Keeping Up With… General Data Protection Regulation (GDPR)

This edition of Keeping Up With... was written by Margaret Heller.

Margaret Heller is Digital Services Librarian at Loyola University Chicago. She is also a Public Voices Fellow with The OpEd Project.


The General Data Protection Regulation, or GDPR, went into effect on May 25, 2018. It is a regulation by the European Union (EU) that requires any company that collects any electronic personal data to better protect the information and be transparent about what they have. While it applies to EU residents only, it has had a global impact. For librarians who work at institutions with campuses or programs in the EU, the effect is more immediate, but any library that offers international services should be aware of what the regulation entails and how they might be affected. Seek advice from your institution’s legal counsel for specific questions.

GDPR provides a single set of rules for EU residents about what entities who hold their data can and cannot do. It gives individuals recourse if some information about them is somewhere they don't want it to be. Terms and conditions can’t be buried under legalese; the text has to be written in understandable language. Companies must let people know right away about data breaches. Individuals have the right to know exactly what data a company has, and are able to request that a company deletes or transfers data about them under certain circumstances. Companies must design their systems and practices with privacy as the default, and improve their practices to make sure that happens [1].

Our Tools Have Improved

Anyone who holds data must make sure their practices and tools work with GDPR. We can thank the EU because this is likely going to offer us more control over our online footprints and those of our patrons. Librarians have been deleting data about people for a long time. It is standard practice to delete the borrowing records for patrons when the book is returned or a fine is paid. We couldn’t turn over information to law enforcement if we didn’t have it. But since then, the trails people leave through libraries have become easier to track as more and more reading happens online. A lot of the systems we use haven't offered the ability to delete search logs or other information about individuals, but as of right now they are starting to roll out those tools to be compliant with GDPR. Some of the tools are blunt instruments: for example, Ex Libris offers the option to delete patrons from Primo entirely, but this doesn’t really address issues like search logs [2].

The Right To Be Forgotten, and Who Decides

GDPR allows individuals to have more control over how their information appears in searches and potentially in the historical record. The origins of the GDPR go back quite a long time [3], but it began to be more widely known when in 2014 a Spanish man sued Google to get them to take down search results to a newspaper article about his debts. This case became known as the “right to be forgotten” law [4]. The mechanisms set up by this law required Google to take requests by any EU citizen and consider removing search results. While the law allows companies to retain data in the public interest, the UK just required Google to remove information about a businessman’s past crimes that were not relevant to his business activities [5]. The GDPR extends this beyond search results about individuals into the actual data the companies have about people. This distinction is important—the new regulation will help people control how the Internet talks about them.

Of course, the news media is supposed to hold the powerful to account, and search engines are critical for journalists and researchers. The need for preserving the historical record is not in question. In fact, since the “right to be forgotten” regulations were passed, most of the requests for removing information came from private individuals seeking to remove directory information such as their address or phone number [6]. This will be an important area to keep an eye on, however, and think critically about the balance between privacy and history.

The Actual Impact Depends on Us

Especially for those outside the EU, gaining the benefits from GDPR will require extra work. If the impact of library research data seems too abstract, think about data that is more familiar to everyone: social media. Marketers use data about you from Facebook and Google to determine what ads you should see. Google knows a lot about you: what searches you did, what apps you used on your Android phone or tablet, what locations you looked up on Google Maps, and what pages you brought up on Chrome. You can see for yourself at Google My Activity [7].

Google first rolled out this feature in 2015, possibly as a result of European regulations, and for the first time it was clear to see exactly how big our online footprints can be. You can now delete any data about your own activity that you want. Facebook has a similar, though not as detailed, advertising profile [8]. Why does this matter? You might not realize how many location-based advertising options Google offers. You can target ads to people searching for a specific location, even if they aren’t physically based there when they do the search [9].

Needless to say, you can only control what Google or Facebook knows about you and the ads it shows you if you take the time to review these profiles and think carefully about your online preferences. The same is true of library tools, both vendor and library-created. Following best practices for privacy that have been provided by ALA is a good start [10].


Many vendors have rolled out new privacy policies, and some libraries have too. But these aren’t meaningful unless we read and understand them. We don’t know exactly what privacy tools all companies will make available to non-EU residents. Mark Zuckerberg has claimed that Facebook will follow GDPR “in spirit” internationally, but at the same time, has moved ownership of the data of 1.5 billion Facebook users out of Ireland to California, which means that it will no longer be possible to lodge complaints against Facebook in Irish courts [11]. In the days following May 25, some non-EU newspaper sites (particularly those owned by Tronc) were blocked in the EU because the companies were not prepared for GDPR and preferred to avoid serving European readers rather than face potential risk under GDPR [12]. It may be easier for libraries to avoid holding any personal data for EU residents because that would expose them to risk for GDPR compliance. That may not be acceptable if it means not offering services to those patrons or holding those collections. GDPR will require some hard choices, but brings with it some great opportunities.


[1] European Commission, “2018 Reform of EU Data Protection Rules,” European Commission, 2018,

[2] Itai Veltzman, “What You Need to Know About Addressing GDPR Data Subject Rights in Primo,” 2018,

[3] Trunomi, “EU GDPR: How Did We Get Here?,” EU GDPR Portal, 2018,

[4] Ivana Kottasova, “Top Court Says People Have ‘the Right to Be Forgotten’ in Google Case,” CNN, May 13, 2014,

[5] Seth Fiegerman, “Google Loses ‘right to Be Forgotten’ Legal Battle,” CNNMoney, April 13, 2018,

[6] James Doubek, “Google Has Received 650,000 ‘Right To Be Forgotten’ Requests Since 2014,” NPR.Org, February 28, 2018,

[7] “Google - My Activity,” accessed June 11, 2018,

[8] “Ad Preferences,” accessed June 11, 2018,

[9] “About Advanced Location Options - AdWords Help,” accessed June 13, 2018,

[10] IFC Privacy Subcommittee, “Library Privacy Guidelines,” Text, Advocacy, Legislation & Issues, February 6, 2017,

[11] David Ingram, “Exclusive: Facebook to Put 1.5 Billion Users out of Reach of New EU Privacy Law,” Reuters, April 19, 2018,

[12] Adam Satariano, “U.S. News Outlets Block European Readers Over New Privacy Rules,” The New York Times, May 25, 2018, sec. Business Day,