The GDPR Takes Open Source to the Next Level

Glyn Moody Wed, 05/02/2018 - 07:00

Richard Stallman will love the new GDPR.

It's not every day that a new law comes into force that will have major implications for digital industries around the globe. It's even rarer when such a law will also bolster free software's underlying philosophy. But the European Union's General Data Protection Regulation (GDPR), which will be enforced from May 25, 2018, does both of those things, making its appearance one of the most important events in the history of open source.

Free software is famously about freedom, not free beverages:

"Free software" means software that respects users' freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, "free software" is a matter of liberty, not price. To understand the concept, you should think of "free" as in "free speech," not as in "free beer".

Richard Stallman's great campaign to empower individuals by enabling them to choose software that is under their control has succeeded to the extent that anyone now can choose from among a wide range of free software programs and avoid proprietary lock-in. But a few years back, Stallman realized there was a new threat to freedom: cloud computing. As he told The Guardian in 2008:

One reason you should not use web applications to do your computing is that you lose control. It's just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else's web server, you're defenseless. You're putty in the hands of whoever developed that software.

Stallman pointed out that running a free software operating system—for example Google's ChromeOS—offered no protection against this loss of control. Nor does requiring the cloud computing service to use the GNU Affero GPL license solve the problem: just because users have access to the underlying code that is running on the servers does not mean they are in the driver's seat. The real problem lies not with the code, but elsewhere—with the data.

Running free software on your own computer, you obviously retain control of your own data. But that's not the case with cloud computing services—or, indeed, most online services, such as e-commerce sites or social networks. There, highly personal data about you is routinely held by the companies in question. Whether or not they run their servers on open-source code—as most now do—is irrelevant; what matters is that they control your data—and you don't.

The new GDPR changes all that. Just as free software seeks to empower individuals by giving them control over the code they run, so the GDPR empowers people by giving them the ability to control their personal data, wherever it is stored, and whichever company is processing it. The GDPR will have a massive impact on the entire online world because its reach is global, as this EU website on the subject explains:

The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.

And if you think that the internet giants based outside the EU will simply ignore the GDPR, think again: under the legislation, companies that fail to comply with the new regulation can be fined up to 4% of their global turnover, wherever they are based. Google's total turnover last year was $110 billion, which means that non-compliance could cost it $4.4 billion. Those kinds of figures guarantee that every business in the world that has dealings with EU citizens anywhere, in any way, will be fully implementing the GDPR. In effect, the GDPR will be a privacy law for the whole world, and the whole world will benefit. According to a report in the Financial Times last year, the top 500 companies in the US alone will spend $7.8 billion in order to meet the new rules (paywall). The recent scandal over Cambridge Analytica's massive collection of personal data using a Facebook app is likely to increase pressure globally on businesses to strengthen their protections for personal data for everyone, not just for EU citizens.

The GDPR's main features are as follows. Consent to data processing "must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it." Companies will no longer be able to hide bad privacy policies in long and incomprehensible terms and conditions. The purpose of the data processing must be clearly attached to the request for consent, and withdrawing consent must be as easy to do as giving it.

There are two important rights in the GDPR. The "right to access" means people are able to find out from an organization whether or not personal data concerning them is being processed, where and for what purpose. They must be given a copy of the personal data, free of charge, on request. That data must be in a "commonly used" and machine-readable format so that it can be easily transferred to another service. The other right is to data erasure, also known as the "right to be forgotten". This applies when data is no longer relevant to the original purposes for processing, or people have withdrawn their consent. However, that right is not absolute: the public interest in the availability of the data may mean that it is not deleted.

One of the innovations of the GDPR is that it embraces "privacy by design and default". That is, privacy must be built into technology from the start and not added as an afterthought. In many ways, this mirrors free software's insistence that freedom must suffuse computer code, not be regarded as something that can be bolted on afterward. The original Privacy by Design framework explains what this will mean in practice:

Privacy must become integral to organizational priorities, project objectives, design processes, and planning operations. Privacy must be embedded into every standard, protocol and process that touches our lives.

Open-source projects are probably in a good position to make that happen, thanks to their transparent, flexible processes and feedback mechanisms. In addition, under the GDPR, computer security and encryption gain a heightened importance, not least because there are new requirements for "breach notifications". Both the relevant authorities and those affected must be informed rapidly of any breach. Again, open-source applications may have an advantage here thanks to the ready availability of the source code that can be examined for possible vulnerabilities. The new fines for those who fail to comply with the breach notifications—up to 2% of global turnover—could offer an additional incentive for companies to require open-source solutions so that they have the option to look for problems before they turn into expensive infractions of the GDPR.

It would be hard to overstate the importance of the GDPR, which will have global ramifications for both the privacy sector in particular and the digital world in general. Its impact on open source is more subtle, but no less profound. Although it was never intended as such, it will effectively address the key problem left unresolved by free software: how to endow users with the same kind of control that they enjoy over their own computers, when they use online services. As a result, May 25, 2018 should go down as the day when the freedom bestowed by open source went up a notch.