GitLab is, at its core, an interface for working with Git repositories. In Git, the fingerprint (hash) of any change is comprised of many things, including the change itself, the self-provided identify information of the person making the change, and the fingerprint of the previous change.
Because changing a identity information would change the fingerprint, this change would cascade to break all future fingerprints. GitLab, then, must ask all users to waive their right to be forgotten. #gdpr
There's another interesting legal pothole here for GitLab, since I can clone any repo and upload a copy to GitLab, potentially propagating identity information for non-consenting users. This could be used against repository owners in the future, erasing repositories from the web if one contributor decides to file a claim of some sort.
@annika That's one of the funny things about GDPR. In a very very weird way it encourages people to self-host their stuff and to care about decentralization because GDPR doesn't apply to anything but companies.
@annika This is indeed an interesting case.
However I don't think that it is possible that a data subject can waive that right. Art. 17 DS-GVO doesn't allow this and I would find this counterintuitive.
While a data subject has a right to erasure, it is not necessarily the case that the controller has an obligation. The author of the git commit object is necessary for git to work. So I'd argue that Art.17(1) does not apply and thus there is no obligation.
However IANAL. 😉
@annika It will be interesting to see if that's actually enforceable.