Read your own cite: nothing about the UUID in question is associable with an identified or identifiable natural person, which is what the GDPR concerns.
We do not have the ability to correlate your package installs (again, we do not know what you install) with your browsing history, and we do not store any information that would allow us (or an adversary) to do so.
Read your own cite: nothing about the UUID in question is associable with an identified or identifiable natural person, which is what the GDPR concerns.
This is false and a misunderstanding of the GDPR. It is not about whether it is currently possible. But whether it would be possible if it was correlated with other data.
What differs pseudonymisation from anonymisation is that the latter consists of removing personal identifiers, aggregating data, or processing this data in a way that it can no longer be related to an identified or identifiable individual. Unlike anonymised data, pseudonymised data qualifies as personal data under the General Data Protection Regulation (GDPR). Therefore, the distinction between these two concepts should be preserved.
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
So, basically if we have a data set with three columns:
Personal name, UUID, Action (e.g. brew install fzf)
Removing the first column is pseudonymization, and thus qualifies as personal data under the GDPR. Removing the first and the second column is anonymisation and is not personal data.
Again IANAL, but it is clear from the GDPR that the only thing you could do without consent is e.g. recording what packages get installed/uninstalled, but without a UUID.
Apply the counterfactual: what would have to be the case in order to correlate the UUID in question with user data?
We do not store anything else that could correlate with that UUID. We don't expose it to anybody else and it's unclear how, even if we did, it would result in personal correlation.
Apply the counterfactual: what would have to be the case in order to correlate the UUID in question with user data?
We do not store anything else that could correlate with that UUID. We don't expose it to anybody else and it's unclear how, even if we did, it would result in personal correlation.
You can argue against this, but it's simply how the GDPR defines personal data, and if you violate it, someone could report you to their data protection authority.
Secondly, the GDPR does not just do this to protect citizens against direct use of their personal data (I think most Homebrew users would be immediately convinced that you wouldn't misuse this data, including me), but also scenarios that are outside of your control. Such as: Google decides to violate the GDPR against your will and correlates the data. Or: Google Analytics gets hacked, the data set becomes available on the black market or wherever and people correlate the data with other leaked data.
We do not have the ability to correlate your package installs (again, we do not know what you install) with your browsing history, and we do not store any information that would allow us (or an adversary) to do so.