Tag Archives: GDPR

EuroDIG 2021: Takeaway messages for libraries

The 2021 edition of the European Dialogue on Internet Governance offers an opportunity to take stock of recent developments in the policies and practices within the digital ecosystem which can be of interest to, and have an impact on, libraries in Europe – and around the world.

1) Moving ahead to champion Open Science

Open Science, particularly its digital dimensions, was among the key topics of interest in this year’s EuroDIG. Noting the many helpful local, regional and international (e.g. discipline-specific) open science initiatives, UNESCO and other stakeholders discussed the value of developing a comprehensive shared definition and normative approach; and UNESCO itself offered an update on its draft Recommendation on Open Science.

Here, a summary of key points raised by various stakeholders and Member States during the UNESCO consultation (to which IFLA also contributed) included references to the importance of infrastructure (e.g. internet connectivity), of Open Science monitoring, and of non-profit and sustainable services and infrastructures to support Open Science in light of the risks of commercial monopolisation. In November 2021, the draft Recommendations are due to be submitted to the UNESCO Geneva Conference with a view to their adoption, followed by anticipated adoption among Member States.

Open Data. A closely related topic which may be interesting for libraries working in this area is open data – particularly how to open and share data which is more sensitive and requires further safeguards. Noting the current legal provisions which govern the lifecycles and usage of such data (e.g. laws such as the General Data Protection Regulation), the speakers pointed out some of the existing and possible approaches which can help enable such data-sharing to take place securely in practice. These include, for example, various licensing models, or setting out rules on access to such sensitive data – e.g. for specific purposes, or to limited types of stakeholders.

This discussion also pointed to the importance of investing in infrastructural support, education, and awareness-raising, to help researchers navigate the questions around opening sensitive data. These discussions are of course highly relevant for libraries offering support or training on research data management, licensing or copyright for their institutions.

2) Online learning: where do we stand today?

Digital divides and inequalities. The 2021 EuroDIG also offered an opportunity to reflect on the lessons learned from the rapid shift to digital in learning and education, which has taken place in many parts of the world over the past year. One of the most prominent challenges here is, of course, the widely-noted digital divide – inequalities in access to suitable connectivity or devices (or even suitable spaces) for learners, and the ability to use them effectively.

The social element. The social dimension of learning is another consideration – with concerns expressed over the possible impacts of all-digital learning on students’ social interactions and wellbeing. Some survey data suggests, for example, that parents reported positive impacts of remote learning for students’ math and reading competencies – but see it as having a more negative impact on their social skills. This raises the question of whether it is possible to leverage existing (and develop new) applications and digital mediums to further promote meaningful interaction and wellbeing.

These points relate to the questions many libraries themselves have been grappling with since they introduced virtual programming to support learning and social interaction for children – from storytimes to creative workshops or clubs.

Platforms, walled gardens, educational content discoverability. Another part of the discussion focused on digital learning platforms and tools themselves. Here, stakeholders noted that it is crucial for platforms to not only optimise learning – but to also take fully into account learners’ digital autonomy, digital self-determination, privacy and ethics.

Another consideration is the “walled gardens” of some commercial learning platforms – those characterised by limited interoperability and a lack of access to their learning materials from outside of the platform (e.g. with access cut off once a course ends). For libraries, this latter point relates to their own concerns over equity and availability of access to digital learning materials. One of the draft take-away messages also highlights the importance of tools that increase the discoverability of educational content across the various available platforms.

3) Privacy and data protection – not an obstacle to productivity

Built-in privacy. Another well-noted impact of rapid digitalisation is the immense increase in the amount of data being generated and collected in the process. Naturally, this puts into the spotlight questions around data privacy (especially for personal data) and data protection.

This echoes some of the questions libraries themselves had to answer during the pandemic – which platform can be used for virtual programming? How to minimise data collection? What initiatives targeting particular user groups are possible?

Some of the suggested measures to address these concerns included clear internal policies and processes which build in privacy at the outset, increased transparency and accountability, and, importantly, actively promoting the idea that “data protection is not an obstacle to productivity and innovation”.

Digital skills. Another element that can help preserve privacy and data security is, of course, learning – both for staff members (to help guide internal processes) and users (to help understand and navigate their own use of the internet – e.g. online financial services). This will be familiar to many in the library field who are increasingly focused on supporting digital literacy and confidence within their communities.

