#285 What is (or the expected) the policy for minors using the service?

Closed
opened 1 month ago by kreyren · 21 comments
kreyren commented 1 month ago

Currently the ToS doesn’t mention minors, which is likely problematic for many countries, i.e. the US, which requires compliance with COPPA (https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act).

How do you want to handle this situation?


Recommendation

Personally I don’t think we should prevent them from using the service, as this service is a great opportunity for them to learn about computer science and programming, but we can’t really store their personal information in a database without their guardian’s written permission.

Couldn’t we implement some kind of access token (to make the e-mail not mandatory, as that is arguably personal information depending on the e-mail used) for these scenarios, so that they wouldn’t be prevented from submitting merge requests?


Worth mentioning

If we make the service usable for minors then the content should be regulated appropriately, though I generally don’t like policing from the maintainers.

I recommend implementing a Code of Conduct stating what content is allowed to be public, and allowing the community to assign themselves a role that lets a repository be suspended from public view, so that if there is something inappropriate that the Code of Conduct mentions, the repository would be forced private, with the option for the maintainers to invite members into their organization to provide view access.

This proposal makes it harder for some projects to present themselves to the public, so to avoid this we could implement some way of specifying e.g. two README.md files for the project, where one is adapted for minors (censored nudity, appropriately adapted language, etc.) and the other is for accounts that are not minors, which would avoid the requirement to keep the repositories private, assuming that only the README file is an issue.

For the repository content I guess we could make some kind of UI that would allow flagging the relevant files and directories as inaccessible to minors without their guardian’s password or alike.

kreyren changed title from What is (or the expected) the policy for minors using the service? to LEGAL: What is (or the expected) the policy for minors using the service? 1 month ago
kreyren changed title from LEGAL: What is (or the expected) the policy for minors using the service? to LEGAL(FeaReg): What is (or the expected) the policy for minors using the service? 1 month ago
kreyren commented 1 month ago
Poster

FWIW I wouldn’t personally mind teaching a minor how to contribute to my software, but others might not find it worth their time, so maybe we should implement a way for repository maintainers to ban contributions from minors?

fnetX commented 1 month ago

One thing I love on the Internet is that you are somewhat anonymous. When I contribute somewhere, all that counts is my contribution and not my age, gender etc. So I strongly disapprove of any idea to ban users based on something like that. You can’t ban minors that have been coding for years but allow older people who are new to software development to contribute. That’s unfair.


It may be worth noting that it is part of our goals laid out in the bylaws to provide equal opportunity for access to education and knowledge.

kreyren commented 1 month ago
Poster

> You can’t ban minors that are coding for years but allow older people who are new to software development to contribute. @fnetX

Note that minors include people below 13 years old, who sometimes take a lot of project resources to be able to contribute and who might abandon their contribution at any time for reasons like “I am bored!”.

I agree that the proposed optional ban for repository maintainers shouldn’t apply to these.

kreyren commented 1 month ago
Poster

> One thing I love on the Internet is that you are somewhat anonymous. @fnetX

FWIW the clear internet is not anonymous, as anyone can find out who you are, where and how you are accessing the internet, when, etc.

I’ve proposed a solution to this in https://codeberg.org/Codeberg/build-deploy-gitea/pulls/44

6543 commented 1 month ago
Collaborator

Just a sidenote: Codeberg is EU hosted, not US.

6543 commented 1 month ago
Collaborator

Wikipedia:

> “The act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age including children outside the U.S., if the company is U.S.-based” ...

So we can ignore this entirely.

By the way, the EU has stronger privacy laws: GDPR (https://en.m.wikipedia.org/wiki/General_Data_Protection_Regulation), which Codeberg is, I think, already compliant with.

kreyren commented 1 month ago
Poster

> Just a sidenote: Codeberg is EU hosted not US @6543

DISCLAIMER: This is not legal advice that would create a client-to-lawyer relationship. I am also not confident in the presented information, and as such it should be peer-reviewed.

I was brainstorming this in irc.freenode.net/##law and we came to the conclusion that codeberg.org is accessible to the world, which includes the USA, which explicitly requires compliance with COPPA.

Quoting:

> COPPA applies to personal information collected online by operators of both websites and online services. The term “online service” broadly covers any service available over the Internet, or that connects to the Internet or a wide-area network. Examples of online services include services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online, receive online advertisements, or interact with other online content or services. Mobile applications that connect to the Internet, Internet-enabled gaming platforms, connected toys, smart speakers, voice assistants, voice-over-Internet protocol services, and Internet-enabled location-based services also are online services covered by COPPA. (https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0)

The possible implications of this might be codeberg.org being banned in the US or possibly being subject to a lawsuit (even though there is a good chance that the lawsuit would be dismissed, as the information is strictly functional and non-redistributable).

