Re: [93attendees] Network experiment during the meeting

Leif Johansson <> Tue, 14 July 2015 17:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 69D191AD0B9 for <>; Tue, 14 Jul 2015 10:53:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.039
X-Spam-Level: *
X-Spam-Status: No, score=1.039 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NanhV8NnMDEu for <>; Tue, 14 Jul 2015 10:53:47 -0700 (PDT)
Received: from ( [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9DCCE1AD0A3 for <>; Tue, 14 Jul 2015 10:53:46 -0700 (PDT)
Received: from ( []) by (8.14.4/8.14.4/Debian-4) with ESMTP id t6EHrivw020197 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <>; Tue, 14 Jul 2015 19:53:44 +0200
Received: from ( []) by (8.14.9/8.14.7) with ESMTP id t6EHrflQ001181 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Tue, 14 Jul 2015 19:53:43 +0200 (CEST)
VBR-Info:; mc=all;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1436896423; bh=C2R2qkfQVGSTKTGF9nSOljhZ9jxnPiOl8nOQtQ/Ak1E=; h=Date:From:To:Subject:References:In-Reply-To; b=CFEM4Fl4AtQhwLsZGHPTO2Ff0GhD1cvOfOgjhh5oEIe8ehH4cpNEK7BwKf3LMM6di ORlwliICstA95UqowB85CXZD/wdf9qFo4g8mhcs6yYQdg/uvtbecEra8tmFmvhF3zh I5Aw4qe6wdB9h5Y2W5xo/kPjWQaNcCdp2Vq3Qlto=
X-Footer: c3VuZXQuc2U=
Received: from [] ([]) (authenticated user by (Kerio Connect 8.3.4 patch 1) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256 bits)) for; Tue, 14 Jul 2015 19:53:40 +0200
Message-ID: <>
Date: Tue, 14 Jul 2015 19:53:40 +0200
From: Leif Johansson <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=; country=SE; latitude=59.3294; longitude=18.0686;,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09OQhRIWf - aa1aecd0fb8b - 20150714
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral ( is neither permitted nor denied by domain; client-ip=; envelope-from=<>;; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on
Archived-At: <>
Subject: Re: [93attendees] Network experiment during the meeting
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list of IETF 93 attendees that have opted in on this list. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Jul 2015 17:53:49 -0000

On 2015-07-14 17:33, McDonald, Alex wrote:
> I am not a lawyer, but I have done some research in this area.
> Please be aware that (a) the Czech Republic is in the EU (b) according to EU law you are collecting personal identifiable data.
> Therefore (from
> ---->>
> Under the Data Protection Directive, collecting and processing the personal data of individuals is only legitimate in one of the following circumstances laid down by Article 7 of the Directive:
>     Where the individual concerned, (the 'data subject'), has unambiguously given his or her consent, after being adequately informed; or
>     if data processing is needed for a contract, for example, for billing, a job application or a loan request; or
>     if processing is required by a legal obligation; or
>     if processing is necessary in order to protect the vital interest of the data subject, for example, processing of medical data of a victim of a car accident; or
>     if processing is necessary to perform tasks of public interests or tasks carried out by government, tax authorities, the police or other public bodies; or
>     if the data controller or a third party has a legitimate interest in doing so, as long as this interest does not affect the interests of the data subject, or infringe on his or her fundamental rights, in particular the right to privacy. This provision establishes the need to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects.
> <<----
> The last clause is the only clause under which you can collect and process this data. To that end;

I am not a lawyer either but I've dealt with a few cases similar
to this in my $dayjob.

In some countries research is considered to be a task of public
interest and fall under the last but one clause but then often
coupled with an ethics review function.

For the heck of it I just reviewed the Swedish research ethics board
note on PII and they cite the public interest clause [1] (Swedish
readers only I'm afraid).

To make things worse, EU regulation is changing from a directive to
"federal" EU law so national law may not even apply (or at least not
for very long) in this area.

I'm pretty sure that under (current) Swedish law you'd be required
to do a formal review by the human research ethics review board
for this type of research.


 	Cheers Leif