Skip to Main Content
Apache Events The Apache Software Foundation
Apache 20th Anniversary Logo

This was extracted (@ 2024-03-20 21:10) from a list of minutes which have been approved by the Board.
Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

WARNING: these pages may omit some original contents of the minutes.
This is due to changes in the layout of the source minutes over the years. Fixes are being worked on.

Meeting times vary, the exact schedule is available to ASF Members and Officers, search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).

Data Privacy

21 Feb 2024 [Christian Grobmeier]

# General

There are no issues that need urgent attention.

# Newly identified tasks

TAC deals with personal data, so a particular form of privacy policy may be needed.

Related to Matomo, one question came up that needs clarification:

In late 2022, it seemed ASF Infra took over responsibility for the Matomo VM:
https://lists.apache.org/thread/6c7dn3ot494pxdlfxfn1pngbcpzj5g08
This issue indicated otherwise:
https://issues.apache.org/jira/browse/INFRA-25432
The DP office will follow up with the Infra team to clarify this situation.

Currently, 42 projects have requested a Matomo code; 1 is about to be created.
Thirty-one projects are actively using Matomo, and 9 of them appear not to include the Matomo code.

# Open tasks

- Follow up on the idea of blocking 3rd party tracking on the infra-level.
 Tracked on: https://issues.apache.org/jira/browse/INFRA-25518
- Add "canned responses" and instructions on how to run the privacy office to the website
- Investigate TAC for data privacy and develop a targeted version for the committee

17 Jan 2024 [Christian Grobmeier]

# General

There are no issues that need urgent attention.

It was confirmed to a board member's question that blocking 3rd party tracking tools on the infra-level is indeed helpful.

The usual requests from automated tools happened.

One person was added to be a moderator for the privacy@
mailing list. They wanted to help with moderating and responding to automated requests.

As a next step, the privacy website will soon see a collection
of canned responses, so other interested persons can help
with handling them.

20 Dec 2023 [Christian Grobmeier]

# General

There are no issues that need urgent attention.

Please see this report for decision to make shortly:
"Should the website policy be enforced? If yes, how?"

## Non-Policy conform websites

The projects using Google Analytics remains almost unchanged:
https://github.com/search?q=org%3Aapache+analytics.com&type=code&p=2

More than 100 projects appear to have Google Analytics on their sites.

On occasional check, I have seen the Apache Beam project is not only using
Google Analytics, but also Hotjar which is used for even more critical user
tracking. I have sent an e-mail with my recommendations to the Beam private
list, but no response:

https://lists.apache.org/thread/hsxpb3j4m3k3gpcj7hysbxv8gsz53q01

This raises an important question to me:

According to the GDPR, the DPO is only responsible for recognizing these kind
of issues, but not for enforcing their correction. Enforcement is done (or
not) by the Board.

I recommend to decide if the website policy should be enforced on projects or
not. If it should be enforced, there needs to be a decision who should enforce
it and how.

## Increased questions around licenses

There has been a spike of questions around our license. All questions are not
related to data privacy and could be ommitted, but demonstrate a confusion on
our license.

Example:

"I have a phone, and I found the Apache license on it. I never allowed you to
 install software. Please remove it."

This is non critical, and will provide the responses I write on the privacy
website for future DPOs soon.

Note: most of these request go to vp-privacy directly and not to the mailing
list.

## Question on SurveyTools from ASF Cordova

The Apache Cordova project raised the question of a survey tool. I recommended
sticking with their idea of Google Forms, but to make it very clear what kind
of tooling is used, that the survey is optional and that not further personal
data is asked.

The Cordova team wrote an excellent invitation to the survey that made it
possible to use Google Forms.

## Confirmation of RingCentral

RingCentral bought Hopin with which we have a DPA. While RingCentral seems not
to be that supportive to the GDPR as Hopin was, I recommended to stick with
the platform for now. The DPA should be still valid.