Reference to the enforcement by the FTC: https://www.ftc.gov/tips-advice/business-center/legal-resources?type=case&field_consumer_protection_topics_tid=246

EDIT: Added reference to the enforcement by FTC

kreyren commented 1 month ago
Poster

Also relevant for the FTC enforcement of COPPA outside of US: https://www.insideprivacy.com/childrens-privacy/ftc-warns-foreign-mobile-app-developer-to-comply-with-coppa/

EDIT: They are a Chinese company operating in the US, so this is not directly relevant to Codeberg’s position

kreyren commented 1 month ago
Poster

Also in Europe, Art. 8 GDPR requires consent by the holder of parental responsibility over the child for children below 16 years old and advises member states to do the same for children over 13 years old (https://gdpr-info.eu/art-8-gdpr/)

kreyren commented 1 month ago
Poster

Also relevant: https://fra.europa.eu/en/publication/2017/mapping-minimum-age-requirements/use-consent

Germany allegedly considers the age of consent for the processing of one’s own data to be 16 years old.

lhinderberger added the question label 1 month ago
kreyren changed title from LEGAL(FeaReg): What is (or the expected) the policy for minors using the service? to LEGAL(FeaReq): What is (or the expected) the policy for minors using the service? 1 month ago
lhinderberger added the legal label 1 month ago
lhinderberger changed title from LEGAL(FeaReq): What is (or the expected) the policy for minors using the service? to What is (or the expected) the policy for minors using the service? 1 month ago
hw commented 1 month ago
Owner

We do not collect nor process data falling under point (a) of Art. 6(1) GDPR.

hw commented 1 month ago
Owner

Out of curiosity: do any of the directly comparable commercial services have a similar option? Can you please provide a direct reference?

With respect to COPPA, what paragraph/section in particular do you refer to, which one would affect us as we do not serve ads, nor track nor collect geolocation data etc?

If there is an actual legal requirement we need to adhere to please be very specific.

kreyren commented 1 month ago
Poster

> Out of curiosity: do any of the directly compareable commercial services have a similar option? Can you please provide a direct reference?
>
> If there is an actual legal requirement we need to adhere to please be very specific.

https://www.gitpod.io/terms/ owned by https://www.typefox.io/imprint-privacy/

https://privacyportal.husqvarnagroup.com/de/privacy-notice/

> Our website is not aimed at minors, and we do not knowingly collect personal data from minors (except applicants).
>
> If persons under 16 years of age transmit personal data to us, this is only permitted if the legal guardian has consented themselves or has approved the minor’s consent. For this purpose, the contact details of the legal guardian must be provided to us in accordance with Art. 8(2) DSGVO, so that we can satisfy ourselves of the guardian’s consent or approval. These data, as well as the minor’s data, are then processed in accordance with this privacy policy.
>
> If we discover that a minor under 16 years of age has sent us personal data without the legal guardian having consented or having approved the minor’s consent, we will delete the data immediately.


FWIW I am 99% sure that you can’t legally collect the data of children younger than 16 years old without permission of the person with parental responsibility over said individual, assuming that Germany is part of the European Union, where they have to comply with Art. 8 GDPR, which should be mentioned in https://www.gesetze-im-internet.de/englisch_bdsg/ that even states it as one of their tasks: “promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data, paying special attention to measures specifically for children;”

But I am either blind or it doesn’t mention it, so currently I am taking a pie on it (https://www.youtube.com/watch?v=oqGU1DkaA0M) and waiting for my German friend to wake up and bother his friend to bother his friend who is a German lawyer, to provide an answer that I am happy with; currently tracked in https://codeberg.org/kreyren/kreyren/issues/10

kreyren commented 1 month ago
Poster

> We do not collect nor process data falling under point (a) of Art. 6(1) GDPR. @hw

DISCLAIMER: Still not confident in the information provided, as said in the comment above, so don’t take me seriously as of yet.

FWIW you are processing e-mail and optionally name and surname, which I believe is ‘personal data’ beyond reasonable doubt as defined by https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0365

which requires consent as mentioned in Section 51 of the Bundesdatenschutzgesetz https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.html#p0413

> If personal data may be processed by law on the basis of consent, the controller must be able to present evidence of the data subject’s consent.

My best guess is that who can give such consent, and how, is defined in a different law somewhere (or I am blind).

kreyren commented 1 month ago
Poster

DISCLAIMER: This is not legal advice that would create a lawyer-to-client relationship, and it is provided “as-is” to the maximum extent permitted by the law.

