Richard Stallman will love the new GDPR.
It’s not every day that a new law comes into force that will
have major implications for digital industries around the
globe. It’s even rarer when such a law will also bolster free
software’s underlying philosophy. But the European Union’s General Data Protection
Regulation (GDPR), which will be enforced from May 25, 2018, does
both of those things, making its appearance one of the most important
events in the history of open source.
Free software is famously about freedom,
not free beverages:
“Free software” means software that respects users’
freedom and community. Roughly, it means that the users have the freedom
to run, copy, distribute, study, change and improve the software. Thus,
“free software” is a matter of liberty, not price. To understand the
concept, you should think of “free” as in “free speech,” not as
in “free beer”.
Richard Stallman’s great campaign to empower individuals by
enabling them to choose software that is under their control has
succeeded to the extent that anyone now can choose from among
a wide range of free software programs and avoid proprietary
lock-in. But a few years back, Stallman realized there was a
new threat to freedom: cloud computing. As he told The Guardian:
One reason you should not use web applications to do your
computing is that you lose control. It’s just as bad as using
a proprietary program. Do your own computing on your own computer with
your copy of a freedom-respecting program. If you use a proprietary
program or somebody else’s web server, you’re defenseless. You’re putty
in the hands of whoever developed that software.
Stallman pointed out that running a free software
operating system—for example Google’s ChromeOS—offered no
protection against this loss of control. Nor does
requiring the cloud computing service to use the GNU Affero
GPL license solve the problem: just because users have access to
the underlying code that is running on the servers does not mean they
are in the driver’s seat. The real problem lies not with the code,
but elsewhere—with the data.
Running free software on your own computer, you obviously retain control
of your own data. But that’s not the case with cloud computing services—or, indeed, most online services, such as e-commerce sites or social
networks. There, highly personal data about you is routinely held by
the companies in question. Whether or not they run their servers on open-source code—as most now do—is irrelevant; what matters is that they
control your data—and you don’t.
The new GDPR changes all that. Just as free software seeks to empower
individuals by giving them control over the code they run, so the GDPR
empowers people by giving them the ability to control their personal
data, wherever it is stored, and whichever company is processing it.
The GDPR will have a massive impact on the entire online world because
its reach is global,
as this EU website on the subject explains:
The GDPR not only applies to organisations located within
the EU but it will also apply to organisations located outside of the
EU if they offer goods or services to, or monitor the behaviour of,
EU data subjects. It applies to all companies processing and holding
the personal data of data subjects residing in the European Union,
regardless of the company’s location.
And if you think that the internet giants based outside
the EU will simply ignore the GDPR, think again: under
the legislation, companies that fail to comply with the new
regulation can be fined up to 4% of their global turnover,
wherever they are based. Google’s total turnover last year was $110
billion, which means that non-compliance could cost it $4.4 billion.
Those kinds of figures guarantee that every business in the world that has
dealings with EU citizens anywhere, in any way, will be fully implementing
the GDPR. In effect, the GDPR will be a privacy law for the whole world,
and the whole world will benefit. According to a report in the Financial
Times last year, the top 500 companies in the US alone will spend $7.8
billion in order to meet the new
rules (paywall). The recent scandal over Cambridge
Analytica’s massive collection of personal data using a Facebook app
is likely to increase pressure globally on businesses to strengthen their
protections for personal data for everyone, not just for EU citizens.
The GDPR’s main
features are as follows.
Consent to data processing “must be clear
and distinguishable from other matters and provided in an intelligible
and easily accessible form, using clear and plain language. It must be as
easy to withdraw consent as it is to give it.”
Companies will no longer
be able to hide bad privacy policies in long and incomprehensible terms.
The purpose of the data processing must be clearly
attached to the request for consent, and withdrawing consent must be as easy to do as giving it.
There are two important rights in the GDPR. The “right to access”
means people are able to find out from an organization whether or not
personal data concerning them is being processed, where and for what
purpose. They must be given a copy of the personal data, free of charge,
on request. That data must be in a “commonly used” and machine-readable
format so that it can be easily transferred to another service. The other
right is to data erasure, also known as the “right to be forgotten”.
This applies when data is no longer relevant to the original purposes
for processing, or people have withdrawn their consent. However, that
right is not absolute: the public interest in the availability of the
data may mean that it is not deleted.
One of the innovations of the GDPR is that it embraces “privacy by design and
default”. That is, privacy must be built into technology from the
start and not added as an afterthought. In many ways, this mirrors free
software’s insistence that freedom must suffuse computer code, not be
regarded as something that can be bolted on afterward. The original Privacy
by Design framework explains what this will mean in practice:
Privacy must become integral to organizational priorities,
project objectives, design processes, and planning operations. Privacy
must be embedded into every standard, protocol and process that touches
Open-source projects are probably in a good position to make
that happen, thanks to their transparent, flexible processes
and feedback mechanisms. In addition, under the GDPR, computer security
and encryption gain a heightened importance, not least because
there are new requirements for “breach notifications”. Both the relevant authorities
and those affected must
be informed rapidly of any breach. Again, open-source applications may
have an advantage here thanks to the ready availability of the source
code that can be examined for possible vulnerabilities. The new fines
for those who fail to comply with the breach notifications—up to 2%
of global turnover—could offer an additional incentive for companies
to require open-source solutions so that they have the option to look
for problems before they turn into expensive infractions of the GDPR.
It would be hard to overstate the importance of the GDPR, which will
have global ramifications for both the privacy sector in particular and
the digital world in general. Its impact on open source is more subtle,
but no less profound. Although it was never intended as such, it will
effectively address the key problem left unresolved by free software:
how to endow users with the same kind of control that they enjoy over
their own computers, when they use online services. As a result, May
25, 2018 should go down as the day when the freedom bestowed by open source
went up a notch.