## Subscription information for every new subscriber

Thanks to the good work of our Infra team and @Sebb, we now have subscriber
information on every mailing list.
https://issues.apache.org/jira/browse/INFRA-23011?filter=-2

While this may not seem like a big deal, this change allows us to justify to
*not* delete mailing list messages.

15 Nov 2023 [Christian Grobmeier]

A report was expected, but not received

18 Oct 2023 [Christian Grobmeier]

# General

No issue requiring board attention at this time.

While more and more websites are using Matomo, provided by our Infrastructure
team, we still have plenty of projects using GA:
https://github.com/search?q=org%3Aapache+analytics.com&type=code&p=2

I received a proposal for an automated, monthly email report about websites
using GA. The idea is to open issues for projects using GA and recommend
migration.

D&I requested to use existing data for further analysis. Since the purpose is
the same and no new data is retrieved, the privacy office agree to the new
research.

Hopin, our provider for conference related services, was bought by Ring Central.
Although Ring Central does not provide DPAs, we still have a DPA with Hopin.
Given they refer to current privacy regulations, I consider them safe. However,
privacy protecting solutions are preferred in general; the recommendation was
to stay for now, and leave whenever we find a better solution.

20 Sep 2023 [Christian Grobmeier]

# General

No issue requiring board attention at this time.

There have been many unfounded requests to vp-privacy@
related to "privacy requests." These requests look a lot
like spam.

16 Aug 2023 [Christian Grobmeier]

# General

No issue requiring board attention at this time.

- We published our first guide to help with ASF event photography:
 https://privacy.apache.org/guides/event-photography.html

19 Jul 2023 [Christian Grobmeier]

A report was expected, but not received

21 Jun 2023 [Christian Grobmeier]

# General

No issues requiring board attention at this time.

## First online meeting on 28 Jun 2023

One of the roles of the DPO is to educate. I am trying a new format in the
form of an online meeting to respond to all questions committers might have
around their projects, websites or just in general.

# Recommendations

## Add subscription information to every new subscriber of a mailing list

Tracked as: https://issues.apache.org/jira/browse/INFRA-23011?filter=-2
(open since 18/Mar/22)

Adding this kind of information will tell users how mailing lists work and we
can act based on user consent.

## Access to ICLAs should be more restrictive
This task is currently work in progress.

17 May 2023 [Christian Grobmeier]

No issues requiring board attention.

Few emails were received on the VPs address, but most of them were spam

19 Apr 2023 [Christian Grobmeier]

No specific issue which requires board attention.

Usual activities: requests for data erasure requests were responded to, Matomo
IDs were added. There were no conversations that needed specific highlighting.

The ASF Trademarks team has reported a 3rd party has used our logo without
permission after being added to the privacy policy. To avoid these kind of
things, VP privacy will add a note to 3rd parties to contact ASF Trademarks
when there is an idea to use our brands. Also, we will make sure to notify
trademarks@ and operations@ three days before we add a provider to the privacy
policy. This planned change to process will be documented in the privacy
website for future VPs and will probably be adjusted with the input of the
privacy@ mailing list once it will publish it there for discussion.

22 Mar 2023 [Christian Grobmeier]

A report was expected, but not received

15 Feb 2023 [Christian Grobmeier]

There was almost no activity in the past month.

One data removal request was fulfilled.

18 Jan 2023 [Christian Grobmeier]

Privacy Policy:

We have submitted a new try for getting the privacy policy for public websites
ratified. Some projects expressed to only apply those privacy policy if
approved from the board.

As there always might be a language barrier, here is the intent of what I am
trying to achieve: to have a common, generic privacy policy all projects
follow. This of course has some impact. In example, Google Analytics cannot be
used anymore. Instead, the policy provides an alternative in terms of Matomo.

Question:

Updates to this policy may be necessary, when new data processors are added or
services are altered. I would like to send updates to the board so they can be
vetoed in a lazy way. Is this process acceptable for you?

