The Chancery has now finished processing all changes resulting from answers to the mandatory questions (eg. changed email addresses and/or contact or privacy preferences).
I would additionally like to inform the general public that, last week, a registered political party requested access the Electorate Database as provided by Lex.D.8.5 and subsections thereof, which alerted me to an error I made interpreting that law.
The legislation itself is clear, but it seems I misinterpreted it, or misremembered it, while writing the last version of the General Election Rules and the Census forms as well: both refer to the electoral comms opt-in as only covering the Chancery's election-time forwarding service, and the former states in rule A.3 that parties may only receive those addresses which are public.
However, D.8.5.3 and D.8.5.4 clearly states the Chancery shall hand over all email addresses of people who okayed receiving electoral comms, irrespective of whether they wish their email address to be public.
I can only apologise for issuing a set of rules which was in breach of Lex.D.8.5, though that is moot as no party requested the Electorate Database, and for erroneously indicating in the Census that the electoral email opt-in only affected the Chancery's election-time forwarding service. I do still think that the best way to send unintrusive electoral communications and respect a citizen's right to privacy is through the Chancery, but I must comply with the law.
To those citizens concerned about privacy - protection of which remains a strong priority of this Chancery - I can issue two assurances:
- The Electorate Database is only accessible to "leaders of parties which have fully registered" as per D.8.5.2, which the Chancery holds to mean the leaders of the four parties sitting in the Cosă, before Dissolution, and the parties who have registered to the next Election and paid their fee, from Dissolution onwards;
- Citizens are free to opt out at any time as provided by D.8.5.7, and the Chancery will provide tools to do so automatically. The Chancery considers email addresses that are not public to be a citizen's private information, unlawful access/use of which is covered by Lex.A.7.3.3.
Quote from: Sir Lüc on October 09, 2025, 09:37:53 AMI would additionally like to inform the general public that, last week, a registered political party requested access the Electorate Database as provided by Lex.D.8.5 and subsections thereof, which alerted me to an error I made interpreting that law.
I am not sure how a similar request is made but the Green Party publicly submits a request for access to the Electorate Database, as provided by Lex.D.8.5.
We also applaud the transparency of the Chancery in disclosing this request and informing the public of the interpretation error.
The Chancery will comply with both requests it received as soon as it has implemented the required Database functions for automatic dynamic export of the mailing list and for opting out by citizens (likely, in a matter of a few days.)
Quote from: Sir Lüc on October 10, 2025, 08:25:06 AMThe Chancery will comply with both requests it received as soon as it has implemented the required Database functions for automatic dynamic export of the mailing list and for opting out by citizens (likely, in a matter of a few days.)
Thank you
Thank you
@Sir Lüc for your openness in explaining the situation and for recognising the oversight. Having looked again at both El Lex D.8.5 and the wording of the 2025 Census, I do have several concerns from a data protection standpoint.
The Census wording clearly stated that, if citizens consented, the Chancery would
forward electoral communications to them. It did not say that email addresses would be released directly to political parties. Citizens, especially those living in the EU or UK, would have understood that their information would remain under the Chancery's control.
That creates a tension between El Lex and the principles of the General Data Protection Regulation (GDPR). Under Articles 4(11) and 7 of the GDPR,
consent must be specific, informed, and freely given. Agreeing to receive electoral communications is not the same as agreeing to have one's email address shared with multiple third parties. The consent that was gathered referred to forwarding, not to disclosure.
The Chancery, as the body that collects and determines how citizens' data is used, would be considered the data controller under the GDPR. This carries legal responsibilities, including the need for a lawful basis for any processing, the application of data minimisation under Article 5(1)(c), and the duty to maintain security and accountability under Articles 5(1)(f) and 32. Once email addresses are distributed to several party leaders, the Chancery loses effective control over how that data is stored or used. This increases the risk of unauthorised retention, forwarding, or misuse. In such a situation, both the Chancery and the recipients could be considered joint data controllers for any misuse that occurs.
The principle of purpose limitation under Article 5(1)(b) is also relevant. Data collected to enable election communication must only be used for that stated purpose. Allowing the Chancery to continue forwarding messages on behalf of parties would meet this requirement while maintaining confidentiality and security.
This raises a couple of important legal questions, and on which I would be interested to hear the Chancery's response or viewpoint: if El Lex requires the Chancery to act in a way that conflicts with the data protection laws of a citizen's country of residence (in this case the EU or UK), does El Lex take precedence over the Chancery's obligations under the GDPR? Has the Chancery formally considered its obligations under the GDPR as the data controller, especially in light of how the Census questions were phrased?
