Hans-Christoph Steiner <hans@guardianproject.info> @ Wed, 13 Jan 2021 10:27:42 +0100:
> The standard log_formats store detailed information which falls under
> data regulations like the EU's GDPR and California's CCPA. This merge
> request adds a suggested "privacy" log_format that generates logs that
> cannot be used to identify users. This has been developed and used by
> Tor Project, Guardian Project, and F-Droid.
IANAL, so: Are there any exceptions in the EU's GDPR that allow short-stored logs of user-identifiable information? That would seem useful, as *some* logging is useful when detecting and reporting fraudulent activities and for detecting spam. Logs are rotated and are sometimes useful when a data breach happens.
I've also seen some examples of ISPs having to store info, that would be classified as user data, for 6 months for detecting illegal activities. See [1].
Again, IANAL, but [0] describes some allowances regarding log data. I agree with adding the privacy option, but is that really a must when dealing with EU customers?
Regards!
[0] https://www.termsfeed.com/blog/gdpr-log-data/#Storage_Limitation
[1] https://en.wikipedia.org/wiki/Data_retention#European_Union
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel