Roon access to personally identifiable core data without user consent

I’m sure we are all aware that the more complicated something can be made by the legal fraternity, the more they stand to gain, particularly when they can generate and / or capitalise on dispute. Sadly, the letter of the law often trumps the spirit why it was created, which in my opinion is around the wrong way.

I feel sorry for companies such as ROON that are trying to provide a good product / service to their customers with honourable, good intent, yet are subject to all this nonsense.

2 Likes

I am just a Roon user and have spent time reading the T&C’s that we all signed up to when we subscribed to use Roon.

You gave consent for Roon to pull data from your Roon server/core.

Danny has said this.

Personal data = photos, documents

PII = name, email, DOB etc

Personal data, in Roon’s case, is data from your core. It’s data of your usage of Roon etc.

Your PII is something Roon already has on file for you on your Roon account.

My wife has looked at the legal jargon for me, she’s a solicitor here in the UK. Her words “The T&C’s state Roon can access your core at any time to retrieve data. If you ticked an ‘I agree’ box when signing up, then you have given consent”.

No further consent is required.

Roon works by accessing your data.

3 Likes

No, the GDPR is concerned with personal information.

From the UK implementation of the regulation.

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

Personal data is information that relates to an identified or identifiable individual. In the case of Roon logs, the data does not identify an individual.

Do you agree that «relates to» is not the same as «identifies»?

I can relate to my wife but I don’t identify with her.

My data can relate to me and even if one piece of data doesn’t, a collection of them might. At any rate, collecting logs from a user means that Roon can gain knowledge of the particular environment of that user, including information that perhaps should be kept from prying eyes. If Roon can and sometimes will collect such data it would be useful for the user to know what that data is, by what mechanism and motivation it is collected and perhaps when it happens.

A Roon official has chimed in to say that «personal data» is only data that directly identifies an individual, but this is not correct. The EU Commission says:

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Collect enough logs, and though they perhaps seem neutral, put together they may well be considered personal data.

Therefore I have asked by what mechanism this data is being collected, and come to think of it I also wonder what guidelines Roon employees follow when they actually make the choice to collect this data. Though some guesses have been presented by Roon users, these questions remain unanswered by Roon officials.

2 Likes

No offence to your wife but she is incorrect. There are specific conditions which must be met in order for consent to be lawful and one of them is that consent must be unbundled. Therefore acceptance of the T&Cs alone does not satisfy the conditions of consent and I do not see any legal exceptions that would be valid in this case (Remember that we are talking about fundamental and not absolute rights)

Added to that consent can be withdrawn at any time and without detriment so I would suggest if this data is really needed that consent would be the last lawful basis you would want to rely on to support such processing. I usually advise my clients to avoid consent as a lawful basis whenever possible unless there is no other choice.

As a disclaimer my interpretation of consent has been validated by conversations with the EDPB, the ICO, the DPC, the AGPD, amongst other regulators and also with some of the largest legal firms in the world. Then again I am not a huge fan of lawyers and most regulators are rubbish!

1 Like

I strongly beg to differ.

Re-read what I wrote, or what my wife told me to :wink:

My wife has looked at the legal jargon for me, she’s a solicitor here in the UK. Her words “The T&C’s state Roon can access your core at any time to retrieve data. If you ticked an ‘I agree’ box when signing up, then you have given consent”.

If you agree to something, such as allowing Roon to capture data from your core then they can. That’s quite simple.

Roon’s T&C’s are fairly concise and state for what purpose and @Danny has confirmed what is ‘pulled’, and what is not.

I do agree with you that consent can be withdrawn.

Withdrawing your consent for Roon to capture data from your core will most likely render Roon useless. Nothing more than a Windows Media Player I guess.

I’m happy that Roon can access my core when they need to. I have paid for a lifetime subscription and want the product/service to work.

Those who have issue with privacy in terms of Roon capturing data, then this kind of thing ain’t for you.

3 Likes

Let me provide an ad absurdum. If it had somehow slipped into the TOC that agreeing to the TOC implies that you have to embezzle all the money from every orphanage in a 100 km radius from where you live, you would of course not be bound by the TOC. If the TOC included a clause that you had to provide Roon your firstborn for their annual barbecue, you would not be bound by it either. TOCs are agreements between the company and the user, but they don’t replace laws.

Well no, he has said that there are “logs” that don’t include data like e-mails, IP addresses and so on – data that can identify a person directly. However, he has not said anything about “personal data” as it is defined in the GDPR.

I’ll also repeat, because unfortunately it’s evident that the point has not come across, that this is not what I’m worried about primarily. Like you, I’m a lifetime customer and I like the product. What my question was about is how it’s pulled and what access and info Roon has beyond what Danny has already confirmed. The concern here is NOT that Roon might find the user’s e-mail address (I know they have it), but that Roon has a way to engage at-will with data on a user’s computer that provides much more detailed info about the user and their environment. This is probably fine but it’s potentially concerning, all the more because no officials have yet to say either of the following:

  • We are fully GDPR compliant but we can’t disclose company secrets (fine)
  • We have changed something because we looked at it again and did something wrong (fine)
  • We do everything according to the regulations but in order to be even more transparent we’ll change a few things like adding a “send logs” button (great)
  • Look here, this is what we do and how we do it, now do you see that this is completely harmless and only beneficial to the user? (great)

At this point we only have:

  • We think it’s mostly fine but we are a little bit iffy on the GDPR definitions.

