How to spam software developers and get away with it?
31 March 2019
(somebody tell me why this doesn't work)
Step 2: Have products and services interact with open source, and collaborate and test upstream. This is also obviously good. Pull open-source Git repositories and run integration testing and metrics and whatever on them. We shouldn't just sit there and pull whatever comes out at the end of the development process; we should help with the QA, publish peer-reviewed research, whatever.
Step 3: Congratulations, we're now a data controller under Article 14 of the GDPR. Git repositories are full of PII. Every commit includes the developer name and email address.
Oh, no, PII! Does that mean we can't work with open source?
Of course not. Open source is still legal. But we have to comply with our data subject rights obligations under Article 14. We have to contact everyone whose PII we hold, and notify them clearly of what we're doing with their data.
And what are we doing with it? We're using it to do open source QA that feeds into making our product better. And we have to explain what we're doing in our Article 14 notification. So the European Union basically just told us not just that we can send our elevator pitch to a bunch of software developers unsolicited, but that we have to.