Is the FSFE planning anything on the GDPR?
European data protection law and cybersecurity strategy/policy talk a lot about safeguarding 'individual freedom' in relation to the Madrid protocol and so forth, but there is no mention of Free Software.
Here's one example...
The General Data Protection Regulation (GDPR) introduces (among other things) Data Protection Impact Assessments (Article 35) which have to be conducted when specific risks occur to the rights and **freedoms** of data subjects. Data Protection Officers (Articles 37–39) are to ensure compliance within organizations and have to be appointed **for all public authorities**.
One report by ENISA (the European Union Agency for Network and Information Security) specifies that outsourced data storage on remote clouds is practical and relatively safe, as long as only the data owner, not the cloud service, holds the decryption keys - nothing about decentralization or open standards... and the rest of it.
Hi Mat,
> Is the FSFE planning anything on the GDPR?
What specifically is it that you would see as something for the FSFE to engage in around the GDPR? What you quote sounded sensible to me, and are points which should be valid and true regardless of free software or not.
That ENISA doesn't consider open standards in relation to the cloud could be something to work on, but that seems separate from the GDPR specifically.
Hi Jonas,
Specifically, it seems to suggest to me that a fair number of proprietary platforms - Facebook, for example - might contravene 'Data protection by Design and by Default (Article 25)', which requires privacy settings to be set at a high level by default.
As far as I remember, FB wants everyone to share as much as possible, because that forms the basis of its ad revenue model, and so the default settings for new accounts, and for new posts on established accounts, are 'global' rather than 'private'?
I am sure there will be many other examples like this, giving the FSFE a welcome opportunity to have a voice in the important conversations people are having about privacy and FB and others... I am thinking purely in terms of FSFE public affairs, raising the profile of the organization as a benign force for good, rather than anything more ambitious, I think.
ENISA seems to be used to elaborate on what needs to be done and, although separate from the GDPR, looks to be very influential in the interpretation?
/ m
On 07/08/17 08:20, Jonas Oberg wrote:
> Hi Mat,
>> Is the FSFE planning anything on the GDPR?
> What specifically is it that you would see as something for the FSFE to engage in around the GDPR? What you quote sounded sensible to me, and are points which should be valid and true regardless of free software or not.
> That ENISA doesn't consider open standards in relation to the cloud could be something to work on, but that seems separate from the GDPR specifically.
Hi Mat,
> Specifically, it seems to suggest to me that a fair number of proprietary platforms - Facebook, for example - might contravene 'Data protection by Design and by Default (Article 25)', which requires privacy settings to be set at a high level by default.
I would posit you're right in this. But I would think the same problem might exist with distributed platforms. I just checked Diaspora* for instance, and it seems to have the same level of default privacy as Facebook for new users and posts ("Friends only" on Facebook and "All aspects" on Diaspora*).
So it seems to me that if we agree that the right to privacy is important, supporting Free Software, and supporting the GDPR, are both important aspects of privacy, but the two are largely on parallel tracks and don't overlap much.
There's one case I can see though: it would be possible to make the claim that, given the high requirements of the GDPR, it's impossible for anyone to meet those requirements in a believable way without publishing the software used as Free Software, and without using Open Standards (which is also roughly the requirement for Data Portability in Article 20).
Happy if anyone would like to work on this with us. I'm looping in our policy analyst, Polina Malaja, who would also be involved in this.
Good morning,
I am very pleased to see that you bring up this issue. GDPR offers a great opportunity to promote FOSS.
FOSS is definitely far more "GDPR-ready" than proprietary or closed-code. *But, what an irony!* Who shouts the most about GDPR these days? Delivers free seminars with free food & drinks(!), invites prominent professors on stage, to give speeches about data privacy under their auspices?
*The ones who hardly comply with the GDPR invest heavily in promoting it!* Otherwise, they will gradually become extinct. It seems they have no choice. They also have the budget required to do so, unlike FOSS. And I am afraid that, at the end of the day, they manage to gain the impressions of the majority...
Can we blame consumers or companies for choosing closed code over FOSS? They are brain-washed, after all.
To close, I would like to work with you, to help create relevant publicity about the true values of FOSS, including its *inherent* GDPR-readiness.
I am -kind of- speaking by experience, because we have recently gone through an audit for GDPR compliance as a company (email providers). We actually changed our business model in order to better comply: we moved all of our customers, from a unified multi-tenant environment to separated, privately hosted servers. All on FOSS.
At your disposal, KR Ioli
On 10/8/2017 10:01 AM, Jonas Oberg wrote:
> Hi Mat,
>> Specifically, it seems to suggest to me that a fair number of proprietary platforms - Facebook, for example - might contravene 'Data protection by Design and by Default (Article 25)', which requires privacy settings to be set at a high level by default.
