Advocating for Post-GDPR Privacy and Data Protection in Open-Source Projects

Introduction

The EU General Data Protection Regulation (GDPR), also known as Regulation (EU) 2016/679, gives people additional control over their personal data. The regulation was first published in April 2016 and became applicable on May 25, 2018. It replaces the previous Directive 95/46/EC. Despite the two years transition period, and also the fact that it has been officially into effect for several months already, many organisations are still not complying.

The regulation describes the rights of the data subjects and the obligations of both data controllers and processors but does not offer any means of helping organisations to achieve compliance. In other words, it tells them what to do but not how. Open-source projects are usually not exempted as many of them do process personal data one way or another.

This blog post attempts to highlights the importance of enhanced privacy and data protection measures in open-source projects, explains my personal outreach efforts and meanwhile presents some of the common struggles that open-source projects are facing.

Speaking at Fosscomm 2018 in Heraklion, Greece Speaking at Fosscomm 2018 in Heraklion, Greece

The Importance

During the last twenty to thirty years, we have seen tremendous changes in the ICT industry. Nowadays, we transmit large volumes of data across continents within seconds — the amount of data, relating to citizens, that organisations are collecting and processing is enormous.

Unfortunately, several organisations are mishandling data belonging to citizens. Every once in a while we hear about major hacking incidents and severe data breaches. Organisations, nevertheless, seem to fail at implementing appropriate measures to safeguard personal data.

I have participated in multiple free and open-source software projects and communities. We usually advocate for software freedom, open standards and the commons. However, I believe we sometimes fail to realise the significant importance of data privacy and data protection in the modern world and consequently spend less effort embracing such principles.

My Outreach Efforts

I have had the pleasure of speaking about the GDPR Compliance and Open Source Projects at Fosscomm 2018 and OpenFest 2018 in Heraklion, Greece and Sofia, Bulgaria respectively. I introduced the fundamental aspects of the regulation (i.e. the organisational and processing requirements and the rights of the data subjects), mentioned ongoing privacy and data protection issues and explained Mozilla’s involvement. Thankfully, Fosscomm 2018 organisers have published the video recording of my presentation (in Greek). In addition, I have published the presentation slides I used at OpenFest 2018. Both the video recording and the presentation slides are freely available under Creative Commons licenses.

Speaking at OpenFest 2018 in Sofia, Bulgaria Speaking at OpenFest 2018 in Sofia, Bulgaria

Furthermore, I will soon be delivering a similar presentation at SFK’19 in Pristina, Kosovo. Looking forward!

Common Issues

Long story short, open-source projects need to give particular attention regarding a) how they obtain, handle and protect personal data associated with their users and contributors, and b) how they design and enforce mechanisms to provide their users and contributors with additional controls over their data as required by the regulation.

Free and open-source software engineers, developers, and enthusiasts seem to be aware that the regulation has brought new challenges. However, I sense that many projects are unable to correctly interpret the requirements of the regulation and perform appropriate adjustments to their workflows.

Open-source projects occasionally fail to refer to any of the six distinct legal justifications (e.g., consent) that the regulation establishes for the lawful processing of personal data. Moreover, they don’t always adhere to the regulation’s processing principles such as the data minimisation and storage limitation. Last but not least, they sometimes don’t feature the necessary mechanisms to honour the rights of the data subjects.

Explaining the requirements of the regulation and the subsequent obligations of both data controllers and processors lies beyond the purposes of this particular blog post. However, I might be discussing the fundamental aspects of the GDPR in future writings.

Closing Thoughts

May 25th, 2018 was just the beginning. There are currently numerous complaints against data controllers and processors and investigations are ongoing. CNIL recently fined Google 50 million EUR for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization. The regulation has unarguably strict requirements and leaves little room for mistakes.

Organisations should process personal data with respect and meanwhile apply the highest level of protection. Data subjects should also be made aware of the potential risks and available controls. Let’s increase awareness around privacy and data protection matters!