My understanding (and I am not a lawyer) is that under European data protection law the important thing is to obtain user consent for this; I think there's a very reasonable argument that informing the user that you collect telemetry and that if they wish to avoid this they should just build their own copy of the software (which provides a very easy-to-access opt-out which should satisfy everyone).
Although EU privacy and technology regulation is generally pretty ok, this seems to be one of those cases where their lack of technical skill or knowledge really shines through (other examples include the endless cookie banners and https://www.euronews.com/next/2024/07/22/microsoft-says-eu-t...)
Consent needs to be freely given; you can't nudge users into it and you can't hold access ransom over it. There's no way what you're suggesting would fly.
I don't think a "reasonable person" from the perspective of a court (non-developer, non-technical, end-user) can be expected to know (or even learn) how to compile software in this way, not to mention other downsides it has (like lack of updates and the possibility of creating new bugs), so I don't think this would be allowed, but it's up to a judge to decide on a case-by-case basis, not us armchair experts.
"Click yes to consent and continue installation, click no to exit the installer and be redirected to a manual on how to build your own copy" would be in violation of the "consent must be freely given" stipulation of the GDPR.
You are more likely to get a regulator to agree to a version without consent (by minimizing personal data and arguing that your legitimate interest outweighs the weight of the little PII) than getting them to agree to your hostage situation.
I don't know how American data protection laws work in this sense, I've only read up on the GDPR. I don't think American data protection laws are any more strict than their European counterparts though.
You don't need to share this information for Manjaro's software to do its work so it's not necessary for the product. If it's strictly necessary, they may need to inform EU users, but don't need consent.
The edges of the law are pretty sharp. There are a few reasons for which data may be collected without consent, and "I want to see what kind of computers visit my website" isn't one of them. Most of the time, you'll need explicit consent (can't hide consent in the EULA or T&C).
This goes for anything containing PII. And, for the record, an IP address is considered PII in many cases. Pseudonyms also don't protect you.
Even with consent, collecting PII like this also adds a ton of extra overhead (suddenly you need to encrypt your database, serve information/correction/deletion requests from the people you've collected data about, not being allowed to host such data in the US, etc.) to the point I wouldn't even bother collecting this info from EU users. Foreign companies break the GDPR all the time and very few of them ever get fined, but when it comes to communities trying to do the right thing, the GDPR rightfully succeeds in making data collection expensive.
Manjaro doesn't have region-specific ISOs, so it sounds like this will end up being the global policy. However, international compliance isn't something every developer is aware of, so it may take time before the project releases a compliant version.
IMO asking for consent (or not collecting data at all) is always the right move, regardless of legal obligations. Might as well just ask everyone for consent.
bombela|1 year ago
MS Windows with CrowdStrike BSOD'd for American airlines on American soil, after all.
_heimdall|1 year ago
Either way, I expect Manjaro's collection would be an issue if it's opt-out; just curious how the edges of that law are defined.