Operations:

I have added Scarf and DinoSource ApS to the list of vendors. Scarf is a new
service asked by some project to track their download statistics. The service
supports the GDPR and also was cooperative when working with them. DinoSource
is providing PonyMail and was known as Quenda before. The DPA was filed
earlier, but without signature and adding DinoSource was just a formality.

We had some removal requests. Automated requests where rejected. One person
request was rejected as well since it implied mailinglist removals.

So far, no rejections received any follow ups.

Next goals:

The privacy office will work harder on the committer privacy once the public
privacy policy was ratified. Also, I'd like to find a system to help projects
migrate to the new policy.

21 Dec 2022 [Christian Grobmeier]

There is a proposed privacy resolution on the agenda.

We were receiving many requests for data deletion from a tool called "Mine". I have decided to ignore those requests
as they are unjustified in most cases and automatically sent.

From a privacy perspective, I am also very happy to see the Infrastructure team supporting our efforts greatly
by proactively working on better privacy for LDAP and taking over control of the Matomo (Web Analytics) instance. The latter one will not only lead to more professionally cared services but also help to handle additional load which we might have from applying the privacy policy to our websites.

There is minor activity around a new DPA with Scarf and working on further policies.

16 Nov 2022 [Christian Grobmeier]

A report was expected, but not received

19 Oct 2022 [Christian Grobmeier]

Currently a draft of an upcoming resolution was posted here for review:
https://lists.apache.org/thread/zh3hpzqbk677ttotltjyqqmm3r824kp8
I did not yet submit it yet, since I hope for more feedback first.

A first draft for the committer exists here:
https://privacy.apache.org/policies/privacy-policy-committer.html

I am also trying to collect all open issues in a document now as
current issues are hard to track as it is now.

We keep getting requests from tools like "Mine" which basically
search email inboxes and complain if you ever received an email from the ASF,
like a subscription confirmation or similar. I will need to read if
these kind of "mass complaints" have to be handled or can be ignored.

Apart from that, no unusual activities.

21 Sep 2022 [Christian Grobmeier]

Data Privacy was out of office most of the August and partially in September.
All important messages (mailing list and private messages) were responded too.

I have recognised more messages coming in from tools like "privacy hawk" or
similar. I am in contact with them if we can reduce the often unjustified
messages.

I am also in touch with "Scarf" to complete working on usage of this tooling
too.

Next tasks will be to submit the privacy resolution (as discussed) for the
next board meeting and complete other privacy policy related tasks (committer
policy, members policy etc)

17 Aug 2022 [Christian Grobmeier]

A report was expected, but not received

20 Jul 2022 [Christian Grobmeier]

A report was expected, but not received

15 Jun 2022

 Discuss https://whimsy.apache.org/board/agenda/2022-05-18/Data-Privacy
 with VP Data Privacy

 Privacy has received several "data removal requests" for mailing lists,
 but all of them were denied. In addition, we have asked for feedback for our
 upcoming new mailing policy:
 https://privacy.apache.org/policies/mailinglist-policy.html
 It was received positively and will be put into action very soon.

 The next policy to be done will be the contributors policy.

 The infra team has supported us to improve the wording on Bugzilla:
 https://issues.apache.org/jira/browse/INFRA-23326?filter=-2
 This was necessary due to a request of removal by a Bugzilla user (complaining about an email sent by Bugzilla).

 A similar issue can be found here:
 https://issues.apache.org/jira/browse/INFRA-23011?filter=-2
 which warns users about the public nature of our mailing lists.

 Other than that, no other notable incidents happened.

 @Christian: pursue a resolution for ratifying data privacy policy

15 Jun 2022 [Christian Grobmeier]

A report was expected, but not received

18 May 2022 [Christian Grobmeier]

Privacy has received several "data removal requests", but apart from that, no
bigger issues.

