As many people know the EU’s GDPR regulations come into effect on May 25th. While Monal is privacy focused, it is also free, open source and run by a single person — me. I simply do not have the resources or the time to jump through the regulatory hoops required by the EU. While I do not live in the EU, I frequent Europe and do not want to get into legal trouble on vacation. As GDPR approaches, I get the impression that it is an end of an era for the internet. The days of someone making something, putting it on the internet and offering it to the world seem to be over. EU users can always download the source on GitHub and compile the iOS app but they will be blocked from using push when I deploy it.
The problems below are likely not unique to me and there are many other issues. Other open source projects may want to consider their fate under GDPR as well.
Data Protection Officer
I do not have the resources to hire a Data Protection Officer (DPO) or EU Representative as required by GDPR. I do not have designated EU contacts.
Tracking crashes with Crashlytics introduces new issues because it is posted to Fabric from a user’s device, IP addresses are in the logs this is personally identifiable information (PII). Crashlytics is GDPR compliant but the burden is on me to show regulators that I am compliant points back to the need for DPO.
Even though no message traffic passes through Monal’s sever, registering for a push does make an HTTP call which logs a user’s IP and this requires GDPR compliance. APNS push tokens are associated with devices which can be traced back to a user if combined with info on the originating XMPP server. Obviously, this is needed for a notification to be delivered to the right person. However,the fact that it can be combined to identify a person makes it PII. I believe in privacy but I do not have the resources to meet the letter of the law for compliance especially with respect to retention and processing these tokens.
XMPP Federation in General
Honestly, I do not know if XMPP federation is legal anymore in the EU with GDPR. EU user data is sent out of Europe constantly. GDPR is written such that a user cannot agree to a user agreement that gives up GDPR requirements it’s not a matter of saying you agree to X by using this service. GDPR compliance is something the XSF is talking about right now.