General Data Protection Regulation
Ying Li’s PyCon2018 keynote discussed the importance of writing secure software, and the responsibility that we, as developers, have in keeping users safe. While watching, it occurred to me that I haven’t written about the new European Union laws that stem from the General Data Protection Regulation (GDPR) that goes into effect this month.
I was involved in several conversations on this topic lately, so here’s some information on the rules, their implications and responses from businesses, and the reactions as the rest of the world tries to implement similar systems.
Important Note: I’m not a lawyer or anyone with formal legal training, the point of this article is to inform and inspire the reader to do their own research before coming to conclusions on how it affects their specific situation.
What is GDPR?
The main goal of the regulation is to control what, how, why and where we collect an EU citizen’s data. It also empowers the citizen with a fundamental set of rights that give them control of their data. I think Article 1, Paragraphs 1-3 of the General Data Protection Regulation summarizes the intent fairly well:
This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
While straightforward, the key points to pay attention to are the following:
* Only European Union citizens are considered as
natural persons. This means that a developer now has a special subset of application users, regardless of whether the systems are in place to make that distinction. We’re not only talking about new users that came online after the regulation, but also existing ones. Also, this includes all citizens, whether or not they currently live inside the EU (address alone is not enough information).
* We need to define the words
personal data, we’ll get into that soon.
* Data is only allowed to move freely within the Union. So if you process information somewhere else, or store it somewhere else, there are restrictions you have to take into consideration.
What is Personal Data?
This is the most important item to pay attention to. All your decisions moving forward require a correct understanding of the definition of “personal data” per the regulation. This is not about what you think personal data should be, it’s about what the regulation says it is. Article 4, Paragraph 1 covers it:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Let’s think about just a few implications:
* What if you run an application that stores pictures? Some of these come with GPS coordinates! This is
* What if instead you reference social media posts? These could also contain
* Same thing goes for IP addresses, which also fall into the
online identifier category.
All of these qualify as personal data, and you would therefore fall under the scrutiny of this regulation.
What does Data “Processing” Mean in this Context?
Article 4, Paragraph 2 says:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
It involves both automated and manual handling of information. Article 5 section c) adds to this by stating that you must minimize the data collected, only using it for the purposes indicated. For example, you cannot use location data to determine if I’m near a movie theater and then sell that history to someone else, unless I gave you explicit permission to do so. Same concept applies if you’re indirectly sharing it when using 3rd party services.
Article 6 states that processing of data is only legal if users gave their explicit consent, and Article 7 makes it required that data processors are able to prove they received consent.
Gathering consent also has rules on the clarity and verbiage of the agreements, making them non-binding if they infringe on the rules. Things like checkboxes that are checked by default will not be allowed, and long-winded EULAs that are hard to understand could be voided.
Article 8 tells us that children under the age of 16 cannot give consent unless authorized by their guardians. You must also demonstrate that reasonable efforts are taken to verify age. While this is a concern for many online services, it’s easy to not consider it in non-obvious situations. Seems that developers now have to think about how to determine if their new user, signed in over a New Zealand IP address for example, is actually the underage son of an EU citizen that moved to Australia. If we’re not careful, “due diligence” could actually expose more personal data.
The user data described in the excerpt below is labeled “special” by Article 9. As such it has separate provisions requiring specific consent (separate from the overall data consent) for handling or collecting it.
data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The regulation enumerates the following rights for EU citizens:
- Right to Rectification - When requested, you must update any personal data that’s incorrect or incomplete. I expect you also have to verify the new data is accurate.
- Right to Erasure - Does your application provide an easy way to permanently delete a user? No? Better get working on it. Many times we don’t consider this option because it can actually break some systems. It’s common for developers to provide user “deactivation”, instead of deletion in tools where accurate transaction histories are important.
- Right to Restriction of Processing - When invoked, the application must require explicit user permission to do anything with their data other than store it.
- Right to Data Portability - Users may request all their data. Your app must be able to “download” that info in a machine-readable commonly-used format.
- Right to Object - Stop processing the user’s data. It’s like a freeze.
If you rectify or erase someone’s information, you’re also required to notify any other parties that you may have communicated that information to. Imagine the implications with common sign-on or other services that may independently manage some user data like Stripe or Salesforce.