We have published our privacy policy for public services (for all visitors on
websites): https://privacy.apache.org/policies/privacy-policy-public.html

With the announcement we have received generally good feedback. At this point,
already 22 projects have migrated to Matomo, the new ASF service we provide:
https://analytics.apache.org/

VP Data Privacy is grateful for the help of some volunteers, specifically
Martijn Visser, who was recently elected as committer, but also helps a lot
with creating new accounts on Matomo.

One interesting question was raised on the mailing list regarding the
"enforcement" of those policies. If interested in the context:
https://lists.apache.org/thread/vf4drk82so4k4tcw188h9370grzy8wz1

As it was explained, the privacy office can only give recommendations to apply
privacy practices, but cannot enforce it. As per GDPR, the board is
responsible for ultimately enforcing the privacy policy. This is a duty which
cannot be outsourced.

If the privacy policy is not enforced to all projects, we cannot consider our
organisation GDPR compliant. I ask the board to give a recommendation how the
privacy policies worked on in the privacy office (as part of the president
office) should be enforced (or if).

At the moment privacy list is not yet cleared of all open requests, but once
the number of requests goes down, a proposal for the new "mailing list policy"
and also "committer policies" will follow.

Policy-wise, end of summer might be a good time think of the ASF as GDPR
compliant. Implementation wise, it will be difficult to convince all projects
to support the new privacy policy or have the work done. An answer to the
above question about enforcement of the GDPR will definitely help.

20 Apr 2022 [Christian Grobmeier]

A report was expected, but not received

16 Mar 2022 [Christian Grobmeier]

The ASF is on it's way to remove Google Analytics. As a replacement for
projects who need website analytics we have discussed to use Matomo.

The new Matomo instance is running (in beta) for some projects:
https://matomo.privacy.apache.org/

Thanks to Martijn Visser and Benjamin Marwell to make this happen.

A draft for the message of website policy changes can be found here:
https://docs.google.com/document/d/1HQibaSbfoioGAW4ugvo8meA_oDJ6Lz6VNUeOXtvnd7Y/edit
Some feedback was already worked in. In a few days this message will be sent,
except there is further feedback.

We have been granted with a "premium" account for free for a tool called
"Mine", which sends us user complaints. I am still undecided if this is a good
thing to use or if it is necessary to use it.

Usual discussions and daily operations aside, there is nothing more to report.
Once the above mentioned email is out, I expect the privacy list will have to
handle support questions.

16 Feb 2022 [Christian Grobmeier]

We have installed Matomo (Google Analytics replacement) on a Privacy
maintained VM. Two projects are currently trying out if the software is
meeting our requirements (Apache Flink and Apache Shiro). Once we learn more
about the system, VP Privacy will send out a first email informing the
projects about the upcoming changes to privacy (and asking for feedback).

On another note we have received many privacy complaints from users who used
the Mine software (saymine.com). This software analyses emails and makes
assumption on unused "accounts". Because some users received emails from our
email lists, Mine recommended to contact us. These emails mentioned there "is
proof". I have looked into Mine and tried the "free account". All emails I
found where "false positives" and it looked like people unsubscribed at some
point. I contacted Mine so they don't recommend sending us further emails;
outcome is still open.

Another request to sign a DPA with Warner Bros was rejected; the law firm
contacting us where searching for "Apache Solutions Ltd".

Apart from that only routine work was done.

19 Jan 2022 [Christian Grobmeier]

Data Privacy is currently in the process of finishing the webpage privacy
statement. We are currently working in feedback and try to find a way to roll
out the new policy. The board can expect more on this in the next two, three
weeks.

According to the austrian and german DSB (data privacy agencies), Google
Analytics is no longer allowed in the EU because it is not compliant to the
GDPR:
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.586.257_(D155.027)

For this reason, I believe it is necessary to remove Google Analytics from our
websites. There is a proposal to use Matomo, which is compliant. The current
idea is to add ASF volunteers to a privacy committee, which is responsible for
maintaining and supporting a VM running Matomo for the whole ASF.

