The GDPR Takes Open Source to the Next Level

on May 2, 2018

Richard Stallman will love the new GDPR.

It's not every day that a new law comes into force that will have major implications for digital industries around the globe. It's even rarer when such a law will also bolster free software's underlying philosophy. But the European Union's General Data Protection Regulation (GDPR), which will be enforced from May 25, 2018, does both of those things, making its appearance one of the most important events in the history of open source.

Free software is famously about freedom, not free beverages:

"Free software" means software that respects users' freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, "free software" is a matter of liberty, not price. To understand the concept, you should think of "free" as in "free speech," not as in "free beer".

Richard Stallman's great campaign to empower individuals by enabling them to choose software that is under their control has succeeded to the extent that anyone now can choose from among a wide range of free software programs and avoid proprietary lock-in. But a few years back, Stallman realized there was a new threat to freedom: cloud computing. As he told The Guardian in 2008:

One reason you should not use web applications to do your computing is that you lose control. It's just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else's web server, you're defenseless. You're putty in the hands of whoever developed that software.

Stallman pointed out that running an operating system built from free software—for example Google's ChromeOS—offered no protection against this loss of control. Nor does requiring the cloud computing service to use the GNU Affero GPL license solve the problem: just because users have access to the underlying code that is running on the servers does not mean they are in the driver's seat. The real problem lies not with the code, but elsewhere—with the data.

When you run free software on your own computer, you obviously retain control of your own data. But that's not the case with cloud computing services—or, indeed, most online services, such as e-commerce sites or social networks. There, highly personal data about you is routinely held by the companies in question. Whether or not they run their servers on open-source code—as most now do—is irrelevant; what matters is that they control your data—and you don't.

The new GDPR changes all that. Just as free software seeks to empower individuals by giving them control over the code they run, so the GDPR empowers people by giving them the ability to control their personal data, wherever it is stored, and whichever company is processing it. The GDPR will have a massive impact on the entire online world because its reach is global, as this EU website on the subject explains:

The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.

And if you think that the internet giants based outside the EU will simply ignore the GDPR, think again: under the legislation, companies that fail to comply with the new regulation can be fined up to 4% of their global annual turnover, wherever they are based. Google's total turnover last year was $110 billion, which means that non-compliance could cost it $4.4 billion. Those kinds of figures guarantee that every business in the world that has dealings with EU citizens anywhere, in any way, will be fully implementing the GDPR. In effect, the GDPR will be a privacy law for the whole world, and the whole world will benefit. According to a report in the Financial Times last year, the top 500 companies in the US alone will spend $7.8 billion in order to meet the new rules. The recent scandal over Cambridge Analytica's massive collection of personal data using a Facebook app is likely to increase pressure globally on businesses to strengthen their protections for personal data for everyone, not just for EU citizens.

The GDPR's main features are as follows. Consent to data processing "must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it." Companies will no longer be able to hide bad privacy policies in long and incomprehensible terms and conditions, and the purpose of the data processing must be clearly attached to the request for consent.

There are two important rights in the GDPR. The "right of access" means people are able to find out from an organization whether or not personal data concerning them is being processed, where and for what purpose. They must be given a copy of the personal data on request, and the first copy must be free of charge. Under the closely related right to data portability, data that people have supplied themselves must be provided in a "structured, commonly used and machine-readable" format so that it can be easily transferred to another service. The other right is to data erasure, also known as the "right to be forgotten". This applies when data is no longer relevant to the original purposes for processing, or people have withdrawn their consent. However, that right is not absolute: the public interest in the availability of the data may mean that it is not deleted.

One of the innovations of the GDPR is that it embraces "privacy by design and default". That is, privacy must be built in to technology from the start and not added as an afterthought. In many ways, this mirrors free software's insistence that freedom must suffuse computer code, not be regarded as something that can be bolted on afterward. The original Privacy by Design framework explains what this will mean in practice:

Privacy must become integral to organizational priorities, project objectives, design processes, and planning operations. Privacy must be embedded into every standard, protocol and process that touches our lives.

Open-source projects are probably in a good position to make that happen, thanks to their transparent, flexible processes and feedback mechanisms. In addition, under the GDPR, computer security and encryption gain a heightened importance, not least because there are new requirements for "breach notifications". The relevant supervisory authority must be told of a personal-data breach within 72 hours of the organization becoming aware of it, and the people affected must be told without undue delay when the breach is likely to put their rights and freedoms at high risk. That second duty is lifted where the affected data had been rendered unintelligible to whoever obtained it, for example by encryption, so keeping personal data encrypted at rest, with the keys held separately from the data, is a compliance control as well as a security one. Again, open-source applications may have an advantage here thanks to the ready availability of the source code that can be examined for possible vulnerabilities. The new fines for those who fail to meet the security and breach-notification obligations—up to 2% of global annual turnover—could offer an additional incentive for companies to require open-source solutions so that they have the option to look for problems before they turn into expensive infractions of the GDPR.

It would be hard to overstate the importance of the GDPR, which will have global ramifications for both the privacy sector in particular and the digital world in general. Its impact on open source is more subtle, but no less profound. Although it was never intended as such, it will effectively address the key problem left unresolved by free software: how to endow users with the same kind of control that they enjoy over their own computers, when they use online services. As a result, May 25, 2018 should go down as the day when the freedom bestowed by open source went up a notch.

Glyn Moody has been writing about the internet since 1994, and about free software since 1995. In 1997, he wrote the first mainstream feature about GNU/Linux and free software, which appeared in Wired. In 2001, his book Rebel Code: Linux And The Open Source Revolution was published. Since then, he has written widely about free software and digital rights. He has a blog, and he is active on social media: @glynmoody on Twitter.