@hw

So apparently German companies (like the provided Husqvarna https://privacyportal.husqvarnagroup.com/de/privacy-notice/) are legally bound by the DSGVO https://dsgvo-gesetz.de/, which is a translation of the GDPR into German that is directly enforceable [https://en.wikipedia.org/wiki/Direct_effect_of_European_Union_law#Regulations], which is why the BDSG https://www.gesetze-im-internet.de/englisch_bdsg/ does not mention it directly, as they chose not to derogate [https://www.betterinternetforkids.eu/web/portal/practice/awareness/detail?articleId=3017751#DE] from DSGVO Art. 8 (https://dsgvo-gesetz.de/art-8-dsgvo/), which sets the age of consent for processing one’s own data at 16 years old, which puts you on the hook as explained on https://gdpr-info.eu/issues/fines-penalties/.

^This is what I was told by the lawyer, who asked not to be quoted.

I recommend verifying this information with your legal representative, and if confirmed then you should consider implementing the Terms of Service appropriately and the recommended checkbox in #286 (https://codeberg.org/Codeberg/Community/issues/286), and if you are aware of a user who is below this age then you should remove their account (there should be a process in place so that they can migrate their repositories, i.e. replacing the e-mail, name and surname with random gibberish and giving them X amount of days to migrate their data). Additionally I am proposing implementing a white paper that the child can give to the person who has parental responsibility over them, to give us consent to use the information.

Said white paper should be parent-friendly so that they don’t freak out and throw it away when they see it.

kreyren commented 1 month ago
Poster

FWIW, to elaborate on the confusion about the effect of European law: I am Czech and I was taught to consider the GDPR as somewhat of a reference for lawmakers to implement the law locally, as in the Czech Republic we have 11/2019 Sb. § 7 that explicitly specifies that children can consent above 15 years of age, but I was told by multiple people (and the lawyer who taught me that apologized, as I was literally calling them at 4:30 AM to verify this, and said that I was right) that European law is effective Europe-wide.

kreyren commented 1 month ago
Poster

> With respect to COPPA, what paragraph/section in particular do you refer to, which one would affect us as we do not serve ads, nor track nor collect geolocation data etc? @hw

DISCLAIMER: This is not legal advice that would create a lawyer-to-client relationship, and it is provided “as-is” to the maximum extent permitted by the law.

AFAIK it’s irrelevant that you do not serve ads nor track the end-users, as name, surname and e-mail are considered private information, but I can verify if you want (I am taking a pie on reading anything legal atm because I read the BDSG like 3 times and my head hurts af)

EDIT: I hate myself too much already, let’s research...

So the full thing is allegedly on https://www.ftc.gov/system/files/2012-31341.pdf ... and they don’t have a way for a legal quick read... nice... They have a summary though...

> The COPPA Rule, 16 CFR part 312, issued pursuant to the Children’s Online Privacy Protection Act (‘‘COPPA’’ or ‘‘COPPA statute’’), 15 U.S.C. 6501 et seq., became effective on April 21, 2000. The Rule imposes certain requirements on operators of Web sites or online services directed to children under 13 years of age, and on operators of other Web sites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age (collectively, ‘‘operators‘‘)

In summary, the law is applicable to anyone who is an operator of a web site that knowingly processes personal information of children under 13 years of age (I believe that would apply to you beyond reasonable degree if you were a US-based company).

> Web site or online service directed to children to clarify that the Rule covers a plug-in or ad network when it has actual knowledge that it is collecting personal information through a child- directed Web site or online service; Web site or online service directed to children to allow a subset of child- directed sites and services to differentiate among users, and requiring such properties to provide notice and obtain parental consent only for users who self-identify as under age 13;

So if you had someone who self-identifies as under 13 years of age, then you need to get consent from the person who holds parental responsibility over them. Basically the same as GDPR Art. 8, in my humble and uneducated opinion on the subject.

kreyren commented 1 month ago
Poster

> https://codeberg.org/Codeberg/Community/issues/285#issuecomment-81827

Also, when it comes to COPPA, as far as I was told the FTC contacted them because they were using a US-hosted service (allegedly Google Play) for their Android application.

hw commented 1 month ago
Owner

Let’s read the text carefully before jumping to conclusions:

  • GDPR applies to all EU member states equally and directs local legislation. Both GDPR/DSGVO and BDSG put children under special protection, “as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child”. Other laws may or may not apply and add additional restrictions.
  • Personal data is pretty much everything relating to a person, including name, email, etc.

GDPR Article 6 elaborates Lawfulness of processing. This is the list of legitimate use cases; all that is not listed is forbidden.

