Re: [93attendees] Network experiment during the meeting

"McDonald, Alex" <> Wed, 15 July 2015 20:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 12A941ACDF7 for <>; Wed, 15 Jul 2015 13:01:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id R_-NzyONozYr for <>; Wed, 15 Jul 2015 13:01:34 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E37BA1ACDE1 for <>; Wed, 15 Jul 2015 13:01:33 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.15,482,1432623600"; d="scan'208";a="56144772"
Received: from ([]) by with ESMTP; 15 Jul 2015 12:56:32 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1076.9; Wed, 15 Jul 2015 12:56:31 -0700
Received: from ([::1]) by ([fe80::dc1c:7054:32f6:3f6b%21]) with mapi id 15.00.1076.000; Wed, 15 Jul 2015 12:56:31 -0700
From: "McDonald, Alex" <>
To: Randall Gellens <>, Rolf Winter <>, "" <>
Thread-Topic: [93attendees] Network experiment during the meeting
Thread-Index: AQHQvahrmasx0wTXiky9rUNb61MX1Z3bEeMQgAJSzQD//41cEA==
Date: Wed, 15 Jul 2015 19:56:30 +0000
Message-ID: <>
References: <> <> <p06240602d1cc663b8d3c@[]>
In-Reply-To: <p06240602d1cc663b8d3c@[]>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
X-Mailman-Approved-At: Wed, 15 Jul 2015 14:53:09 -0700
Subject: Re: [93attendees] Network experiment during the meeting
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Mailing list of IETF 93 attendees that have opted in on this list. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Jul 2015 20:01:36 -0000

Opinion on the notion of legitimate interests of the data controller etc

Example 24: Information website for teenagers

An NGO website offering advice to teenagers regarding issues such as drug abuse, unwanted pregnancy and alcohol abuse collects data via its own server about visitors to the site. It then immediately anonymises these data and turns them into general statistics about which parts of the  website  are  most  popular  among  visitors  coming  from  different  geographical  regions  of the country.
Article 7(f) could be used as a legal ground even if data concerning vulnerable individuals are concerned,  because  the  processing  is  in  the  public  interest  and  strict  safeguards  are  put  in place  (the  data  are  immediately  rendered  anonymous  and  only  used  for  the  creation  of statistics), which helps tipping the balance in favour of the controller.

So the answer is perhaps yes, if caveats re anonymization and use are adhered to.

(As a general note, I didn't raise this with the intent of having "I am not a lawyer but..." discussions. It's just that this stuff has a tendency to bite hard when it does bite. The EU doesn't mess around, especially in light of recent events around Snowden and the leak of US clearance information, and with bodies or companies it thinks should know better.)

Alex McDonald
Standards & Industry Associations Group
CTO Office
+44 7795 046686 Mobile Phone
twitter: @alextangent
Follow us: 

> -----Original Message-----
> From: Randall Gellens []
> Sent: 15 July 2015 20:35
> To: McDonald, Alex; Rolf Winter;
> Subject: Re: [93attendees] Network experiment during the meeting
> At 3:33 PM +0000 7/14/15, Alex McDonald wrote:
> >      if processing is necessary to perform tasks of public interests
> > or tasks carried out by government, tax authorities, the police or
> > other public bodies; or
> >      if the data controller or a third party has a legitimate interest
> > in doing so, as long as this interest does not affect the interests of
> > the data subject, or infringe on his or her fundamental rights, in
> > particular the right to privacy. This provision establishes the need
> > to strike a reasonable balance between the data controllers' business
> > interests and the privacy of data subjects.
> >  <<----
> >
> >  The last clause is the only clause under which you can collect and
> > process this data.
> What about the "public interest" clause?
> --
> Randall Gellens
> Opinions are personal;    facts are suspect;    I speak for myself only
> -------------- Randomly selected tag: --------------- To iterate is human; to
> recurse, divine.  --Robert Heller