Die Datenschutzgrundverordnung der Europäischen Union: Unser Schlachtplan.
Dieser Blogpost handelt von der Datenschutzgrundverordnung (DSGVO) der Europäischen Union (EU). Während ich auf die Grundlagen der DSGVO eingehe, konzentriert sich der Schwerpunkt auf deren Auswirkungen auf FreeSewing.org, und was wir in den 100 Tagen tun wollen, die bleiben, bevor die DSGVO in Kraft tritt.
Dies ist eine etwas lange Lektüre, deshalb hier ein Inhaltsverzeichnis:
Gedanken zur DSGVO der EU
Ich habe eine Hassliebe mit der Europäischen Union. Ich liebe, was sie tun und wofür sie stehen, ich hasse, wie sie es tun.
Mit der DSGVO ist es nicht anders. Es handelt sich um einen wichtiges Stück Gesetzgebung, das die Messlatte für den Online-Datenschutz höher legt, was großartig ist. Aber als ich über das Thema las, verspürte ich den Drang, aus Wut aufzuhören, diese ewigen Bürokraten.
Erlauben Sie mir, das zu erklären.
Privatsphäre braucht Schutz
Auf Gedeih und Verderb (ich glaube eher auf Verderben) hat sich das Internet in einen Modus Operandi eingependelt wobei Sie freie Sachen mit Ihren persönlichen Daten bezahlen. Einige Leute nennen es People-Farming, und ich denke, das ist ein toller Begriff.
Die furchterregenden Fünf saugen immer mehr unseres persönlichen Lebens ab. Abgesehen davon, dass wir nie online gehen werden, können wir anscheinend nur sehr wenig dagegen tun.
Warum die EU die beste ist
Dieses Problem ist zu groß, um von einem von uns alleine angegangen zu werden. Wer könnte der geballten Macht der Technologieriesen die Stirn bieten?
Nun, wie ist das für einen Lebenslauf:
- Habe Facebook zu 110 Millionen Euro Strafe wegen irreführender Aussagen über den Kauf von WhatsApp verurteilt
- Befahl Amazon die Nachzahlung von 250 Millionen Euro zusätzlicher Steuern in Luxemburg
- Verhängte gegen Google eine Geldbuße in Höhe von 2,4 Milliarden Euro wegen Missbrauchs seiner dominanten Position bei der Suche
- Habe Apple zur Zahlung von 13 Milliarden Euro zusätzlicher Steuern in Irland verurteilt
Wenn es um die Giganten der Technik geht, ist die Europäische Union nur eine Peitsche, kein Zuckerbrot.
Die Datenschutzgrundverordnung setzt Datenschutzrichtlinien durch, die die Rechte der Nutzer respektieren. Sie gilt für alle EU-Bürger, jederzeit und überall.
Es spielt keine Rolle, ob Sie ein "Silicon Valley Juggernaut" sind, die Rechte der EU-Bürger respektieren oder sich dem Zorn der Eurokratie stellen:
Organisationen, die gegen GDPR verstoßen, können mit einer Geldstrafe von bis zu 4% des weltweiten Jahresumsatzes oder 20 Millionen Euro (je nachdem, welcher Betrag höher ist) belegt werden
Vier Prozent des weltweiten Umsatzes ist eine sehr lange Peitsche.
Warum die EU die schlechteste ist
Da die EU die EU ist, ist die Verordnung ein Mischmasch aus hochgesteckten Zielen und Idealen, die durch Lobbygruppen verwässert und durch den Kompromiss, der erforderlich ist, um 28 Mitgliedstaaten ins Boot zu holen, noch komplizierter wird.
Die Absichten sind großartig, es ist eine großartige Idee, aber sie machen einen schrecklichen Job, sie zu vermarkten --- wie immer.
Die praktische Umsetzung liegt in den Händen der so genannten Artikel-29-Arbeitsgruppe die sich derzeit mit der Gestaltung von Symbolen beschäftigt (das kann man sich nicht ausdenken) Sie wird ihren Namen in Europäischen Datenschutzrat am 25. Mai ändern weil Sie mit diesem ganzen Jargon jetzt nicht zu zufrieden sein werden, oder?
Die DSGVO in der praktischen Umsetzung
Wenn Sie Expertenrat zur DSGVO-Konformität suchen, ist dies nicht der richtige Ort für Sie.