4) Paths towards a greener digital future

The complexity of the relationship between the ongoing digital transformation and environment and sustainability is, of course, well-noted. Technology has immense potential to help track and mitigate today’s environmental challenges. Yet it also contributes to these challenges in various ways, from energy consumption and resource extraction to e-waste.

A part of the EuroDIG discussions dedicated to environmental sustainability focused on a broader public perspective: the impacts of lifestyles and consumption patterns around technology.

As such, among the key needed changes the participants highlighted were policies, practices and infrastructure facilitating the reuse and repair of technology. Another important element was raising public awareness and education, to enable communities to make sustainable choices – which also requires access to quality information and transparency about technology.

Such questions are of course of interest for libraries: from public procurement, to repair workshops held in libraries, to raising awareness about sustainable consumption patterns.

A related point focused on the link between sustainability and equality of access. Here, it can also be worthwhile to examine models of access that support equitable digital inclusion while keeping the number of new devices entering circulation lower (whether by distributing refurbished technology, providing free public access to ICT, or other means).

These are just some of the discussions from the 2021 EuroDIG which can be worthwhile and interesting for libraries to keep track of – with more sessions exploring questions around freedom of expression and content moderation practices online, formal and informal media literacy learning practices, and more.

You can take a look at the draft EuroDIG2021 takeaway messages, access all session recordings, and stay engaged with internet governance discussions to share insights, perspectives and good practices from across the global library field!

GDPR, three years on: five lessons on data privacy and libraries

When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy – both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.

The GDPR’s third anniversary gives occasion to reflect on the progress made so far, where discussions on data privacy, confidentiality and security stand today, and the implications of this for libraries. This blog presents five lessons:

1) Change is afoot, in Europe and beyond: The oft-cited trend of an emerging new generation of privacy laws continues; with legislation introduced, amended or currently under review in different parts of the world – from Canada to Brazil, Singapore to Australia.

In addition, with the ‘Privacy Shield’ framework for data exchange between the EU and the USA overturned, policy discussions around the privacy and security of cross-border data flows also remain high on the agenda. As such, mutual adequacy decisions and other arrangements further shape the global and local policy environments around data privacy.

Within Europe, stakeholders are paying close attention to the outcomes of the implementation and ongoing enforcement of these policies. On the one hand, the past months saw a sustained growth in the number of breach notifications submitted and fines issued within the GDPR framework.

On the other hand, as a recent GDPR implementation progress report by Access Now notes, many complaints from private individuals are yet to be addressed; and data protection authorities and EU bodies flag some crucial challenges in enforcement – e.g. in the cross-national collaboration mechanism, national differences in implementation, and others.

The report highlights that GDPR is ‘still in its infancy’; but it is a flagship regulation that continues to have a significant impact on the global data privacy policy field. As such, for libraries around the world, it is worthwhile to keep up with these key developments as they continue to navigate their work with user (and employee) data.

2) It is not only governments that are changing their approaches: another emerging trend is private tech companies increasingly stepping into the roles of data protection stakeholders, and changing how online data flows unfold – e.g. with Apple’s software update and Google’s planned steps to reduce third-party tracking.

However, the reactions to these seem to be mixed – some celebrate the anticipated privacy gains, others express concerns over big tech having far-reaching capacity to act as data privacy regulators, and in particular whether private companies can ever be as accountable as public regulators. This does also raise questions about whether those companies already able to draw on the lessons of previous data collection will enjoy unfair advantages compared to competitors. Others noted that the benefits from privacy measures introduced by private companies may not be distributed equally – for example, with those who are able to afford more expensive devices ultimately enjoying higher privacy standards.

3) The relevance of GDPR and other privacy protections is greater than ever, including in libraries: it was under the framework of GDPR that the leap to digital during the pandemic took place. There are examples of how it helped inform the choice of medium for online programming (e.g. ruling out some channels, like WhatsApp). There are also examples of GDPR having an impact on whether some initiatives – like organised outreach to potentially vulnerable library users – were on the table.

But of course, as privacy remains an important consideration in many public discussions during the pandemic (e.g. contact tracing, vaccine passports), for countless librarians there is a heightened sense of responsibility and vigilance around data privacy.

As such, the year saw professional discussions, guides and toolkits put together to help libraries navigate privacy challenges during the pandemic – from contact tracing and temperature checks to supporting educators in protecting student privacy online.

