
GDPR, three years on: five lessons on data privacy and libraries

When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy – both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.

The GDPR’s third anniversary gives occasion to reflect on the progress made so far, where discussions on data privacy, confidentiality and security stand today, and the implications of this for libraries. This blog presents five lessons:

1) Change is afoot, in Europe and beyond: The oft-cited trend of an emerging new generation of privacy laws continues, with legislation introduced, amended or currently under review in different parts of the world – from Canada to Brazil, Singapore to Australia.

In addition, with the ‘Privacy Shield’ framework for data exchange between the EU and the USA overturned, policy discussions around the privacy and security of cross-border data flows also remain high on the agenda. As such, mutual adequacy decisions and other arrangements further shape the global and local policy environments around data privacy.

Within Europe, stakeholders are paying close attention to the outcomes of the implementation and ongoing enforcement of these policies. On the one hand, the past months saw a sustained growth in the number of breach notifications submitted and fines issued within the GDPR framework.

On the other hand, as a recent GDPR implementation progress report by Access Now notes, many complaints from private individuals are yet to be addressed; and data protection authorities and EU bodies flag some crucial challenges in enforcement – e.g. in the cross-national collaboration mechanism, national differences in implementation, and others.

The report highlights that GDPR is ‘still in its infancy’; but it is a flagship regulation that continues to have a significant impact on the global data privacy policy field. As such, for libraries around the world, it is worthwhile to keep up with these key developments as they continue to navigate their work with user (and employee) data.

2) It is not only governments that are changing their approaches: another emerging trend is private tech companies increasingly stepping into the roles of data protection stakeholders, and changing how online data flows unfold – e.g. with Apple’s software update and Google’s planned steps to reduce third-party tracking.

However, the reactions to these seem to be mixed – some celebrate the anticipated privacy gains, others express concerns over big tech having far-reaching capacity to act as data privacy regulators, and in particular whether private companies can ever be as accountable as public regulators. This also raises questions about whether companies that can already draw on the lessons of previous data collection will enjoy unfair advantages compared to competitors. Others noted that the benefits from privacy measures introduced by private companies may not be distributed equally – for example, with those who are able to afford more expensive devices ultimately enjoying higher privacy standards.

3) The relevance of GDPR and other privacy protections is greater than ever, including in libraries: it was under the framework of GDPR that the leap to digital during the pandemic took place. There are examples of how it helped inform the choice of medium for online programming (e.g. ruling out some channels, like WhatsApp). There are also examples of GDPR having an impact on whether some initiatives – like organised outreach to potentially vulnerable library users – were on the table.

But of course, as privacy remains an important consideration in many public discussions during the pandemic (e.g. contact tracing, vaccine passports), for countless librarians there is a heightened sense of responsibility and vigilance around data privacy.

As such, the year saw professional discussions, guides and toolkits put together to help libraries navigate privacy challenges during the pandemic – from contact tracing and temperature checks to supporting educators in protecting student privacy online.

When planning these adjustments and responses, going back to the basics – understanding the key building blocks of privacy today – can be helpful. For example, GDPR has helped shape the understanding of what personal data encompasses today – e.g. not just the obvious categories like names and addresses but also, for instance, graphic and photographic data, and so much more. It commits to principles like data minimisation – a concept which wasn’t new to libraries, of course, but nonetheless helpful in thinking about any organisation’s data management processes, and reducing risks and harms. All these elements and concepts can be helpful for libraries in structuring their thoughts on what privacy means today – even for those not falling under GDPR’s jurisdiction.

4) But it’s not always easy to enforce privacy: some of these measures are, of course, a matter of internal processes and are comparatively easier for libraries to implement (e.g. choosing a medium for online programming; maintaining strict policies and procedures in situations when contact tracing is required).

However, the past months also saw reflections on how it is significantly more difficult for libraries to keep up privacy standards, initially developed in an analogue world, in digital processes which involve powerful third parties.

These were exemplified in the library concerns around the surveillance capacities of academic library vendors (e.g. the ways vendors may use library patron data far beyond anticipated purposes, or even proposals for more intrusive data collection in academic libraries to enforce copyright).

Some of the proposed paths to solving these challenges include, of course, better understanding these phenomena, and supporting libraries’ work to renegotiate or recalibrate relationships and agreements with outside vendors.

5) Privacy and performance should not be seen as mutually exclusive: too often, it is easy to see privacy as a zero-sum game. However, this is not inevitable.

This was echoed during the discussions about public health interventions reliant on large-scale data collections: trading away privacy for other benefits is not always a helpful framing. Instead, built-in privacy which preserves and ensures trust in such public health interventions can help them find broader acceptance, while a lack of trust can undermine their success.

