Hi Andreas,
Thanks for dealing with this
On Fri, Jan 02, 2026 at 08:51:00AM +0100, Andreas Tille wrote:

The Data Protection Team was started in 2018 in the light of new
European data protection legislation, to provide a point of contact for external queries about what data Debian holds, and to advise Debian
members about the project's data protection obligations. The team drew
up the public privacy policy[0], and has passed on requests from
individuals as appropriate.

All three delegated members of the Data Protection Team have now stepped
back from this task. I would like to sincerely thank Jonathan McDowell (noodles), Tollef Fog Heen (tfheen), and Matthew Vernon (matthew) for
their work on the team. As they have stepped back from the role, their delegation is hereby revoked.

The fact that all team members have stepped back at the same time should
make it clear that we urgently need new volunteers to fulfil this role.

Despite a constructive discussion at Debconf this year, no-one has come forward to join the Data Protection Team, and the existing team have all resigned. This means that currently any data protection enquiries come
to the DPL, who already has too much to do.

If you're interested in data protection / privacy, and would be
interested in improving the existing privacy policy and working with
teams who process personal data to improve the workflows for handling
data protection-related requests, then please get in touch!

Looking at the current delegation text this smells like a burnout job to me (definition: high expectation + low control).
While I don't think I have the capacity to help with the ongoing work here
I'd love to help you re-draft the delegation to try and make the work of a future team more rewarding going forward.
What do you think about scheduling a (semi-?)public jitsi call to discuss
this?
I the meantime providing an answer to the all important workload question
could help people decide if they want to volunteer for this:
- How many GDPR inquiries did the existing team receive in the last year?
(or month if that's easier to check)
Thanks,
--Daniel
PS: I'm moving my reply to debian-project@d.o instead of devel since it's organizational matters.


--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Hi Daniel,

Am Fri, Jan 02, 2026 at 09:51:25AM +0100 schrieb Daniel Gr?ber:

Looking at the current delegation text this smells like a burnout job to me (definition: high expectation + low control).

I was asking back to the old team and will publish the result in my next
bits soon. I do not think that burnout is the correct description if my interpretation of the answers is correct.

While I don't think I have the capacity to help with the ongoing work here I'd love to help you re-draft the delegation to try and make the work of a future team more rewarding going forward.

What do you think about scheduling a (semi-?)public jitsi call to discuss this?

This is definitely a good idea. However, I would delay this until after
my bits were sent and some questions I received meanwhile are answered.

I the meantime providing an answer to the all important workload question could help people decide if they want to volunteer for this:

- How many GDPR inquiries did the existing team receive in the last year?
(or month if that's easier to check)

Four in 2025.

PS: I'm moving my reply to debian-project@d.o instead of devel since it's organizational matters.

Makes sense.

Kind regards
Andreas.

--
https://fam-tille.de

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Hi Bart,
On Sat, Jan 03, 2026 at 01:38:24AM +0100, Bart Martens wrote:

Looking at the current delegation text this smells like a burnout job to me (definition: high expectation + low control).

On the other hand, some volunteers might prefer a role of identifying possible improvements without any (legal) responsibility on decisions and prioritizing implementations.

Good point. However given how open Debian is anyone that wants to do this
can already do this. Just talk to people! Post ideas to the debian-project list, maybe form an informal team and take it from there. No need for a delegation to get started.
I'd look at the delegation as helping lower Andreas' workload on the
official side of things.

- How many GDPR inquiries did the existing team receive in the last year?
(or month if that's easier to check)

I think it's much more than dealing with inquiries. There should be
people [...]