When planning these adjustments and responses, going back to the basics – understanding the key building blocks of privacy today – can be helpful. For example, GDPR has helped shape the understanding of what personal data encompasses today – e.g. not just the obvious categories like names and addresses but also, for instance, graphic and photographic data, and so much more. It commits to principles like data minimisation – a concept which wasn’t new to libraries, of course, but nonetheless helpful in thinking about any organisation’s data management processes, and reducing risks and harms. All these elements and concepts can be helpful for libraries in structuring their thoughts on what privacy means today – even for those not falling under GDPR’s jurisdiction.

4) But it’s not always easy to enforce privacy: some of these measures are, of course, a matter of internal processes and are comparatively easier for libraries to implement (e.g. choosing a medium for online programming; maintaining strict policies and procedures in situations when contact tracing is required).

However, the past months also saw reflections on how it is significantly more difficult for libraries to keep up privacy standards, initially developed in an analogue world, in digital processes which involve powerful third parties.

These were exemplified in the library concerns around the surveillance capacities of academic library vendors (e.g. the ways vendors may use library patron data far beyond anticipated purposes, or even proposals for more intrusive data collection in academic libraries to enforce copyright).

Some of the proposed paths to solving these challenges include, of course, better understanding these phenomena, and supporting libraries’ work to renegotiate or recalibrate relationships and agreements with outside vendors.

5) Privacy and performance should not be seen as mutually exclusive: too often, it is easy to see privacy as a zero-sum game. However, this is not inevitable.

This was echoed during the discussions about public health interventions reliant on large-scale data collections: trading away privacy for other benefits is not always a helpful framing. Instead, built-in privacy which preserves and ensures trust in such public health interventions can help them find broader acceptance, while a lack of trust can undermine their success.

As a Data Privacy Toolkit by the Pacific Library Partnership puts it in the library context,

“Positive-sum versus “all or nothing” outcomes: taking a “we can have privacy or we can have this other thing” approach to privacy discussions leaves little to no room for discussions that address the privacy needs and concerns of everyone involved.”

The discussion about data privacy, of course, remains both technical and complex, and can at times feel overwhelming. But between ongoing efforts to identify practical measures libraries can take, their advocacy efforts, and an overarching commitment to privacy as a key part of their professional ethics, the work to ensure libraries deliver on this commitment continues!

The EU General Data Protection Regulation, Two Years On

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force in the EU. This marked a fundamentally new approach to data protection, privacy, security and user rights. Naturally, libraries as controllers of user data – patron registration data, library website uses, and much more – saw new obligations, responsibilities and processes that they needed to implement. Two years on, where does GDPR stand, and how will it continue to impact the library field?

The implementation and enforcement of GDPR has given rise to a flurry of activity over the past two years. Access Now points out that more than 140000 complaints have been submitted between May 2018 and May 2019 alone. Those found guilty of breaching its provisions have been held to account, with 231 fines or other sanctions levied over the past two years.

Indeed, just a few days ago, the Irish Data Protection Commission issued a draft decision regarding Twitter’s GDPR compliance, moving closer towards the completion of a major cross-border GDPR case. Earlier, national authorities had already administered fines to Facebook, Google and WhatsApp; and several countries across the world introduced data privacy legislation inspired by GDPR or the global conversation it had launched.

Nonetheless, despite these arguably positive stories of authorities acting to protect privacy, the Access Now report also points out the challenges that GDPR implementation has faced – such as the resource constraints Data Protection Authorities may face or the challenges of cross-border cases. Similarly, in their Open Letter marking the second anniversary of GDPR, European Digital Rights calls for more action to address the GDPR enforcement gaps.

Keeping Up with Events

The timing is helpful. A formal review of GDPR is due for its second anniversary. In addition, the area of data regulation will likely see more significant activities in the coming months and years. Just a few months ago, the European Commission led by Ursula von der Leyen unveiled an ambitious EU Data Strategy, which will aim to facilitate data flows throughout the EU and enable broader use of data in services and products.

As a result, in 2021, Europe can expect a proposal of an EU Data Act; which will of course be linked to GDPR when it comes to such questions as data sharing and user rights (e.g. portability).

Of course, the current pandemic has also raised questions pertaining to GDPR. The COVID crisis has, for example, prompted questions about the more extensive use of health data for research purposes, employee data, or tracing applications and geolocation – and how these relate to the privacy and security protections guaranteed by GDPR rules.