Aber wenn Sie neugierig sind auf die DSGVO und was es für eine Website wie FreeSewing.org braucht um der Verordnung gerecht zu werden, lesen Sie weiter.
Weiterführende Literatur
Wenn Sie wirklich wissen wollen, was DSGVO ist, ist das Beste, was Sie tun können Lesen Sie das verdammte Ding einfach durch. Es ist keine Raketenwissenschaft.
Wenn Gesetzestexte Sie dazu bringen, die Wände hoch zu gehen, hat die ICO des Vereinigten Königreichs einfach einer der besten Leitfäden zu DSGVO.
Gut zu wissen
A few things you should know before we dive into GDPR:
There's 100 days left
The GDPR was adopted back in 2016, but it won't grow its teeth until May 25th 2018.
Until that day, you get a pass. After that day, it's for real. Which means we have 100 days left to get our house in order.
There's exemptions for SMEs
Organizations employing fewer than 250 people are exempt from some of the more bureaucratic aspects of the GDPR, such as a bunch of documenting requirements.
Essentially, while you still have to do the right thing, there's a lot less paperwork to fill out.
Freesewing employs zero people, so we're off the hook.
There's extra provisions for sensitive data
Body measurements alone are not sensitive data
The GDPR has extra provisions for sensitive data such as biometric data, profiling, and a bunch of other stuff.
This was cause for concern because we collect body measurements, and one of our questions was whether that qualifies as biometric data.
Turns out it doesn't. Biometric data is what you can use to identify a person, like a fingerprint or iris scan. Body measurements alone are not sensitive data.
Collecting data through consent
To collect data, you need a so-called lawful basis for data processing. There are different types, but the one that applies to us (and to most online services) is consent.
In this scenario, your legal basis for processing the data is that you've asked the person to get their data and they've freely given it to you.
That is straight-forward, and makes sense. But the GDPR is really serious about making sure this consent is freely given, and not wrestled from you grudgingly.
To prevent companies from throwing up a big wall of legalese that people have to agree to, the GDPR outlines a number of principles this consent should adhere to. Here's a non-exhaustive list:
- people should have real choice and control
- consent requires a positive opt-in, pre-ticked boxes or anything like that are not allowed
- there should be a very clear statement explaining what people are agreeing to
- these requests for consent must be separate from any terms & conditions
- consent needs to be granular, you need individual consent for different things, and can't ask for blanket consent
- it must be easy for people to redraw consent
- consent of data processing should not be a precondition for a service
Looking at that list, I can't help but feel that legislation would be a lot simpler if lawmakers could just write don't be a dick and call it a day.
Consent granularity
Remember, we can't just get blanket consent. We need to get consent for every type of data processing we do.
For freesewing.org, we have identified three different types of data processing:
- Profile data
- Model data
- Patron data
For each of these, we'll need to get consent from the user, making sure it's real consent as intended in the GDPR.
Below is a mockup for what this could look like for each data type:
These mockups are no longer available
Please note that the mockups originally included in this post are no longer available. Instead, this functionality has been implemented in the website.
Consent timing
The GDPR states that you should ask for consent when the data is collected.
With our three types of data processing, that means that consent must be asked at different times:
- Profile data: When signing up on the site
- Model data: When creating the first model
- Patron data: When becoming a patron
This will (also) require some extra work to integrate this in the site.
Respecting basic rights when processing data
The EU enshrines basic rights for its citizens that should be respected when processing data.
Let's look at each of these rights and their impact on freesewing.org.
The right to be informed
You need to be transparent about how you use personal data. Why you collect it, how you use it, and so on.
Informing users is something we are still working on. If anything, this blog post is part of that effort.
We will need to design the individual privacy notices, but also a more overall privacy policy as well as making certain that users are informed of all their rights.
While this will require some work, I don't expect any problems here.
The right of access
People have the right to know their data is processed, and to access that data.
We are already compliant, as all data users enter on the site can also be accessed by them.
The right to rectification
People have the right to correct their data if it's not correct.
We are already compliant, as all data users enter on the site can also be edited by them.
The right to erasure
People have the right to have their data removed/erased.
We are already compliant, as users can remove their models, or entire account at any time.
The right to restrict processing
This right means that users must be able to put a freeze on all data processing, without going as far as to delete their data.
We do not currently offer this possibility, and will need to add this functionality to the site.
The right to data portability
People not only have a right to export all their data, that export should also be in a format that makes it easy for them to take their data elsewhere.