Apart from these next steps, there is only "business as usual". Some requests
for data removal, all of them not valid were made. A higher level of spam was
observed with moderation.

15 Dec 2021 [Christian Grobmeier]

A report was expected, but not received

17 Nov 2021 [Christian Grobmeier]

No items requiring board attention for now.

Discussion around "user website tracking" alá Google Analytics started at the
mailing list.

20 Oct 2021 [Christian Grobmeier]

A report was expected, but not received

15 Sep 2021 [Christian Grobmeier]

Due to relocation no progress policy-wise was made this month.

The mailing list was moderated and responses to deletion requests were given.

No other requests were made so far.

18 Aug 2021 [Christian Grobmeier]

Due to holiday seasons and personal changes not much has changed since the
last report and nothing which requires board attention.

For the next report I expect movement in applying the new policies mentioned
in the previous report.

21 Jul 2021 [Christian Grobmeier]

Data removals:

There was one serious request to remove data; however, it turned out the 18
year old emails are not hosted by the ASF.

General activities:

We have drafted the new website policy:
https://privacy.apache.org/policies/privacy-policy-public.html

There are also new draft versions of internal policies for mailing lists and
websites: https://privacy.apache.org/policies/

Initial work on the catalog of services was done as well
(with focus on public facing services).

Several data protection agreements (DPAs) were collected. We are well on our
way to have working privacy policies for our public webpages soon.

Next action items:

 - complete and communicate new policies
 - clarify with infra if self hosted plausible.io is a possible alternative to
   Google Analytics
 - work on contributor and committer privacy policies

16 Jun 2021 [Christian Grobmeier]

There is nothing new to report in this period.

Interesting items:

 - We had one data removal request, but the requestor did not clarify their
   country of origin

Next action items:

 - A discussion about member PI was "finished", but has not had any
   consequences yet.
 - collect more DPAs
 - discourage Google Analytics
 - Update privacy terms on the main website

19 May 2021 [Christian Grobmeier]

There were no issues requiring board attention so far.

Changes:

VP Privacy will maintain this directory for now:
https://svn.apache.org/repos/private/foundation/dataprivacy/
It will contain recent requests, TODOs, DPAs and general discussions.
"User requests" should be privacy-committee only.

A basic website was created here which will contain FAQ and policies:
https://privacy.apache.org/

Interesting items:

- one data removal request (Jira) was done without problems
- one data removal requests was denied since the request did not look legit
- discussion about ICLA and how to store it took place, no conclusion so far

Next action items:

- collect more DPAs
- discourage Google Analytics
- Update privacy terms on the main website

21 Apr 2021 [Christian Grobmeier]

A report was expected, but not received

17 Mar 2021 [Christian Grobmeier]

A report was expected, but not received

17 Feb 2021 [Christian Grobmeier]

A report was expected, but not received

20 Jan 2021 [Christian Grobmeier]

A report was expected, but not received

16 Dec 2020 [Christian Grobmeier]

A report was expected, but not received

18 Nov 2020 [Christian Grobmeier]

A report was expected, but not received

21 Oct 2020 [Christian Grobmeier]

A report was expected, but not received

16 Sep 2020 [Dirk-Willem van Gulik]

A report was expected, but not received

19 Aug 2020 [Dirk-Willem van Gulik]

A report was expected, but not received

15 Jul 2020 [Dirk-Willem van Gulik]

A report was expected, but not received

17 Jun 2020 [Dirk-Willem van Gulik]

A report was expected, but not received

20 May 2020 [Dirk-Willem van Gulik]

Dirk has been recruited as a Special Adviser to the Dutch and EC with regard
to architecture, privacy, anonymity and what not around the Corona response
effort. Including the public oriented app. So, he won't have any available
time for the ASF over the next 3 to 5 weeks.

Christian Grobmeier has volunteered the following report for the privacy
effort:

So far, we have one missing report and also one open privacy incident (basic
request from deleting user data from the OOo forums). The incident has not
been responded so far.

