Compliance with privacy laws when working with conferences

[thibaudcolas]

👋 I thought this might be more useful for me to raise this here rather than via email. On Conferences – Support for event organizers - Before the event:

We advise that you share the list of attendees with us such that we are able to check it against our list of Code of Conduct offenders. […]

Similarly, before you announce your accepted speakers, you can send us the speaker list to see if any appear on our lists.

We considered doing this as part of DjangoCon Europe 2023 but the DSF Code of conduct committee didn’t seem to us to be set up so this can be done lawfully according to the UK / EU GDPR. Based on my understanding of official UK GDPR guidance by the ICO, the committee (or the organisation the committee is part of) would be considered either a controller, processor, or both.

Specific issues (from my understanding) are:

• Knowing what legal entity the CoC committee is part of, so that entity can be declared by conference organisers as a processor on a privacy policy.
• Knowing how and by which organisations the lists of attendees and speakers are processed, so again this can be declared in a privacy policy
• Having details of any data retention policy / how the CoC committee complies with subject access requests.

After the event

Conferences in the Django community are strongly encouraged to keep reports on all Code of Conduct incidents they handle, and send these reports to the committee after the end of the conference. Reports should include names of people involved and, ideally, a description of the facts determined by the conference team, the review of the incident, actions taken, and responses to actions taken. We also appreciate any screenshots of original slack or twitter messages, or recordings of talks, that show the violation, and copies of message exchanges between the team and any reporters or bad actors.

This side of the committee’s data processing is much better documented and there already are privacy-protecting policies in place, however there are still a few sources of concern as a conference organizer:

• Again knowing what legal entity the CoC committee is part of (is it the DSF? something else?)
• And having a list of data processors for those reports
• Understanding how subject access requests are handled.

---

Again I want to restate the above is all based on my personal understanding of the UK GDPR, and this isn’t my field of expertise. So do take this with a grain of salt!

[jefftriplett]

The committee is part of the DSF, and the DSF President sits on the WG in an advisory role in case that helps. Overall, I think we need to revisit and revise quite a bit of this.

When we revised the PSF's policies (which are different, but some were based on this repo), we were told that GDPR didn't apply possibly because of our org size and some other reasons I'm not remembering. We should probably use this as an excuse to update/revise and get new legal advice.

The second part about reports has firm legal backing both at the DSF and the PSF level from past experience. I believe there was even a case cited where someone harassed someone else and then tried to use GDPR as a defense mechanism for why it couldn't be used in court and it backfired on them (as it should).

I think we should revise policies and address concerns. It's definitely been a while.

[thibaudcolas]

Thanks @jefftriplett, that does help 👍 I did suspect the committee was part of the DSF as it’s referred as such in a few places, but I think I’ve also seen it referred as the "Django" CoC committee too, hence the confusion.

With the caveat that this isn’t my area of expertise – as far as I know there will be exemptions (no need to appoint a Data Protection Officer, potentially ways to opt out of Subject access requests for CoC information involving multiple people), but I’d expect the GDPR to still apply. And even if it didn’t apply to the DSF / CoC committee, it definitely does apply to UK/EU conference organisers in how they handle the personal data of participants, including making sure the CoC committee and any other processor / controller has adequate data protection policies in place.

The second part about reports has firm legal backing both at the DSF and the PSF level from past experience.

That’s exactly the type of thing that would be useful to know! When I asked about this over email, the answer I got was "we don't have any expertise in this area".

[thibaudcolas]

@jefftriplett 👋 I thought I’d check if there’s been movement on this, or if not, what you’d recommend I do to keep the ball rolling? I will be part of the Code of Conduct team for DjangoCon Europe 2024, I’d like to take this further.

Perhaps you could suggest specific contacts at the PSF to follow up on the legal guidance for privacy laws?

Legislation for 2024 edition

DjangoCon Europe 2024 will be in Spain, but with most data processing done by Ad Evolutio (the company of the main organizers), which is registered in Portugal. So we will have to follow either Portuguese or Spanish data protection laws, or both. Which should more or less be direct transpositions of the European Union’s GDPR.

For Spanish legislation, I found these two in particular:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation – GDPR).
• Organic Data Protection Law 3/2018, of 5 December, and guarantee of digital rights.

2024 edition practical steps

There is one practical thing I’d like to see happen for the 2024 edition.

Disclosure of how personal data is used as part of Code of Conduct enforcement

This would be simple information for a "privacy policy" page, so it’s clear we have informed and specific consent from attendees and speakers.

Here is the current draft content:

#### Attendees

For all attendees, we collect personal data when you voluntarily provide such information to the buy ticket services. 

The personal data we may collect includes without limitation your name, email address and any other information that attendees choose to provide and/or that enables attendees to be personally identified. In some cases, we may collect your credit card information (e.g., your credit card number and expiration date, billing address, etc.), some of which may constitute personal data, to secure certain payments.

#### Speakers

If you are a proposal speaker we will need to collect additional personal data from you. And we will requered other information different from your personal data (e.g., a title, a description, abstract, a profile photo, etc.) when you do the submission. This information is essential to select the titles and defined the conference program. 

The DjangoCon Europe 2024 will publicly share the slides from the presentations.

This would need updating. I can come up with some content on my own but it feels like something where I’d expect the DSF CoC committee to advise and ideally make specific recommendations.

Future events

I’d like us to be able to send our list of attendees (and speakers) to the DSF committee, but only if the DSF / CoC committee had a privacy policy including details of data processing, data retention, subject access requests. We will be opening ticket sales for the 2024 edition soon, so I don’t see this being possible for the 2024 edition.

[jefftriplett]

@thibaudcolas I think we should ping the mailing list and get more eyes on it. I think we have ~3 of us in the workgroup and need some more bodies to help. We can also ask the board for assistance in sorting some of this out.

[thibaudcolas]

Sounds good to me! Do you want to initiate that or should I?

[jefftriplett]

@thibaudcolas feel free. I think getting Michael's input and anyone else who is left would be 💯

[thibaudcolas]

I’ve ended up not finding any opportunities to take this further over the year, so I think for DjangoCon Europe 2025 we’ll be in a similar situation (though I’m not planning to be involved with the conference Code of Conduct team this year aside from knowledge handover). Ticket sales are on. The privacy policy wording they went for is:

For handling code of conduct incident reports, we may collect additional information about individuals mentioned in any reports. We may share this information with the Django Software Foundation Code of Conduct Committee. For more information, view our Code of Conduct response guidelines.

The relevant legal framework in Ireland is the EU GDPR and the Irish 2018 Data Protection Act (see Data Protection Legislation overview).

Next steps

I think what I shared above still makes sense. The simplest improvement I think would be to write a list of data processors, or more broadly document data processing by Django / DjangoCon Europe as a data controller. So for example for DjangoCon Europe 2024 as far as Code of Conduct the list of data processors could be something like:

• Pretalx
• Pretix
• Google
• Slack

(then for each of them write their location, use, the data processed there, link to their privacy documentation and list of sub-processors)