> I would posit you're right in this. But I would think the same problem might exist with distributed platforms. I just checked Diaspora* for instance, and it seems to have the same level of default privacy as Facebook for new users and posts ("Friends only" on Facebook and "All aspects" on Diaspora*).
> So it seems to me that if we agree that the right to privacy is important, supporting Free Software, and supporting the GDPR, are both important aspects of privacy, but the two are largely on parallel tracks and don't overlap much.
> There's one case I can see though: it would be possible to make the claim that, given the high requirements of the GDPR, it's impossible for anyone to meet those requirements in a believable way without publishing the software used as Free Software, and without using Open Standards (which is also roughly the requirement for Data Portability in Article 20).
> Happy if anyone would like to work on this with us. I'm looping in our policy analyst, Polina Malaja, who would also be involved in this.
Greetings,
I take your point, Jonas, about Diaspora possibly matching Facebook on the default privacy settings. I'll take your word on that for this discussion, because it may be more significant to consider which of the two (Diaspora/Facebook) could be predicted to change the quickest to respond to the potential contravention.
That techno-cultural aspect of FS (community) vs. proprietary (market-led) design features suggests to me it may be worth working something up on that... I may contact Diaspora for a view...
I note the high requirements of the GDPR too, and because proprietary software is much more likely to flout Open Standards, I believe FS (and the FSFE) is more naturally positioned to talk into this new legislative context without the need to shout, deliver free seminars or provide free food & drinks(!)
Ioli - I am sure GDPR offers a great opportunity to promote FOSS - one way or another - the messaging could be quite powerful I think because the GDPR articulates many contemporary issues for companies and citizens.
> Can we blame consumers or companies for choosing closed code over FOSS?
Well, let's not blame... let's see it as a huge opportunity to educate both!
> I would like to work with you, to help create relevant publicity about the true values of FOSS, including its inherent GDPR-readiness.
Sounds like a plan...
I think the GDPR has so much social and political force and influence over large populations that the FSFE would do well to talk into that space, for lots of reasons... and all of them, I think, are positive. Developing policy and orienting public affairs around that would, I believe, definitely be effective and in the FSFE's mission interest.
/ mat
Good afternoon,
I agree with you, Mat. I don't have a plan yet, but I have an idea of what could be done in this direction:
We certainly need to agree upon a plan with clear objectives: what we want to achieve, how and when. We also need volunteers for the "field-work", a steering committee (or alike) to help, give directions, delegate tasks to volunteers and coordinate their progress. Finally, due to the complexity of the GDPR, I think we need a legal team to verify the final output, before it goes public, or correct the expressions we use.
It is a big challenge and won't be easy, but it is worth giving it a try.
We could break down the work into groups of applications such as, for example: 1) group of operating systems, 2) group of social media, 3) group of CRM, 4) group of email, etc., and assign volunteers to work with each group, according to experience. Volunteers will study the GDPR in depth and elaborate, for each group, on how/why FOSS is more GDPR-ready than its closed-code counterpart.
I could volunteer for email, if you accept, because I happen to know it well enough. I could provide a list of arguments, about how FOSS can help towards compliance with the GDPR regarding email.
The same could be done for the rest of the software segments. It won't be easy at all. This is why we will need a legal team, such as Data Protection Officers, to clarify the grey areas and propose corrections.
This is just an idea, as I said. I am open to suggestions. I would be happy to contribute, to the extent I can, to such a nice mission.
KR Ioli
On 10/8/2017 1:09 PM, Mat Witts wrote:
> Greetings,
> I take your point, Jonas, about Diaspora possibly matching Facebook on the default privacy settings. I'll take your word on that for this discussion, because it may be more significant to consider which of the two (Diaspora/Facebook) could be predicted to change the quickest to respond to the potential contravention.
> That techno-cultural aspect of FS (community) vs. proprietary (market-led) design features suggests to me it may be worth working something up on that... I may contact Diaspora for a view...
> I note the high requirements of the GDPR too, and because proprietary software is much more likely to flout Open Standards, I believe FS (and the FSFE) is more naturally positioned to talk into this new legislative context without the need to shout, deliver free seminars or provide free food & drinks(!)
> Ioli - I am sure GDPR offers a great opportunity to promote FOSS - one way or another - the messaging could be quite powerful I think because the GDPR articulates many contemporary issues for companies and citizens.
>> Can we blame consumers or companies for choosing closed code over FOSS?
> Well, let's not blame... let's see it as a huge opportunity to educate both!
>> I would like to work with you, to help create relevant publicity about the true values of FOSS, including its inherent GDPR-readiness.
> Sounds like a plan...
> I think the GDPR has so much social and political force and influence over large populations that the FSFE would do well to talk into that space, for lots of reasons... and all of them, I think, are positive. Developing policy and orienting public affairs around that would, I believe, definitely be effective and in the FSFE's mission interest.
> / mat