GDPR, three years on: five lessons on data privacy and libraries

When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy – both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.

The GDPR’s third anniversary gives occasion to reflect on the progress made so far, where discussions on data privacy, confidentiality and security stand today, and the implications of this for libraries. This blog presents five lessons:

1) Change is afoot, in Europe and beyond: the oft-cited trend of an emerging new generation of privacy laws continues, with legislation introduced, amended or currently under review in different parts of the world – from Canada to Brazil, Singapore to Australia.

In addition, with the ‘Privacy Shield’ framework for data exchange between the EU and the USA overturned, policy discussions around the privacy and security of cross-border data flows also remain high on the agenda. As such, mutual adequacy decisions and other arrangements further shape the global and local policy environments around data privacy.

Within Europe, stakeholders are paying close attention to the outcomes of the implementation and ongoing enforcement of these policies. On the one hand, the past months saw a sustained growth in the number of breach notifications submitted and fines issued within the GDPR framework.

On the other hand, as a recent GDPR implementation progress report by Access Now notes, many complaints from private individuals are yet to be addressed; and data protection authorities and EU bodies flag some crucial challenges in enforcement – e.g. in the cross-national collaboration mechanism, national differences in implementation, and others.

The report highlights that GDPR is ‘still in its infancy’; but it is a flagship regulation that continues to have a significant impact on the global data privacy policy field. As such, for libraries around the world, it is worthwhile to keep up with these key developments as they continue to navigate their work with user (and employee) data.

2) It is not only governments that are changing their approaches: another emerging trend is private tech companies increasingly stepping into the roles of data protection stakeholders, and changing how online data flows unfold – e.g. with Apple’s software update and Google’s planned steps to reduce third-party tracking.

However, the reactions to these seem to be mixed – some celebrate the anticipated privacy gains, others express concerns over big tech having far-reaching capacity to act as data privacy regulators, and in particular whether private companies can ever be as accountable as public regulators. This does also raise questions about whether those companies already able to draw on the lessons of previous data collection will enjoy unfair advantages compared to competitors. Others noted that the benefits from privacy measures introduced by private companies may not be distributed equally – for example, with those who are able to afford more expensive devices ultimately enjoying higher privacy standards.

3) The relevance of GDPR and other privacy protections is greater than ever, including in libraries: it was under the framework of GDPR that the leap to digital during the pandemic took place. There are examples of how it helped inform the choice of medium for online programming (e.g. ruling out some channels, like WhatsApp). There are also examples of GDPR having an impact on whether some initiatives – like organised outreach to potentially vulnerable library users – were on the table.

But of course, as privacy remains an important consideration in many public discussions during the pandemic (e.g. contact tracing, vaccine passports), for countless librarians there is a heightened sense of responsibility and vigilance around data privacy.

As such, the year saw professional discussions, guides and toolkits put together to help libraries navigate privacy challenges during the pandemic – from contact tracing and temperature checks to supporting educators in protecting student privacy online.

When planning these adjustments and responses, going back to the basics – understanding the key building blocks of privacy today – can be helpful. For example, GDPR has helped shape the understanding of what personal data encompasses today – e.g. not just the obvious categories like names and addresses but also, for instance, graphic and photographic data, and so much more. It commits to principles like data minimisation – a concept which wasn’t new to libraries, of course, but nonetheless helpful in thinking about any organisation’s data management processes, and reducing risks and harms. All these elements and concepts can be helpful for libraries in structuring their thoughts on what privacy means today – even for those not falling under GDPR’s jurisdiction.

4) But it’s not always easy to enforce privacy: some of these measures are, of course, a matter of internal processes and are comparatively easier for libraries to implement (e.g. choosing a medium for online programming; maintaining strict policies and procedures in situations when contact tracing is required).

However, the past months also saw reflections on how it is significantly more difficult for libraries to keep up privacy standards, initially developed in an analogue world, in digital processes which involve powerful third parties.

These were exemplified in the library concerns around the surveillance capacities of academic library vendors (e.g. the ways vendors may use library patron data far beyond anticipated purposes, or even proposals for more intrusive data collection in academic libraries to enforce copyright).

Some of the proposed paths to solving these challenges include, of course, better understanding these phenomena, and supporting libraries’ work to renegotiate or recalibrate relationships and agreements with outside vendors.

5) Privacy and performance should not be seen as mutually exclusive: too often, it is easy to see privacy as a zero-sum game. However, this is not inevitable.

This was echoed during the discussions about public health interventions reliant on large-scale data collections: trading away privacy for other benefits is not always a helpful framing. Instead, built-in privacy which preserves and ensures trust in such public health interventions can help them find broader acceptance, while a lack of trust can undermine their success.

As a Data Privacy Toolkit by the Pacific Library Partnership puts it in the library context,

“Positive-sum versus “all or nothing” outcomes: taking a “we can have privacy or we can have this other thing” approach to privacy discussions leaves little to no room for discussions that address the privacy needs and concerns of everyone involved.”

The discussion about data privacy, of course, remains both technical and complex, and can at times feel overwhelming. But between ongoing efforts to identify practical measures libraries can take, their advocacy efforts, and an overarching commitment to privacy as a key part of their professional ethics, the work to ensure libraries deliver on this commitment continues!