The European Data Protection Supervisor has reiterated that GDPR is designed to be a broad legislation, with rules and regulations which are applicable to crisis situations such as this. Nonetheless, there will be a lot of value in an evaluation of the degree to which violations of the right to a private life have been justifiable, and whether tougher or clearer rules are necessary.

Libraries and GDPR, looking ahead

This points us to the question of what these developments can mean for libraries. With the demand for digital library offerings and services surging during COVID, it is particularly important to keep in mind the need to at all times ensure the privacy and security of user data that such activities generate.

GDPR highlights the importance of “privacy by design”, meaning that privacy and security measures are taken into consideration and embedded into the design of new data processing operations from the outset. Similarly, data controllers need to ensure the privacy and security of users’ data when making use of any new third-party platforms or services.

If you are introducing new digital services or processes to your library, it’s crucial to consider whether these might entail collecting any new personal data, or processing it differently. On what grounds would the new data be processed? Are third party suppliers also respecting privacy?

We are yet to see the long-term impact of the pandemic on library services – including the question of whether this large-scale shift to digital will be sustained. In the meantime, it is crucial for libraries to continue putting privacy and security first in any new services or offerings, and keep an eye on any possible future legislation in the field of data regulation!

Personal Identifiable Information and Archiving For The Public Interest

 “There is no political power without control of the archives, if not of memory. Effective democratization can always be measured by this essential criterion: the participation in and access to the archive, its constitution, and its interpretation.” Jacques Derrida

Archives and libraries are important memory institutions. Their role in documenting many aspects of human lives can, alongside providing a vital support to researchers, also promote accountability and the bringing to justice of those who infringe rights. One of my favourite archive stories relates to an episode of Guatemalan history.

In 2005, some abandoned old buildings in Guatemala City were opened for an upcoming city project. Unexpectedly, they revealed the entire archive of the defunct National Police. Amidst piles of papers ruined by humidity, vermin and tears lay the documentation of a series of horrors committed at the height of Guatemala’s civil conflict in the 1980s. During this time, governmental death squads roamed the city and kidnapped individuals who never returned to their homes.

Upon the discovery, local volunteers and archivists worked alongside colleagues from the USA to collect, preserve and digitize all the papers. The effects of such discovery had profound repercussions on Guatemalan society as the discovery allowed the country to close the door on one of the most violent periods of its history. The digitized archives were made available online and they are now publicly available here.

This story underlines that institutions such as libraries and archives are the homes for our collective memory. They help us to understand the past, make sense of the present, and guide us for the future. Archives and libraries collect and store this information in the public interest, and inevitably, they will collect information concerning people.

The broad definition of personally identifiable information potentially covers a wide range of materials – blogs or news stories containing political views, Wikipedia pages, tweets. These all serve to identify a person.

Clearly there are significant concerns about how data is used, for example by social media platforms, credit rating agencies, or marketing companies. The new General Data Protection Regulation (GDPR), which entered into force on 25 May 2018, applies to all of them. But what does it mean for memory institutions?

The law has the general aim to protect individuals’ rights and freedoms and enables organisations to process personal identifiable information with due regard for the rights and freedom of individuals. As such, a data subject has the right to be informed about the data gathered about him/her, has the right to access, the right of rectification and process and the right to erasure or the right to be forgotten, among others.

Article 17 of the GDPR states that the “data subject shall have the right to obtain from the controller, the person who determines why and how personal data are processed, the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”.

However, there is an exception for archiving purposes, amongst other circumstances. “Importantly, the right to erasure does not apply if processing is necessary for archiving purposes in the public interest, where erasure is likely to render impossible or seriously impair the achievement of that processing”.

However, this exception is only optional – countries have to decide whether they want to include it in national law. Moreover, it is unclear what the phrase “archiving purposes in the public interest” really means and which archives/collections are covered. The phrase is not defined in the GDPR itself. A recital may imply that coverage is limited to institutions with a legal obligation to acquire and preserve records, but there are others who collect for different reasons and their mission also results in public benefit.

With more and more countries looking to adopt data protection legislation, there is a need to ensure that archiving exceptions are protected. Without this, there is always a risk that those who committed crimes during the Guatemalan civil war can ask for the evidence of their crimes to be deleted.

IFLA is planning to write a statement on personal identifiable information and archiving in the public interest and it would like to gather opinions, comments and suggestions from its FAIFE community on this topic. Please let us know if you have any ideas to contribute. We are looking forward to hearing from you.