As a Data Privacy Toolkit by the Pacific Library Partnership puts it in the library context,

“Positive-sum versus “all or nothing” outcomes: taking a “we can have privacy or we can have this other thing” approach to privacy discussions leaves little to no room for discussions that address the privacy needs and concerns of everyone involved.”

The discussion about data privacy, of course, remains both technical and complex, and can at times feel overwhelming. But between ongoing efforts to identify practical measures libraries can take, their advocacy efforts, and an overarching commitment to privacy as a key part of their professional ethics, the work to ensure libraries deliver on this commitment continues!

The EU General Data Protection Regulation, Two Years On

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force in the EU. This marked a fundamentally new approach to data protection, privacy, security and user rights. Naturally, libraries as controllers of user data – patron registration data, library website uses, and much more – saw new obligations, responsibilities and processes that they needed to implement. Two years on, where does GDPR stand, and how will it continue to impact the library field?

The implementation and enforcement of GDPR has given rise to a flurry of activity over the past two years. Access Now points out that more than 140000 complaints have been submitted between May 2018 and May 2019 alone. Those found guilty of breaching its provisions have been held to account, with 231 fines or other sanctions levied over the past two years.

Indeed, just a few days ago, the Irish Data Protection Commission issued a draft decision regarding Twitter’s GDPR compliance, moving closer towards the completion of a major cross-border GDPR case. Earlier, national authorities had already administered fines to Facebook, Google and WhatsApp; and several countries across the world introduced data privacy legislation inspired by GDPR or the global conversation it had launched.

Nonetheless, despite these arguably positive stories of authorities acting to protect privacy, the Access Now report also points out the challenges that GDPR implementation has faced – such as the resource constraints Data Protection Authorities may face or the challenges of cross-border cases. Similarly, in their Open Letter marking the second anniversary of GDPR, European Digital Rights calls for more action to address the GDPR enforcement gaps.

Keeping Up with Events

The timing is helpful. A formal review of GDPR is due for its second anniversary. In addition, the area of data regulation will likely see more significant activities in the coming months and years. Just a few months ago, the European Commission led by Ursula von der Leyen unveiled an ambitious EU Data Strategy, which will aim to facilitate data flows throughout the EU and enable broader use of data in services and products.

As a result, in 2021, Europe can expect a proposal of an EU Data Act, which will of course be linked to GDPR when it comes to such questions as data sharing and user rights (e.g. portability).

Of course, the current pandemic has also raised questions pertaining to GDPR. The COVID crisis has, for example, prompted questions about the more extensive use of health data for research purposes, employee data, or tracing applications and geolocation – and how these relate to the privacy and security protections guaranteed by GDPR rules.

The European Data Protection Supervisor has reiterated that GDPR is designed to be a broad legislation, with rules and regulations which are applicable to crisis situations such as this. Nonetheless, there will be a lot of value in an evaluation of the degree to which violations of the right to a private life have been justifiable, and whether tougher or clearer rules are necessary.

Libraries and GDPR, looking ahead

This points us to the question of what these developments can mean for libraries. With the demand for digital library offerings and services surging during COVID, it is particularly important to keep in mind the need to at all times ensure the privacy and security of user data that such activities generate.

GDPR highlights the importance of “privacy by design”, meaning that privacy and security measures are taken into consideration and embedded into the design of new data processing operations from the outset. Similarly, data controllers need to ensure the privacy and security of users’ data when making use of any new third-party platforms or services.

If you are introducing new digital services or processes to your library, it’s crucial to consider whether these might entail collecting any new personal data, or processing it differently. On what grounds would the new data be processed? Are third party suppliers also respecting privacy?

We are yet to see the long-term impact of the pandemic on library services – including the question of whether this large-scale shift to digital will be sustained. In the meantime, it is crucial for libraries to continue putting privacy and security first in any new services or offerings, and keep an eye on any possible future legislation in the field of data regulation!

A Right to Anonymity?

With recent reforms in Austria set to remove the possibility to leave anonymous comments on the internet, the question of the right to anonymity is on the agenda.

The justification for the reforms in Austria is concern about the rise of ‘hate speech’, and the sense that anonymity can give people the possibility to spread discriminatory views without consequences. If there’s a risk of being identified and caught, the argument goes, people will moderate their speech.

Civil liberties groups have, however, opposed this, pointing out that it is often the usual victims of hate speech – marginalised groups, those in vulnerable positions – who have benefitted most from the opportunity to use the Internet without giving up their identities.

How does this affect libraries, both as concerns their values and their practice?

Anonymity is included as a concept in IFLA’s own Statement on Intellectual Freedom, which is celebrating its 20th Anniversary this year:

‘Library users shall have the right to personal privacy and anonymity. Librarians and other library staff shall not disclose the identity of users or the materials they use to a third party’.

