
A report was expected, but not received
Due to relocation no progress policy-wise was made this month. The mailing list was moderated and responses to deletion requests were given. No other requests were made so far.
Due to holiday seasons and personal changes not much has changed since the last report and nothing which requires board attention. For the next report I expect movement in applying the new policies mentioned in the previous report.
Data removals:

There was one serious request to remove data; however, it turned out the 18 year old emails are not hosted by the ASF.

General activities:

We have drafted the new website policy:
https://privacy.apache.org/policies/privacy-policy-public.html

There are also new draft versions of internal policies for mailing lists and websites:
https://privacy.apache.org/policies/

Initial work on the catalog of services was done as well (with focus on public facing services). Several data protection agreements (DPAs) were collected. We are well on our way to have working privacy policies for our public webpages soon.

Next action items:

- complete and communicate new policies
- clarify with infra if self hosted plausible.io is a possible alternative to Google Analytics
- work on contributor and committer privacy policies
There is nothing new to report in this period.

Interesting items:

- We had one data removal request, but the requestor did not clarify their country of origin

Next action items:

- A discussion about member PI was "finished", but has not had any consequences yet.
- collect more DPAs
- discourage Google Analytics
- Update privacy terms on the main website
There were no issues requiring board attention so far.

Changes:

VP Privacy will maintain this directory for now:
https://svn.apache.org/repos/private/foundation/dataprivacy/

It will contain recent requests, TODOs, DPAs and general discussions. "User requests" should be privacy-committee only.

A basic website was created here which will contain FAQ and policies:
https://privacy.apache.org/

Interesting items:

- one data removal request (Jira) was done without problems
- one data removal request was denied since the request did not look legit
- discussion about ICLA and how to store it took place, no conclusion so far

Next action items:

- collect more DPAs
- discourage Google Analytics
- Update privacy terms on the main website
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
Dirk has been recruited as a Special Adviser to the Dutch and EC with regard to architecture, privacy, anonymity and what not around the Corona response effort. Including the public oriented app. So, he won't have any available time for the ASF over the next 3 to 5 weeks.

Christian Grobmeier has volunteered the following report for the privacy effort:

So far, we have one missing report and also one open privacy incident (basic request from deleting user data from the OOo forums). The incident has not been responded to so far. I have asked on feedback of how I'd handle this request, but no response. I am not happy with performing any actions without approval. Does the board have any input/ideas/suggestions here?
Apologies for a late report - Corona related things took over. No substantial process on the organisational side. Few RQ related things got processed in time, communicated timely to requestor, etc. Currently no tickets open that require action or have deadlines. One ticket 'dead' where the requestor's email ceased to work (and it may have been a fluff/experimental/vigilante style request).
Operational: First genuine GDPR request (removal) handled; but actual governance & long term recording not yet sorted properly (e.g. making sure that the details of this request are automatically purged when they hit Delaware record law limits, etc).

Strategic: Not made as much progress as I wanted - largely due to the chair (personally) being swamped & not enough delegation. The latter should become unstuck as we start creating deliverables.

Next: Define these deliverables/plan; find 3-6 volunteers for the operational part & write down SOPs; talk to infra to figure out what is practically possible around retention.
My personal take is that there are now enough people on the list (-and- the 12 `sample' cases discussed so far seem to all have headed for sufficient consensus) that it is fair to now draft what should be our GDPR stance from which we can derive a guideline and policy. And with that concept not coming as a surprise.

We have about 6 more legal/complex points for expects so far (such as to what extent can you push things back for `self service' to the complainant). These may require legal attention at some point.

Actual GDPR and similar requests: two in flight; neither contentious. Tracked in JIRA.
Progress: Work rekindled.

- Call for any interested members gone out to subscribe to privacy@; people moderated through.
- General approach mail gone out & slowly posting a list of around 20 example cases (most collected over the past 12 months).
- Speaking to pro-bono and specialist (but paid) legal folks to get the lay of the land (Delaware, but wanting to do this right in CA, EU and UK - despite conflicting rules).
- Dealing with one 'want to be forgotten' request; next step here is to get a private JIRA set up - or postpone & keep this in a president private SVN repo for now.