Remember that this whole thing sprung out from an official writing the following:

Note that a) Roon can collect “diagnostic information” from your computer – that’s information that evidently includes fairly detailed information about your own local network, according to the discussion in that thread.

Note also that b) Roon has chosen this method for convenience and asks the user over a discussion forum to trust them if they want to opt out. It’s not a feature in the app or an e-mail.

If you read the thread you will also see that c) when the user says they’re so concerned over this that they won’t use Roon anymore, Roon has no further comment. Why? Wouldn’t it be reasonable that a serious company who, according to their privacy policy, are “privacy freaks”, comments on this? If for nothing else, then at least for comforting users who are concerned but not ready to stop using the service altogether?

4 Likes

A bit off topic but:

What is the reason for this?

2 Likes

Quite correct, ad absurdum :man_facepalming:

Your examples are a criminal offence for starters. You’ve completely missed the point here.

Sharing data isn’t a criminal offence. The data handler abusing your data is the crime. Hence laws in place, such as GDPR.

You’re going round in circles here.

Your data, logs or whatever you want to refer to them as are needed to be accessed by Roon for Roon to work at its best.

If you or others have a serious issue with Roon accessing your cores/servers then there’s little point using Roon or continuing in this thread.

Last look at things.

You go on a website, it needs you to allow cookies for the website to function properly. You can consent or decline. You consent, then you can’t complain afterwards. You can delete the cookies and clear your browser history and therefore remove that consent.

Time to move on for me, and I suggest for you also.

:wave:

My view in this @kc1 is that maybe people aren’t quite understanding the point of the thread. Me included.

In short, the thread is a question to Roon about how they access our computers to gather data and whether they handle that data properly. As you don’t represent Roon as an official you can’t answer this question @AMT but thanks for trying anyway.

1 Like

I follow what @Hestepare is getting at and am a bit bemused that Roon have not yet given a clear answer unless they are not entirely clear on the law themselves and are checking with their legal team before replying, which would be completely understandable, but if that is the case why not just say so.

4 Likes

I respectfully disagree. We are talking about a customer’s information request about a process that is not very transparent. Dismissing the customer(s), a practice I’ve seen repeatedly in this forum, does not help Roon or the customer(s), does it?

I have Plex server, Logitech Media Server etc - I’m not concerned with them, as the server(s) configuration provide check-boxes for opt-in or opt-out of diagnostic logging etc. If you need support, they ASK(ed) you to send whatever logs they need (which if you want, you can examine before sending). Maybe Roon should follow suit to stop similar concerns?

PS1: I have no issue with Roon, life sub like you & @Hestepare, won’t lose sleep over this, but I also would like to see an ‘official’ answer, because I am interested in the topic, as I am sure others are as well. If the discussion leads to improving Roon, all the better for all of us.
PS2: If you want to learn about data protection, privacy etc, check IAPP - plenty of courses.

They should move on then - this thread is between the person with the concern & the Company. If one understands the concern and can provide a valid answer, fine.

This ^^ does not in any way promote a ‘thoughtful, considered discussion’.
It’s simply aggravating.

7 Likes

Maybe this thread in its entirety could help.

Focus on @danny’s responses. I feel he explains all that is being asked here. :man_shrugging:

2 Likes

About 60 posts and 3 days ago, I had posted this in reference to that link…

2 Likes

If this is directed to me I will answer this time that yes, I did read the thread when you linked it and 1) it’s four years old and 2) it does not answer my questions.

Oooh! I had the answer then and was about to say it :thinking: … but I forgot the question … sorry :rofl:

1 Like

Still wondering why this thread was put under «Roon community site», it has nothing to do with that. Either «software» or even «feedback» would be better, I suppose.

Don’t you just need to look at the logs to ascertain that?

I’ve just been through my latest RoonServer_log and it contains the following (this is probably not exhaustive):

  • Operating system of the server
  • Build number (of Roon)
  • Local time of server
  • The approximate geographical location of my server
  • My external IP address
  • Some local network IP addresses
  • Serial numbers of external hard drives (not sure why they’re needed)
  • Details about other mounted volumes (Time Machine etc)
  • My Roon user ID
  • Which, if any, music subscription services I’m subscribed to
  • My email address
  • My first name and last name
  • Info about the various Roon endpoints on my network
  • Various references to the music I play

There may be more, but I got bored after the first 2000 lines.

Unless I’m missing some key point here it seems to me that I can probably be quite easily identified from what my core is doing, because the information is in the logs.

Don’t get me wrong, I have absolutely zero personal problem with this but, like a few others in this thread, I can understand where @Hestepare is coming from.

4 Likes

Maybe to unambiguously distinguish different drives?

1 Like

Yep. That’s probably it.