We are already compliant, as we allow users to export all of their data, and make it available in different standard formats (YAML and JSON).
The right to object
The right to object applies specifically to:
- processing for public interests or by official authorities
- processing for direct marketing
- processing for science/historic research/statistics
In these cases, people can object to this specific processing.
This is going to apply to us when we start publishing anonymized model data, something that's on our roadmap.
The reason for publishing this data is that we want to make a dataset available of real body measurements, rather than the standard measurements that are typically used in the industry.
This is something we'll write about more at a later date, but essentially this falls under the scientific research/statistics category. And even though the data is anonimized, we still need to respect the right of users to object to this processing.
As such, we should add the possibility to object to this specific use of the data.
Rights in relation to automated decision making and profiling
People have extra rights when it comes to profiling or decisions made by AI or algorithms without human involvement.
This is not relevant in our situation.
Privacy by design
The EU isn't content with throwing up a couple of consent questions and respecting people's rights when processing data. It also wants to make certain that your privacy is (better) protected when things go wrong.
That's why it advocates for privacy by design. While it's a concept that's hard to pin down in legislation, the purpose is clear: They want everyone to consider privacy from the very start of their project/product/business, and not as an afterthought.
Things such as encryption (both in transit and for data at-rest), pseudonyms, and data expiry are suggested as things to keep in mind while designing.
Obviously, the EU is not going to come check your code to see whether you've taken privacy by design to heart. But it can (and probably will) have an influence when things to wrong.
Imagine two companies who have a data leak, one of them hasn't done much to safeguard the privacy of their users, whereas the other has taken privacy by design measures to mitigate the damage.
It seems obvious that the EU is going to come down harder on the company who didn't even try.
What we're already doing
We already do a number of things that are driven by a privacy by design approach. For example:
- We use pseudonyms for user accounts
- We don't share any data with any third party
- We don't include any tracking code, or analytics
- We don't use cookies
- We don't have any social logins, like buttons, or other such things
- We don't run/show any ads
- We don't run any third-party JavaScript code
- We use encryption on all transport
There's some more info on this in this blog post: The choices I've made to protect your privacy. Or why you won't be getting any cookies.
These already form a very good basis for a privacy conscious website. But since we'll need to make changes for GDPR anyway, we're considering other options to further raise the privacy bar. Specifically, what can we do to limit the damage to our users in case there is a data leak.
Restriction of data storage
Some of the most sensitive data we store today is the address and birthday of our higher-tier patrons.
However, the site does not need this information to function. We only need it for administrative purposes; Sending out gifts and birthday cards to our patrons.
As such, there's no real need to keep this data in the freesewing database. We could just as well write this information down in a notebook we keep on our coffee table.
So, as part of our GDPR-related changes, we will remove this information from the database, and store it offline.
Encryption of data at rest
We already encrypt all data in transit. But, we are currently considering to add encryption of data at rest.
The idea is to encrypt all data that could potentially identify a user. Such as:
- Email address
- User name
- Model names
- Model notes
This would add an extra layer of defense for our users' privacy in case somehow our database gets dumped.
While this change will be non-trivial to implement and come with a performance penalty, I feel it's worth looking in to.
Fazit
While we still have some work to do, we are already compliant with large parts of the GDPR, especially when it comes to respecting users rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
We are currently working on the right to be informed and have a plan for the changes required to respect the right to restrict processing and the right to object.
On the data collection site, we need to hammer out the details for our privacy notices. We'll also write a detailed privacy policy that bundles all the info from the different notices.
We'll need to add changes to the user on-boarding to make sure notices are presented at the correct time. Not to mention that we'll need to keep track of who gave their consent for what.
Action points
- Draft privacy notices for profile/model/patron data
- Integrate consent in user on-boarding, model creation, and patron sign-up
- Make site functionality depend on consent
- Provide a centralized privacy dashboard where people can review their privacy settings/consent
- Add email notifications every time consent is changed
- Provide a way for people to freeze their account
- Provide a way for people to object to their model data being used for research and statistics
- Write and publish an overall privacy policy
- Encrypt sensitive data in the database
Seems like we've got a lot of work ahead of us.
Feedback
It is my personal opinion that the GDPR is a good thing. But I want to hear from you about the changes outlined in this blog post.
So please reach out with your feedback and comments. It is after all your data we're talking about.