Problems: None yet

Plan: Go through a set of examples to derive what we value as a community and then work top down again. Establish a private JIRA or similar. Establish a private channel to operations. Figure out if some of our existing (iCLA filing services) can be subverted to also handle the mechanical aspect of things and what they need (beyond a runbook).
Having been unable to devote enough time to the role John Kinsella has indicated privately that he wishes to stand down. Given the need for action to unblock operational risks a proposal to move the VP role to the President has been added to the agenda as item 7B. Dirk-Willem van Gulik has agreed to volunteer. (danny@)
A report was expected, but not received
(Apologies for delay in getting this report in. Setting reminder to go off a little earlier next month)

October was quieter than intended - got initial wiki page and call for volunteers out. Intention is doing a "soft launch" to members@, then after a week or two of hopefully wise Member feedback, opening volunteer call to wider committers@. Outside, engaging with privacy/legal contacts with hope of getting them to contribute in some manner, as well.

As requested in last month's (good) feedback, will list goals for the coming months for the next quarter or so as momentum is established.

October Goals

* Grow privacy-discuss subscribers
* Gather feedback on initial topics/priorities for Data Privacy to address
* Build out wiki with assistance from others - I can write this, but intent is to get community to contribute.

Stats for September 2019:

* 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
* 0 closed issues
* Next report will start to report on subscription/discussion stats.
After too long a period of silence (emailed last report April 2019[1] - just noticed it doesn’t seem to have made it to whimsy), renewing push to get Data Privacy up and running.

Structure for data-privacy has been set up - mailing lists[2][3], jira group[4], and wiki[5] created.

Since last board report, have talked with others with previous experience/thoughts on ASF data privacy topics. Short-term goal is to start outlining topics to address and areas of help needed on the wiki, then send call for volunteers to members@a.o.

Goal right now is to start to get volunteers involved, come up with list of priorities, and start being more useful to requests from projects.

I've been reviewing report formats from others, will be adding a bit more structure to this in coming months, along with several calendar reminders. Also planning a chat room for more interactive and regularly scheduled discussions to continue to drive movement.

Stats for August, 2019:

* 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
* 0 closed issues

1: https://lists.apache.org/thread.html/6ac38660931f60d3634aaab569967c5261004c78ff070a56a1be3655@%3Coperations.apache.org%3E
2: privacy@apache.org - 1 person has already organically found and subscribed.
3: privacy-discuss@apache.org
4: https://issues.apache.org/jira/projects/PRIVACY/issues
5: https://cwiki.apache.org/confluence/display/PRIVACY/Home
There has been no report from the VP. Activity: I have kicked off call for volunteers on board@ and reached out to incumbent VP today 21-Aug Next steps: Engage volunteers and agree definition of done, define next steps/mechanism to clarify the role, report back to the board. danny@
A report was expected, but not received
A report was expected, but not received
Working on setting up structure for data-privacy. Modified personnel-duties/vp-data-privacy.txt, will update further once mailing lists are set up. Stalled on setting up mailing lists as I was going to start conversation on legal ML first, but just going to create lists and run with it.

Working on syncing up with others who have worked on data-privacy matters over the last year and talked to counsel. Once that's accomplished, will start work to review data privacy policy and engage with projects looking for assistance.

Stats for April, 2019:

* 2 open Jira tickets
* 0 closed issues
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
A report was expected, but not received
The RFC period is underway for our draft privacy policy. Several members and VP infrastructure have weighed in. I will continue to collect feedback through the CY, and publish the draft in Jan 2019 with whatever feedback and comments received by then. Keep them coming.
This month we will send an RFC to the board and legal on our updates to the ASF data privacy policy that VPs Infrastructure and Privacy worked on. The draft is currently in GDocs and we should move it to a draft ASF page on the web site.
Nothing much to report this month other than still working on the Privacy Draft. For those interested, contact myself or VP, Infra to see a draft.
VP, Infra, VP, Data Privacy & Legal, and our counsel had a telecon on 7/19 and discussed ASF strategy with respect to the EU's General Data Protection Regulation (GDPR). We have decided to continue with our updates to the infrastructure team's mail archival policy and our policy and procedures for how we deal with removal requests. The policy updates are currently under review by Legal, and Data Privacy and we expect to publish them in the next month. We have received a few GDPR requests, with only one current request being actively worked, and few queued as far as I can tell (less than 5).