> Article 6
> Lawfulness of processing
>
> 1. Processing shall be lawful only if and to the extent that at least one of the following applies:
>
> (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
> (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
> (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
> (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
> (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
> (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

So generally, data processing is considered lawful, iff it is either necessary under very strict conditions in one or more of the listed cases (due to contract or due to law or due to public interest), or, due to explicit consent an individual is giving to a data processor.

One can legitimately argue that Codeberg e.V. is storing and processing data according to (c), (d) and (e), because we:

  • We ask users to create a profile so that origin of content is identifiable and transparent, and enables compliance with law and vital interests of data subjects and other persons, this is (c) and (d).
  • Codeberg e.V. is an acknowledged “gemeinnütziger Verein” (non-profit NGO serving the public interest). To be able to carry out the tasks needed to achieve the bylaw objective, we need to ensure stability and reliance of the platform. For this we are logging incidents according to our Terms of Use. Also we cooperate with official authorities where necessary. This is (e).

If we would for example track users, serve ads, (...insert other commercial interests here...), Article 6(1)(a) would require us to get consent for data processing to be legal. But we don’t process any data for purposes that require consent.

Now move on to Article 8 (“Conditions applicable to child’s consent..."). Article 8(1) starts with the sentence:

> Article 8
> Conditions applicable to child’s consent in relation to information society services
>
> 1. Where point (a) of Article 6(1) applies [...]

As point (a) of article 6(1) does not apply (no data processed that requires consent), the entire paragraph (applicable to child’s consent) does not apply.

Hope that settles the question with respect to GDPR. If we get notified that there are other applicable regulations we need to adhere to, we will appropriately adjust service.

Please open a separate issue for COPPA iff there is strong evidence that this is applicable, citing and/or linking (short, brief! and precise) the relevant section only.

hw closed this issue 1 month ago
kreyren commented 1 month ago
Poster

DISCLAIMER: This is not legal advice that would create a lawyer-to-client relationship, and it is provided “as-is” to the maximum extent permitted by the law.
DISCLAIMER: I am quite tired as I was working on this for 5 hours, so the quality of the provided info might be lower.

> GDPR applies to all EU me... @hw

Provide reference to the quote

> Personal data is pretty much everything relating to a person, including name, email, etc. @hw

Not necessarily related. A better summary would be any data that can be used to identify the person (note that IP addresses and cookies may also be relevant).

See BSDG Section 46 (Definitions) point no. 1.

> So generally, data processing is considered lawful, iff it is either nece... @hw

I am quite confident that you are misrepresenting the text, as nothing but GDPR Art. 6 (a), to my knowledge, grants you the legal permission to process the personal information of the data subject.

Namely in your example processing ads and commercial use -> data subject has to give you the consent

Same would apply for any other information that can be used to identify the data subject as explained by BSDG Section 46 (Definitions) point no. 1.

So to collect the personal information of a person younger than 16 years old you need their consent -> They don’t have the legal right to give you such consent, as explained by GDPR Art. 8 point 2, so you have to get consent from a person who has parental responsibility over them.


You also mentioned:

> We ask users to create a profile so that origin of content is identifiable and transparent, and enables compliance with law and vital interests of data subjects and other persons, this is (c) and (d).

Seems sane to me to collect the data to verify that the data subject is older than 16 years old, as you are legally obligated by GDPR Art. 6 (a).

In practice i don’t see how you want to perform that.. Making some kind of form prior to the registration form? Or do you want to collect the birthday of the data subject?

> Codeberg e.V. is acknowledged “gemeinnütziger Verein” (non-profit NGO serving the public interest). To be able to carry the tasks needed to achieve the bylaw objective, we need to ensure stability and reliance of the platform. For this we are logging incidents according to our Terms of Use. Also we cooperate with official authorities where necessary. This is (e).

Based on the information further provided, I believe that you are misinterpreting public interest.

See BDSG Section 22 (Processing of special categories of personal data) point no.1 (c) and (d):

> c) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; in addition to the measures referred to in subsection 2, in particular occupational and criminal law provisions to ensure professional secrecy shall be complied with; or
> d) processing is urgently necessary for reasons of substantial public interest;

I could trust you that d) applies to Codeberg e.V. but i doubt you will be able to convince the Federal Commissioner with that especially when i don’t see a strong defense for urgent need of such processing.


In case it’s not obvious:

> (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

Meaning that if there is a law that requires you to process the data, you process it the way that is specified within the law.. I don’t know of any other law than the mentioned one in which the process of processing has been outlined.

> (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

I don’t see how your argument applies to this.

Note that in the relevant law you are identified as controller, operator and/or data processor.

Data subject == Your users

or of another natural person == an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; [BSDG section 46 (Definition) no. 1.]
