#1 2024-08-14 04:43:28

SeaBee61
Member
From: Frederick MD, USA
Registered: 2024-08-14
Posts: 2

How to comply with EU Data Protection Laws [SOLVED]

Hello, I have nearly completed writing a GPL3 open source program using C++ and Qt6 and I intend to include it in the Arch Linux AUR.  This program will probably be called "Chemical Calculator" or something closely related.  This program is intended for scientists and laboratory personnel as it calculates the amount of chemicals needed for mixing solutions.

I recently added a feature that allows the user to type in the name of the chemical and obtain the molecular weight from an online database, PubChem, run by the US government.  I do not collect any data at all, but the program sends the user's IP address and the chemical name to the PubChem database for a search, which returns data back to the program, which then extracts the molecular weight of the chemical.

Now I am concerned that this feature may need notifications and a way to opt-out of sending this data in order to comply with EU Data Protection Laws, and/or best practices.

The Chemical Calculator program uses a PubChem interface called "Entrez" which allows scripted queries for fast, well-formatted responses (about 1 second), but the user never sees the PubChem website this way and any privacy policy on their website is not seen.

Question 1) Is an IP address alone considered "personal data" in the EU or elsewhere?  What about an IP address plus chemical name?

Question 2) What are your opinions about the best practices on how and where to do notifications and opt-outs.  Should I just do it once on the first startup or do I need to notify every time before data is transferred?  Or can I just put the notification in the help section with directions to opt-out?

Question 3) Can I set the default to allow this data transfer to happen unless the user opts-out, or should the default be no data transferred unless the user opts-in?

Last edited by SeaBee61 (2024-08-15 01:45:31)

#2 2024-08-14 04:48:13

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,339

Re: How to comply with EU Data Protection Laws [SOLVED]

I have no legal expertise whatsoever but a quick search confirms that a user's public IP address does fall under the remit of the GDPR: https://www.dbswebsite.com/blog/ip-addresses-gdpr/
#3 2024-08-14 08:16:38

seth
Member
Registered: 2012-09-03
Posts: 59,039

Re: How to comply with EU Data Protection Laws [SOLVED]

You're sending your WAN IP to any host when you ping it…
The user needs to be aware that you're querying an external source, not because of any EU legislation but out of courtesy.
Since it's likely not an expected behavior ("wait, what? ping makes an online query??!!") in your software, I'd inform them when they try to invoke the feature, along with a checkbox that says "Ok, got it. Please don't spam me again with that".

#4 2024-08-15 01:56:57

SeaBee61
Member
From: Frederick MD, USA
Registered: 2024-08-14
Posts: 2

Re: How to comply with EU Data Protection Laws [SOLVED]

Thanks for your replies.  I'm going to mark this thread as SOLVED.

I think I will have the user opt in or opt out (of the data transfer) on the first use of the program, and allow them to change it at any time.  After all, it is their computer and they should have full control over any data transfers.

#5 2024-11-23 22:46:09

Nikolai5
Member
From: North West, England, UK
Registered: 2024-01-27
Posts: 185

Re: How to comply with EU Data Protection Laws [SOLVED]

I don't know exactly what qualifies as personal data in your instance, that is something for you to interpret alongside the guidance.

This is a useful resource: https://ico.org.uk/for-organisations/

The user should be opting in, not opting out. They must perform an action to opt in, rather than having to perform an action to opt out.
There is, however, a common loophole in which an opt-out box is used with confusing double negatives, but that's a gray area. Really it is supposed to be opt-in.

You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions.

The UK GDPR does not specifically ban opt-out boxes but they are essentially the same as pre-ticked boxes, which are banned. Both methods bundle up consent with other matters by default, and then rely to some extent on inactivity. They also increase the likelihood of confusion and ambiguity.

The usual reason for using opt-out boxes is to get more people to consent by taking advantage of inaction – but this is a clear warning sign of a problem with the quality of the consent. You should instead use specific opt-in boxes (or another active opt-in method) to obtain consent.

Last edited by Nikolai5 (2024-11-23 22:48:14)
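A worked example of the opt-in gate the thread settles on (added here as an illustration; it is not code from Chemical Calculator or from any of the posters). A std::map stands in for QSettings so it builds without Qt; the key name, the consent-version scheme, the FakePubChem lookup table and the injected fetcher signature are all assumptions made for the example. The two properties worth carrying into a Qt port are that a missing or unparseable setting is treated as "no consent" (so the default really is no transfer), and that the check sits at the point where the network call is made rather than only in the dialog code.

```cpp
// Added example (not Chemical Calculator's code): a consent gate for an
// online lookup. The network call can only happen after the user has
// actively opted in, and consent can be withdrawn at any time.
// A std::map stands in for QSettings so the example builds without Qt.
#include <cassert>
#include <functional>
#include <iostream>
#include <map>
#include <optional>
#include <string>

// Bump this whenever what is sent, or where it is sent, changes. Consent
// recorded under an older version does not count, so the user is asked again.
constexpr int kConsentVersion = 1;

// Hypothetical settings store; the real program would use QSettings.
using Settings = std::map<std::string, std::string>;

// Default-deny: a missing or malformed key is "no consent", never "yes".
bool onlineLookupAllowed(const Settings& s) {
    auto it = s.find("online_lookup/consent_version");
    if (it == s.end()) return false;
    try {
        return std::stoi(it->second) == kConsentVersion;
    } catch (...) {
        return false;
    }
}

// Call this only from the handler of an explicit user action (an unchecked
// "Allow online lookups" box that the user ticked and then confirmed).
void recordOptIn(Settings& s) {
    s["online_lookup/consent_version"] = std::to_string(kConsentVersion);
}

// Withdrawing consent removes the key rather than writing "0", so the store
// never holds a value that a later parser could misread as consent.
void recordOptOut(Settings& s) {
    s.erase("online_lookup/consent_version");
}

// The transport is injected so the gate logic can be exercised offline.
// Only the chemical name is passed; the caller's IP is sent by the network
// stack regardless, which is exactly why the gate exists.
using Fetcher = std::function<std::optional<double>(const std::string& chemical)>;

// Distinguish "blocked by consent" from "network returned nothing" so the UI
// can show the right message instead of a generic failure.
enum class LookupStatus { Ok, ConsentRequired, NotFound };

struct LookupResult {
    LookupStatus status;
    std::optional<double> molecularWeight;
};

// The gate lives at the call site, so no UI path can reach the network
// without consent being checked first.
LookupResult lookupMolecularWeight(const std::string& chemical,
                                   const Settings& settings,
                                   const Fetcher& fetch) {
    if (!onlineLookupAllowed(settings)) {
        return {LookupStatus::ConsentRequired, std::nullopt};
    }
    auto mw = fetch(chemical);
    if (!mw) return {LookupStatus::NotFound, std::nullopt};
    return {LookupStatus::Ok, mw};
}

// Constructed stand-in for the PubChem query: a fixed table plus a counter,
// so the example can show that nothing is sent before opt-in.
struct FakePubChem {
    int requestsSeen = 0;
    std::optional<double> operator()(const std::string& chemical) {
        ++requestsSeen;
        static const std::map<std::string, double> table = {
            {"sodium chloride", 58.44}, {"glucose", 180.16}};
        auto it = table.find(chemical);
        if (it == table.end()) return std::nullopt;
        return it->second;
    }
};

int main() {
    Settings settings;            // fresh install: nothing stored yet
    FakePubChem pubchem;
    Fetcher fetch = std::ref(pubchem);

    auto r = lookupMolecularWeight("glucose", settings, fetch);
    assert(r.status == LookupStatus::ConsentRequired && pubchem.requestsSeen == 0);

    recordOptIn(settings);        // user ticked the box and confirmed
    r = lookupMolecularWeight("glucose", settings, fetch);
    assert(r.status == LookupStatus::Ok && *r.molecularWeight == 180.16);

    recordOptOut(settings);       // user withdrew consent later
    r = lookupMolecularWeight("glucose", settings, fetch);
    assert(r.status == LookupStatus::ConsentRequired && pubchem.requestsSeen == 1);
    std::cout << "consent gate behaves as expected\n";
}
```

In the Qt version, recordOptIn would be wired to the dialog's accept signal and the checkbox would start unchecked, matching the ICO guidance quoted above that pre-ticked boxes and default settings cannot stand in for consent.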