I have asked on feedback of how I'd handle this request, but no response. I am
not happy with performing any actions without approval.

Does the board have any input/ideas/suggestions here?

15 Apr 2020 [Dirk-Willem van Gulik]

Apologies for a late report - Corona related things took over.

No substancial process on the organisational side.

Few RQ related things got processed in time, commmunicated timely to
requestor, etc. Currently no tickets open that require action or have
deadlines. One ticket 'dead' where the requestors email ceased to work (and it
may have been a fluff/experimental/vigiliante style request).

18 Mar 2020 [Dirk-Willem van Gulik]

Operational: First genuine GDPR request (removal) handled; but actual
governance & long term recording not yet sorted properly (e.g. making sure
that the details of this request are automatically purged when they hit
delaware record law limits, etc).

Strategic: Not made as much progress as I wanted - largely due to the chair
(personally) being swamped & not enough delegation.  The latter should become
unstuck as we start creating deliverables.

Next: Define these deliverables/plan; find 3-6 volunteers for the operational
part & write down SOPs; talk to infra to figure out what is practically
possible around retention.

19 Feb 2020 [Dirk-Willem van Gulik]

My personal take is that there are now enough people on the list (-and- the 12
`sample' cases discussed sofar seem to all have headed for sufficient
consensus) that it is fair to now draft what should be our GDPR stance from
which we can derive a guideline and policy. And with that concept not coming
as a surprise.

We have about 6 more legal/complex points for expects sofar (such as to what
extent can you push things back for `self service' to the complainant). These
may require legal attention at some point.

Actual GDPR and similar requests: two in flight; neither contentious. Tracked
in JIRA.

15 Jan 2020 [Dirk-Willem van Gulik]

Progress: Work rekindled.

- Call for any interested members gone out to subscribe to privacy@; people
 moderated through.

- General approach mail gone out & slowly posting a list of around 20 example
 cases (most collected over the past 12 months).

- Speaking to pro-bono and specialist (but paid) legal folks to get the lay of
 the land (Delaware, but wanting to do this right in CA, EU and UK - despite
 conflicting rules).

- Dealing with one 'want to be forgotten' request; next step here is to get a
 private JIRA set up - or postpone & keep this in a president private SVN
 repo for now.

Problems: None yet

Plan: Go through a set of examples to derive what we value as a community and
then work top down again. Establish a private JIRA or similar. Establish a
private channel to operations. Figure out if some of our existing (iCLA filing
services) can be subverted to also handle the mechanical aspect of things and
what they need (beyond a runbook).

18 Dec 2019 [John Kinsella / Shane]

Having been unable to devote enough time to the role John Kinsella has
indicated privately that he wishes to stand down. Given the need for action to
unblock operational risks a proposal to move the VP role to the President has
been added to the agenda as item 7B. Dirk-Willem van Gulik has agreed to
volunteer. (danny@)

20 Nov 2019 [John Kinsella]

A report was expected, but not received

16 Oct 2019 [John Kinsella / Shane]

(Apologies for delay in getting this report in. Setting reminder to go off a
 little earlier next month)

October was quieter than intended - got initial wiki page and call for
volunteers out. Intention is doing a "soft launch" to members@, then after a
week or two of hopefully wise Member feedback, opening volunteer call to wider
committers@.

Outside, engaging with privacy/legal contacts with hope of getting them to
contribute in some manner, as well.

As requested in last month's (good) feedback, will list goals for the coming
months for the next quarter or so as momentum is established.

October Goals
* Grow privacy-discuss subscribers
* Gather feedback on initial topics/priorities for Data Privacy to address
* Build out wiki with assistance from others - I can write this, but intent is
  to get community to contribute.

Stats for September 2019:
* 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
* 0 closed issues
* Next report will start to report on subscription/discussion stats.

18 Sep 2019 [John Kinsella / Ted]

After too long a period of silence (emailed last report April 2019[1] - just
noticed it doesn’t seem to have made it to whimsy), renewing push to get Data
Privacy up and running.