Even if enforcement may be unlikely, the GDPR is binding law within the EU and UK. Any organisation, group, or individual involved in processing the personal data of EU or UK residents must comply with it. Even if El Lex directs disclosure, the Chancery would still remain responsible as data controller for ensuring that the processing is lawful and GDPR compliant.
It may therefore be sensible to pause before any release of data and consider a privacy-preserving interpretation of El Lex. An interim measure could be to email all citizens to explain the current situation and include an opt-in link allowing them to give explicit consent for their data to be shared with registered parties, along with clear information on how those parties will handle, store, and delete it. The longer-term fix would be to update future Census or data-consent wording so that it clearly states that opting in means disclosure to registered parties.
This would (I hope) resolve the issue going forward and bring the process in line with both Talossan law and GDPR principles.
My two bence on this quiet Friday evening,
-- Litz
Quote from: Sir Lüc on October 10, 2025, 08:25:06 AMThe Chancery will comply with both requests it received
All three requests
Quote from: Baroness Litz Cjantscheir, UrN-GC on October 10, 2025, 03:39:07 PMThank you @Sir Lüc for your openness in explaining the situation and for recognising the oversight. Having looked again at both El Lex D.8.5 and the wording of the 2025 Census, I do have several concerns from a data protection standpoint.
Thank you Baroness Litz. This is a very thorough and detailed analysis. Unfortunately, while I am aware of GDPR, I did not consider its full implications. I would first like to answer your two questions and then move to my proposed solution:
Quoteif El Lex requires the Chancery to act in a way that conflicts with the data protection laws of a citizen's country of residence (in this case the EU or UK), does El Lex take precedence over the Chancery's obligations under the GDPR?
This is obviously a pain point of micronational legislation; one of the classical questions (and my first big argument with a fellow Talossan back in 2012) was along the lines of - if smoking weed is legal under Talossan law but illegal under my macronational jurisdiction, what should I do? There obviously is nuance at play, but while I believe questions such as that one are down to personal values, not to mention carrying consequences that are limited to the individual, others are much less subjective and much more consequential. Worse, in this case El Lexhatx potentially *directs* someone to *break macronational law*. I am sure this situation was not intended when the statute was written - the current language stems from The Freedom of Information and Privacy (Gov.) Act (40RZ9), a bill that was passed in 2009, way before GDPR was adopted. Regardless, that's not something I am willing to do nor something that is fair to require.
QuoteHas the Chancery formally considered its obligations under the GDPR as the data controller, especially in light of how the Census questions were phrased?
Did the Chancery attempt to design a personal data release form, along with the related framework for using said personal data, to strive to protect Talossan citizens's right to privacy as much as possible? Yes. Did the Chancery consult macronational legislation while doing so? No.
My main takeway is this - while Lex.D.8.5 needs reform, agreeing to simply not use it poses no harm or disadvantage. The purpose of D.8.5 is to ensure a free and fair election by providing all registered parties with the opportunity to contact all (opted-in) citizens, equally and uniformly. That is also the same purpose of the privacy-preserving election-time forwarding service. The D.8.5 list has not been divulged yet, so no party has gained an unfair advantage over the others.
What I propose is the following:
- Party leaders amicably and collectively agree not to request the D.8.5 list, as it would be tantamount to asking the Chancery to break macronational law;
- The Chancery retains its traditional forwarding service, and agrees to expand it so that it is available immediately, under the same restrictions as during election time;
- The incoming Cosă seriously looks at amending the existing D.8.5, so that it is no longer in breach of GDPR protections.
That sounds fine to me!
Quote from: Sir Lüc on Today at 09:13:27 AMMy main takeway is this - while Lex.D.8.5 needs reform, agreeing to simply not use it poses no harm or disadvantage. The purpose of D.8.5 is to ensure a free and fair election by providing all registered parties with the opportunity to contact all (opted-in) citizens, equally and uniformly. That is also the same purpose of the privacy-preserving election-time forwarding service. The D.8.5 list has not been divulged yet, so no party has gained an unfair advantage over the others.
What I propose is the following:
- Party leaders amicably and collectively agree not to request the D.8.5 list, as it would be tantamount to asking the Chancery to break macronational law;
- The Chancery retains its traditional forwarding service, and agrees to expand it so that it is available immediately, under the same restrictions as during election time;
- The incoming Cosă seriously looks at amending the existing D.8.5, so that it is no longer in breach of GDPR protections.
Agreed. I would suggest the amending of D.8.5 be led by the Chancery as the SOS has the power to propose legislation and has already proposed actions represented by the list itself.
I will no doubt attempt to either present a proposal myself or chip in with my thoughts on an existing one, for sure. I think Baroness Litz has already made some very sound points in this comment on the related Hopper thread (https://wittenberg.talossa.com/index.php?msg=37255).