Open
Bug 1459489
Opened 7 years ago
Updated 5 years ago
Bugzilla should conform to GDPR (EU General Data Protection Regulation)
Categories
(Bugzilla :: Bugzilla-General, enhancement)
NEW
People
(Reporter: LpSolit, Unassigned)
References
(Depends on 2 open bugs)
If I understand the European Union General Data Protection Regulation (GDPR) correctly [1], Bugzilla users should be allowed to delete their account (bug 392184), but bugs they reported and comments they wrote can stay. Could someone with better skills in the GDPR confirm?
I don't know if bug 392184 is all that is needed to conform to the GDPR. Maybe bug 218917 is required too? But this one is already fixed in Bugzilla 6.0, which is good.
[1] http://www.privacy-regulation.eu/en/article-17-right-to-erasure-'right-to-be-forgotten'-GDPR.htm
Reporter
Updated•7 years ago
Summary: Bugzilla should conform to GDRP (EU General Data Protection Regulation) → Bugzilla should conform to GDPR (EU General Data Protection Regulation)
Comment 1•7 years ago
You'd need to have some way for Mozilla to respond to data subject access requests (https://gdpr-info.eu/art-15-gdpr/) which require you to disclose all of the data you hold about an individual, not just in Bugzilla but in Mozillians and any and all databases that hold personally identifiable information. Even IP addresses are personally identifiable information so you might find that you would need to include server logs.
Reporter
Comment 2•7 years ago
This bug is really about Bugzilla itself, not BMO nor any Mozilla-related stuff.
Comment 3•7 years ago
I would like to entertain the idea of back porting the resulting changes here on all supported branches to include in a release by May 25 if possible. My understanding is that BMO already has something in the works for this, so hopefully they'll share. I believe BMO's is an admin tool to make it easy on the admin side. I don't believe the directive requires self service, it just requires it be done on request. That said, if someone does a self-serve I've got no objection to including it with an admin pref.
Comment 4•7 years ago
Bug 392184 can probably be handled by porting bug 1171806. I'll be talking to Mozilla legal people about requirements for BMO, but I'll broaden the question to figure out what we need to do upstream.
Even if not for this we need a new point release this month.
The specific question I'm going to ask is if we need to anonymize author names/emails in comments. Let me know if there's more nuance required for upstream.
Bugzilla STILL doesn't conform to GDPR. Is there another more up to date bug I've missed?
My main issue is that my email address is leaked to anyone and everyone and there are zero privacy options.
I think we can demand account deletion. Mozilla does not have rights to store data anymore since we decided to leave the system.
Comments from European Commission:
Nothing of that is actual for bugzilla accounts:
- the personal data your company/organisation holds is needed to exercise the right of freedom of expression;
- there is a legal obligation to keep that data;
- for reasons of public interest (for example public health, scientific, statistical or historical research purposes).