GDPR: European Data Protection

This is the twenty-second post in the 2017 FastMail Advent Calendar. The previous post was about our new monitoring infrastructure. In the next post we meet Rik, our intrepid CTO.


Some of you may already be aware of the upcoming GDPR legislation. We’ve certainly been getting support tickets and the occasional tweet asking about our plans.

General Data Protection Regulation

The GDPR is a European regulation which affects the processing and collection of data about all European residents, no matter where they are in the world, as well as data about any human physically present in Europe, regardless of residency.

In short – the GDPR affects almost everybody in the world, since Europeans are prone to traveling. It definitely affects FastMail, which sells its services worldwide and has many customers in the EU.

The big scary part of the GDPR is the fines for non-compliance – 4% of global revenue or $20,000,000 per offense, whichever is greater. They’re not playing around.

FastMail’s products have features that make us both a data controller and a data processor under the definitions of the GDPR.

The GDPR takes force on 25 May 2018, and FastMail intends to be ready.

Australian advice

Australia already has very strong privacy laws, which we take seriously. The Office of the Australian Information Commissioner gave guidance about GDPR for Australian businesses earlier this year, which details similarities and differences between the two laws.

The good news is that we can be GDPR-compliant without a conflict of law. Sadly this isn’t always the case in international law – there are cases where every option available to a person amounts to a crime somewhere in the world.

In this case, it looks like Australia will be following Europe’s lead, with new laws like the Notifiable Data Breaches scheme coming into effect next year.

Interesting questions

While most parts of the GDPR are good and we implement them already, the European right to be forgotten raises interesting questions about who owns information about a person. Fairly clearly for our FastMail product, the private mailbox of a person is their own personal electronic memory and an email you sent somebody doesn’t count as personal data that we, FastMail the company, hold about you. You shouldn’t be able to take that email back, certainly not just by asking us to do it.

On the other hand, Topicbox groups can be public. Clearly public group archives could be abused to host spam, phishing, or other nasties. The exact same issue already exists for files published as user websites.

Published information might need to be taken down - due to terms of service violation, DMCA request, GDPR-covered privacy request, or any other legal method. The tension between maintaining an accurate immutable record and allowing permanent removal of material that should never have been published is very real.

Finally, backups contain data for a time after it’s been deleted. Shredding every copy of something is actually really tricky, and guaranteeing that every possible copy has been removed is a tradeoff as well. I have personally dealt with an account for somebody who had obtained power of attorney for his father, who was no longer able to remember very well. The father’s email account at FastMail had been unused and unpaid for long enough that it had expired and the backups had been removed. It was very hard to tell this person that they had lost important family data – for somebody who had been a loyal FastMail customer for 10 years, no less.

Shredding backups is not always the right choice. We now keep backups longer for lapsed accounts (those where the user has not explicitly asked us to delete anything) than for accounts where the user chooses to close the account. And yet … I've still had ex-users ask if I can dig up an old backup because they forgot to copy some important message before closing their account!

Supporting FastMail’s values

We blogged last year about our values. The GDPR’s requirements about privacy and consent to store and use data are very compatible with our values: “Your data belongs to you” and “We are good stewards of your data”.

We’re working on our support processes to make consent more explicit if we access your account to help you with an issue. As we audit our processes for GDPR next year, we will continue to focus on practical and usable methods to maintain our customers’ privacy.