Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenShot and the GDPR? #1626

Closed
ferdnyc opened this issue May 30, 2018 · 5 comments
Closed

OpenShot and the GDPR? #1626

ferdnyc opened this issue May 30, 2018 · 5 comments
Labels
question A general question about OpenShot or how to use it. Or visit www.openshot.org/forum/

Comments

@ferdnyc
Copy link
Contributor

ferdnyc commented May 30, 2018

IANAL, but given the flurry of activity over the new GDPR regulations lately, it seems possible to me that OpenShot's metrics collection could warrant some sort of action for European users. Whether it's simply the addition of additional language (whether in the OpenShot help document / About window / opt-in tutorial popup / etc) to more explicitly outline data collection practices, or what have you.

Has anyone looked into that, preferably in consultation with someone who actually IAL?

@peanutbutterandcrackers
Copy link
Contributor

Thank you for pointing this out. I have just posted this on the slack channel. Hope this will be addressed before v2.4.2.

@peanutbutterandcrackers
Copy link
Contributor

So, it seems that the metrics to not have any personal identifiable info and the ip is also anonymyzed. And an opt-out is provided during the first launch of OpenShot (the checkbox in the tutorial window). So, that is that. But Mr. Thomas said he is going to look into updating the privacy policy, if that is needed.

Hope that answers this question. :)

@philiplb
Copy link

philiplb commented Jun 4, 2018

Hi, I recently had to deal with this, so my 2c:
In general, you need the consent of the user by informing him upfront who you are exactly, what exact data you collect, whom the user can reach in case he wants it to be send to him or deleted, how he can get out.
This needs to be opt-in and is the privacy policy.
On the other side, there can be the "eligible/justificable interest" (berechtigtes Interesse, I translated literally) of the company. You have your reasons to collect this data and you have a privacy policy (stating above things), anonymized IPs and an opt-out. So it should be the case that your interest has a higher weight than the one of the user. This balance is here is very similar to Google Analytics or other tracking, so it should be fine.
But those details have to be ruled by the courts, no one knows currently how this turns out.

@DylanC DylanC added the question A general question about OpenShot or how to use it. Or visit www.openshot.org/forum/ label Jun 4, 2018
@DylanC
Copy link
Collaborator

DylanC commented Jun 11, 2018

@ferdnyc - Hope you don't mind me closing this as answered. I'm sure Mr. Thomas will action this in his own time if he needs to do something.

@philiplb - Thanks for providing your 2 cents on the matter.

@DylanC DylanC closed this as completed Jun 11, 2018
@ferdnyc
Copy link
Contributor Author

ferdnyc commented Jun 12, 2018

Yeah, that's fine. I mean, ultimately it's really only a concern for OpenShot Studios the company, I just wanted to be sure the issue was brought up.

@philiplb touched on my main concerns, which were

  1. That we're opt-out rather than opt-in, but it sounds like that's justifiable given that we don't retain any user identifiable data.
    (It's incorrect to say we don't collect any personally identifiable info, because the network connection that delivers the metrics is made from the user's IP address, and the EU considers IP addresses to be personally identifiable information. The metrics can't be received without also receiving the user's IP address. But, if that address is not retained in non-anonymized form in a way that's associated with the collected metrics, then there shouldn't be an issue.)
  2. That the privacy policy isn't presented to the user when they're given the choice to opt out. In fact, it isn't really ever presented to them at all. The user has to take the initiative to seek it out themselves, if they want to examine the privacy policy.

For # 2, I'd feel a lot better about the collection-by-default-with-opt-out behavior being compliant if the Tutorial window where we show the opt-out checkbox included the Privacy Policy right there with it. (Maybe embedded inside a scrolling textbox, it doesn't need to be huge enough to display the whole thing.) Or, failing that, if it at least showed a link to https://www.openshot.org/privacy/ so that the user has the option to read it before deciding whether to opt out or not.

AIUI, and @philiplb 's comments seem to confirm, the GDPR hinges on the notion of "informed consent", meaning you not only have to ask the user's permission but to make them aware of what they're agreeing to. I'm not convinced that OpenShot is really covering the second half of that, as things stand, but like I said it's not really an issue for anyone except those on the business side of OpenShot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question A general question about OpenShot or how to use it. Or visit www.openshot.org/forum/
Projects
None yet
Development

No branches or pull requests

4 participants