As far as I am aware, the only personal data Roon collects are your name, email, locale and IP address (but I may have missed something) and these are necessary to run the service.
Roon already has this data, so they don't need to pull it from your core. Other data collected are non-personally identifiable.
The GDPR helps protect data of EU and UK citizens irrespective of where they are. However, non-EU countries must also comply with their data protection legislation. So, whilst a company operating in the US may provide services to EU citizens, a foreign data controller reports to the local data protection authority (in the same way the UK reports to the DPA.)
That is what I said.
The privacy policy sets out in plain language what data Roon collects. This IMO meets the terms of the GDPR.
But you do, because it is stated in the privacy policy. Moreover, they don't pull any PII since they already have this in order to deliver the service.
What additional PII are you concerned that they may pull from your Roon core?
I raised two questions in the first post. The first is related to the concern that Roon could at any point pull data (logs) from any user. This data would conceivably contain more than what you mention above. If Roon can pull this data without explicit consent the question of transparency should be raised as this would mean that Roon would have imposed a standing invitation to peruse information about the user's setup and perhaps more. See: JUSTICE AND CONSUMERS ARTICLE 29 - Guidelines on Transparency under Regulation 2016/679 (wp260rev.01)
The second question is really only to hear Roon's own reasoning whether this «backdoor» is within the GDPR regulations or not.
I suppose a more to-the-point question could be:
If it is true that Roon now has chosen to grant themselves access to any user's personal application without asking for consent, why have they chosen this solution which might be slightly more convenient to themselves but pose a much bigger risk for the user? It's 2023, they could make a «send logs to Roon» button.
I wouldn't call it that - it's a legitimate concern from both privacy & security viewpoints.
The privacy part has been addressed quite a few times, but the "pulling" part, if true, is concerning.
If anything is indeed "pulled" (I honestly doubt it), the concern would be what is "pulled" and how secured that process is, considering Roon's core/server is in your LAN.
Just checked, nah you're just another boring audiophile fella
But seriously, Roon couldn't give you the recommendations and such if it didn't know what you listen to. I'm sure Qobuz Tidal and the rest collect some data from us... like Jim I could care less.
Precisely. Isn't the pulling part exactly what Roon admits to doing here?
Consider what's being said here:
This implies that they promise to stop not asking for consent, i.e. you have to opt in if you want to know if they access personal data. At the face of it this is not good GDPR practice.