Talking about privacy and anonymity is perhaps a little awkward. In effect, anonymity is rather one means – a particularly effective one – of ensuring privacy. If you are never identified in what you do, then there is no possibility of someone else learning about your preferences or activities.

For example, it is the difference between paying for your groceries with a credit or debit card, and paying with cash. Paying with a card leaves a trace which a shop or card provider can use to build a profile. Paying with cash leaves no trace. It is far easier to be anonymous in the latter case.

 

Of course, privacy can be achieved without anonymity. There are conditions under which personal data collection is acceptable – and even desirable.

Indeed, this is recognised in legislation such as the General Data Protection Regulation in Europe. This both looks to ensure that no more data is collected than necessary (data minimisation), and that what data is collected is done with consent, and then stored and used properly.

In short, privacy implies a mixture of anonymity in some cases, and careful and ethical collection and management of data in others.

The question then is of how to decide when we should opt for anonymity, and when not, acknowledging that the highest level of privacy comes from keeping people anonymous.

 

Anonymity vs Data Protection

There are some interesting examples in the wider world that offer some insights into this question. For example, it is seen as normal that we need to identify ourselves in order to buy and drive a car. Nonetheless, the list of who owns which car is not made public.

However, if we were asked for the same in order to ride a bicycle, this would seem shocking.

Why is this? The reason likely lies in the fact that it is far more likely that someone can do harm in a car than on a bicycle. In order to catch those who are driving too fast, or causing accidents, giving the police a means of identifying the owner of a car can be seen as justifiable (if not perfect).

A second example comes from contrasting medical records with information about how someone travels around within a country.

We generally accept that medical professionals should have access to records about allergies, conditions and past treatment in order to improve our care. We of course expect that these are properly looked after.

In contrast, in most parts of the world, we don’t expect to be tracked as we move around within the cities, regions or countries we live in. While, of course, our phones often do this for us, when we become aware of it, we often remember to update our settings to prevent this.

In short, while there may be some situations where being tracked is helpful (for example to find missing people or to make using online maps easier), many, given the option, will choose anonymity.

In this case, even though medical information is arguably far more personal than travel information, we accept this breach of anonymity because it brings real benefits.

What about libraries?

Many libraries do not require identification for someone to be able to enter a building and use resources on site (although policies do vary when it comes to using library computers). However, in order to borrow books, a library card is necessary, implying a loss of anonymity.

The justification is that lending only works when there are limits on what any individual can borrow, and that there is a time-limit on this. This is only possible with an account attached to a person.

The IFLA statement implicitly recognises this divergent approach, accepting that in addition to anonymity in some circumstances, libraries will also hold personal information which could (but shouldn’t, at least not without consent) be shared with third parties.

How does this choice apply when it comes to using – and expressing yourself – on the internet?

 

The Man Without an IP Address

Clearly the argument of the Austrian government is that the harm done by online hate speech is cause enough to oblige people to use their real names.

At first, this logic is attractive. Hate speech does indeed do harm to people who may already be vulnerable, and it is important to stop it when it risks leading to real harm.

However, it is not necessarily the case that identifying a person stops this from happening – in the end, it is taking down the content itself that resolves the issue. This can be done through notice and (transparent) moderation.

The subject of hate speech itself is also difficult. While there may be some black-and-white cases, there are many more nuanced ones where it is hard to draw a clear distinction. Just because something is rude or offensive for some, it does not necessarily make it hate-speech.

This recalls the situation with other reasons often given for restricting content, such as security (many governments claim that any criticism of their actions is a security threat) or morality (used in many situations to repress LGBTQI expression).

It is clear of course that perhaps some sources of hate speech will think twice if they need to share their identities. But this does not necessarily stop them holding such views, or carrying out acts motivated by them.

Furthermore, we also have to accept that removing the right to anonymity risks opening the doors to other moves away from anonymity as default, and so weakening a key protection for vulnerable individuals and groups.

People who have found a community and a voice online that has been denied to them in the physical world risk losing it when their names are shared. Through this, they can become the victims of attacks on their persons and property.

At a less extreme level, the feeling of being watched can have a chilling effect on online behaviour, restricting people’s ability to follow their interests and develop their personalities. In any case, for a democratic government to take such a step, even for the most honest of intentions, simply risks legitimatising those who will use restrictions on anonymity to crack down on diversity and dissent.

 

The implication of the General Data Protection Regulation, as well as of IFLA’s Statements on Intellectual Freedom and Privacy in the Library Environment is that the default in any situation should be the highest possible level of privacy – i.e. anonymity.

It follows that the collection of data should be the exception, not the rule, and in this case be justified. Cases such as that of Austria provide an opportunity to remind ourselves what’s at stake.

Nonetheless, decisions about when it is acceptable to derogate from anonymity also appear in the work of libraries. It is important to be conscious of these, in order to take the best decisions for users.