In theory, the likelihood that an average user invokes any of these rights is fairly low. However, if you’re caught unable to comply with their request, you may be in breach of the regulation and you’ll have to deal with the fines.
Waiving these Rights
A legal document where the citizen waives their GDPR-given rights is not valid. You cannot fix the problem by making users agree that the law does not apply to them.
If you have legal agreements like end-user agreements or other customer service agreements, you’re required to explicitly define how customer data is used or stored. This is probably easy for the app that you own or develop, but it gets real complicated, real quick, if you use a lot of free services which may or may not track your user. For example: Google Analytics, Google Ads, Disqus, Amazon ads.
Data Protection Officers
If your business is large enough you need to anoint someone as your “data protection officer”. This person’s job is to make sure the architecture of end-user applications and internal processes complies with GDPR rules. They need to train “data handlers” so that they understand how to create, manage and remove data correctly. They’re also in charge of putting the tools and processes in place to discover and handle data breaches, as well as managing requests for the rights identified earlier.
Reporting Data Breaches
The law also requires reporting data breaches within 72 hours of discovery. This means that asides from instrumenting infrastructure, the proper processes must be in place so you’re ready to react to problems quickly. This is less about the security issues that lead to a breach and more about protecting users by letting them know quickly that their information might be compromised.
However, this is easier said than done. Application security these days is very complicated, and if you haven’t determined the root cause of a breach, making it public can put your users at higher risk. Someone else might try to get into the systems. If the security hole isn’t plugged, it doesn’t matter wether affected users take action to update their sensitive data, the attackers will have access to the new data.
I believe this will actually lead to less secure applications. I mean after all, if we don’t “discover” the data breach, then we don’t have to report it.
Your Geographic Location doesn’t Matter
I’m not sure how “enforceable” this really is, but Article 3, Paragraph 1 says:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
What are some businesses doing?
New companies have now formed to run systems that determine the location of potential users and simply deny the app or service to EU citizens. I fully expected this reaction from a free market, but it doesn’t really solve the problem.
Some folks are trying to split their users or accounts between the EU and everyone else, allowing them to apply different rules. I think this is a bad idea that will only lead to more problems.
While I haven’t seen any evidence of it, I could easily imagine companies setting up or moving into more “permissive” states (you know who I’m talking about) that would refuse to enforce some of these laws.
Some other interesting points
Article 2, Paragraph 2:
This Regulation does not apply to the processing of personal data: a) in the course of an activity which falls outside the scope of Union law; b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; c) by a natural person in the course of a purely personal or household activity; d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Criminals can and will do whatever they want with your data. They’re criminals after all! However, for the rest of us, it looks like using other people’s data for some personal activity is also allowed. Maybe education counts as a personal activity (assuming we can prove it in court). I think it’s a good idea to protect that.
Now what about d)? It seems the EU granted its citizens new rights, but none of them apply when the government itself needs to use the data. What is this? I guess the right to be forgotten from MI6 databases doesn’t exist. I understand the law-enforcement problems it creates, but I’m not a fan of double standards.
At least they try to make up for it with Article 98, where they mention the intent of making government institutions more consistent with these new regulations. Let’s hope that the institutions will consider their proposals.
What are other countries doing?
Though I don’t consider recent data breaches more special than the many incidents we’ve had in the past, as far as I can tell, the regulation is a reaction to them. Regardless, it seems that many places around the world are trying to enact similar laws, and you can bet that most will be based on some derivative of this one.
From what I’ve seen so far, other state actors are trying to dig into it even deeper. They want to lay the responsibility for data breaches at the feet of application developers. Including penalties that incur large fines and even jail time.
As developers, we’re frequently subject to business prioritization. Sometimes, no matter how much you speak up, some of these items wind up at lower priority. Does this mean that we now need to hire lawyers to interpret these laws for us? Maybe we can come up with some kind of notice to represent “due diligence”, and send it to the corporate overlords when they dismiss security issues.
Like I said at the beginning, I’m not a lawyer and the main reason behind writing this article is that I want all of you to be aware that there’s something important here you need to look at.
Do your own research, talk to your boss, check with your company’s legal department. It’s in your best interest to keep an eye out for these types of changes in government. This also includes local governments.
Feel free to use the comments section of this article to post known legislation attempts with your local, state or federal governments, especially if they succeeded.