Structure for data-privacy has been set up - mailing lists[2][3], jira
group[4], and wiki[5] created.

Since last board report, have talked with others with previous
experience/thoughts on ASF data privacy topics. Short-term goal is to start
outlining topics to address and areas of help needed on the wiki, then send
call for volunteers to members@a.o.

Goal right now is to start to get volunteers involved, come up with list of
priorities, and start being more useful to requests from projects.

I've been reviewing report formats from others, will be adding a bit more
structure to this in coming months, along with several calendar reminders.
Also planning a chat room for more interactive and regularly scheduled
discussions to continue to drive movement.

Stats for August, 2019:
 * 1 still open Jira ticket (Intention is to move LEGAL-383 to PRIVACY)
 * 0 closed issues

1: https://lists.apache.org/thread.html/6ac38660931f60d3634aaab569967c5261004c78ff070a56a1be3655@%3Coperations.apache.org%3E
2: privacy@apache.org - 1 person has already organically found and subscribed.
3: privacy-discuss@apache.org
4: https://issues.apache.org/jira/projects/PRIVACY/issues
5: https://cwiki.apache.org/confluence/display/PRIVACY/Home

21 Aug 2019 [John Kinsella / Joan]

There has been no report from the VP.

Activity: I have kicked off call for volunteers on board@ and reached out to
incumbent VP today 21-Aug

Next steps: Engage volunteers and agree definition of done, define next
steps/mechanism to clarify the role, report back to the board.

danny@

17 Jul 2019 [John Kinsella]

A report was expected, but not received

19 Jun 2019 [John Kinsella]

A report was expected, but not received

15 May 2019 [John Kinsella / Roman]

Working on setting up structure for data-privacy. Modified
personnel-duties/vp-data-privacy.txt, will update further once mailing lists
are set up. Stalled on setting up mailing lists as I was going to start
conversation on legal ML first, but just going to create lists and run with
it.

Working on syncing up with others who have worked on data-privacy matters over
the last year and talked to counsel. Once that's accomplished, will stat work
to review data privacy policy and engage with projects looking for assistance.

Stats for April, 2019:
 * 2 open Jira tickets
 * 0 closed issues

17 Apr 2019 [John Kinsella]

A report was expected, but not received

20 Mar 2019 [Chris Mattmann]

A report was expected, but not received

20 Feb 2019 [Chris Mattmann]

A report was expected, but not received

16 Jan 2019 [Chris Mattmann]

A report was expected, but not received

19 Dec 2018 [Chris Mattmann]

A report was expected, but not received

21 Nov 2018 [Chris Mattmann / Shane]

The RFC period is underway for our draft privacy policy. Several members and
VP infrastructure have weighed in. I will continue to collect feedback through
the CY, and publish the draft in Jan 2019 with whatever feedback and comments
received by then. Keep them coming.

17 Oct 2018 [Chris Mattmann / Rich]

This month we will send an RFC to the board and legal on our updates to the
ASF data privacy policy that VPs Infrastructure and Privacy worked on. The
draft is currently in GDocs and we should move it to a draft ASF page on the
web site.

19 Sep 2018 [Chris Mattmann / Isabel]

Nothing much to report this month other than still working on the Privacy
Draft. For those interested, contact myself or VP, Infra to see a draft.

15 Aug 2018 [Chris Mattmann / Phil]

VP, Infra, VP, Data Privacy & Legal, and our counsel had a telecon on 7/19 and
discussed ASF strategy with respect to the EU's General Data Protection
Regulation (GDPR).

We have decided to continue with our updates to the infrastructure
team's mail archival policy and our policy and procedures for how we deal
with removal requests. The policy updates are currently under review by
Legal, and Data Privacy and we expect to publish them in the next month.

We have received a few GDPR requests, with only one current request being
actively worked, and few queued as far as I can tell (less than 5).