Are you volunteering? :-)
Its easy to say we should have people with motivation, but rather harder to make the people and motivation actually materialize.
What I'm proposing is to look at what the people doing the work need to be effective at doing the work: Is it know-how, is it delegated decision
power, is it knowing the right people in the project? (etc).
Once we know what it is they need such a delegation is much more likely to
be effective.
--Daniel
PS: I did a quick search for context on the history of the team:
- DebConf25 BoF - which has no recording or meeting notes :(
Did anyone reading this attend and can share a quick summary?
https://debconf25.debconf.org/talks/224-the-data-protection-team-status-and-future/
- 2024 DPL election: Question to all candidates: GDPR compliance review
https://lists.debian.org/debian-vote/2024/04/msg00024.html
- DebConf22 BoF - has a recording!
https://meetings-archive.debian.net/pub/debian-meetings/2022/DebConf22/debconf22-215-state-of-the-data-protection-team.webm


--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Hi Andreas,
On Sun, Jan 04, 2026 at 05:22:59PM +0100, Andreas Tille wrote:

Am Fri, Jan 02, 2026 at 09:51:25AM +0100 schrieb Daniel Gr”ber:

Looking at the current delegation text this smells like a burnout job to me (definition: high expectation + low control).

I was asking back to the old team and will publish the result in my next
bits soon. I do not think that burnout is the correct description if my interpretation of the answers is correct.

I'm glad thats not how the old team feels! Yet I do think the delegation
could provide more context for new volunteers on how they are supposed to
do the work we're asking them to do. Clarity on their powers (if any are needed) would also help the team communicate with others in the project
IMO, but let's discuss all that in more detail on the call.
See also my other mail to Bart on more specifically what I think we should
do to better define the role.

What do you think about scheduling a (semi-?)public jitsi call to discuss this?

This is definitely a good idea. However, I would delay this until after
my bits were sent and some questions I received meanwhile are answered.

Sounds good. Lmk.

- How many GDPR inquiries did the existing team receive in the last year?
(or month if that's easier to check)

Four in 2025.

That does sound managable, but since it's a public service we do have to
plan for what happens when there's a sudden burst or a particularly
complicated request.
Did the old team leave behind an archive of their internal communication
with the project so new people have something to go on and don't have to
start from scratch?
Thanks,
--Daniel


--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

On Sun, Jan 04, 2026 at 08:14:33PM +0100, Daniel Gr?ber wrote:

Hi Bart,

On Sat, Jan 03, 2026 at 01:38:24AM +0100, Bart Martens wrote:

Looking at the current delegation text this smells like a burnout job to me
(definition: high expectation + low control).

On the other hand, some volunteers might prefer a role of identifying possible improvements without any (legal) responsibility on decisions and prioritizing implementations.

Good point. However given how open Debian is anyone that wants to do this
can already do this. Just talk to people! Post ideas to the debian-project list, maybe form an informal team and take it from there. No need for a delegation to get started.

It is hard to convince our fellow-DDs all over the project to erase personal data from their systems without a formal delegation from the DPL.

I'd look at the delegation as helping lower Andreas' workload on the
official side of things.

- How many GDPR inquiries did the existing team receive in the last year?
(or month if that's easier to check)

I think it's much more than dealing with inquiries. There should be
people [...]

Are you volunteering? :-)

Maybe.

Its easy to say we should have people with motivation, but rather harder to make the people and motivation actually materialize.

It's why I wrote "maybe". :-)

For example, "carnivore" is likely still processing personal data in ways that Debian does not really need, so must not have. I might some day find the time to have a look at it. (I'm careful with making promises in volunteering work.)

What I'm proposing is to look at what the people doing the work need to be effective at doing the work: Is it know-how, is it delegated decision
power, is it knowing the right people in the project? (etc).

Sounds like a useful task!

Once we know what it is they need such a delegation is much more likely to
be effective.

--Daniel

PS: I did a quick search for context on the history of the team:

- DebConf25 BoF - which has no recording or meeting notes :(
Did anyone reading this attend and can share a quick summary?
https://debconf25.debconf.org/talks/224-the-data-protection-team-status-and-future/

- 2024 DPL election: Question to all candidates: GDPR compliance review
https://lists.debian.org/debian-vote/2024/04/msg00024.html

- DebConf22 BoF - has a recording!
https://meetings-archive.debian.net/pub/debian-meetings/2022/DebConf22/debconf22-215-state-of-the-data-protection-team.webm

--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)