A new report looks at how the GDPR can be weaponized against social sector organizations and what they should do to prepare.
Digital Impact 4Q4: Vera Franz and Ben Hayes on the Good and Bad of GDPR Compliance
SUBSCRIBE TO THIS PODCAST ON iTUNES.
00:00 CHRIS DELATORRE: This is Digital Impact 4Q4, I’m Chris Delatorre. Today’s four questions are for Vera Franz, Deputy Director of Open Society Foundations’ Information Program and Ben Hayes, Director of AWO, a legal firm and consulting agency working on data rights. In February, OSF published a report looking at how the EU General Data Protection Regulation—or GDPR—impacts non-governmental organizations in practical terms. The report offers practical guidance based on compliance challenges, and specifically addresses the importance of defending social sector organizations against attempts by governments and corporations to misuse the GDPR against them.
00:50 CHRIS DELATORRE: Vera, we’re coming up on the 2-year anniversary of the GDPR. We’ve seen a lot of changes, not only in the European Union but also here in the United States. Of course, I’m referring to the CCPA—the California Consumer Privacy Act, which went into effect this year. Now, your report focuses on the GDPR but I would recommend it to anyone in the social sector dealing with data, regardless of where they operate. Early in the report, you point out a general absence of advice specifically geared toward the social sector—commercial interests notwithstanding. Why is it so important to help CSOs consider the broadest context of compliance for either of these regulations?
01:33 VERA FRANZ: Thanks Chris and thanks for having us on your podcast. So, when we started out with our research for this report, one thing we observed is that NGOs were tying themselves up in knots over their mailing lists, which resulted in flooding of our inboxes with re-consent requests, which were mostly unnecessary. So, in essence we saw NGOs over-complying with GDPR and at the same time in my role at OSF I support a lot of work to support GDPR vis-a-vis big tech—the big corporations, including Facebook and Google—and I observed there that some of these big companies were under-complying. That’s not me saying this, this is European regulators stating as much as well.
So, we observed this phenomenon and this was an indication for us that some guidance for civil society was really needed. And as your question suggests, data protection compliance is not discreet [inaudible] exercise for NGOs. I think—or we think, as the outcomes of this report—it’s really about two big things. First, it is about—for civil society—living by our values, and more specifically protecting our constituents and partners. They can be marginalized vulnerable members of society or whistleblowers or similar. And protecting them means protecting their data against abuse once those data sets are in our systems. More importantly, GDPR compliance is also about protecting the resilience of our own organizations—I guess by extension our space for action. Or, in other words, minimizing our attack surfaces.
A new report from Open Society Foundations looks at the GDPR has impacted the social sector.
As we all know, civil society is in the business of going after some of the most powerful in society, be they governments or corporations, to hold them to account. And in the process of doing so, we make powerful enemies. And we believe that if we don’t get data protection compliance right, our opponents may use this against us. Now to be clear, the use of law against civil society is nothing new. It goes back many years, even in the digital space. I remember 10 or 15 years ago, the Russian government abusing—going after NGOs by using their illegal Microsoft Office licenses as an excuse, so this is a well known tactic.
But we are in an age today where the environment for civil society is really getting more hostile, including Western democracies, so including in the EU. OSF of course is painfully aware of that change in climate as well. And so what we did with this report—or what we wanted to do is to find out what a new body of law—the GDPR—in this new climate of growing hostility would be abused, and if so how. So that’s what we really tried to do with this report.
04:49 CHRIS DELATORRE: Ben, to Vera’s point—and as you mention in the report—with all of the good the GDPR represents for the sector, the regulation can also be used against NGOs. Could an oppressive government use the GDPR against nonprofits—for instance, to shut down an organization it doesn’t like—and also to Vera’s point, are free societies immune? Could the regulation be weaponized by a corrupt administration in the US or UK?
05:18 BEN HAYES: Thanks Chris and thanks again for having us on the podcast. You know, this is something that motivated us to write the report, right? And I guess with the caveat that you’ve already given, you know we’re huge fans of the GDPR in the sense that we think it’s right that the European Union has tried to set a high bar for all entities handling personal data, to do so in a responsible and accountable way. But as Vera said, as with all regulations there is a significant potential for misuse or abuse and fortunately we haven’t seen too much of that yet but we do document a few cases in the report. One of which provides a good example of how this can and has played out is an investigative journalist collective in Romania called RISE who basically published a bunch of data alleging, demonstrating the involvement of government officials in corruption.
And shortly after this material was released, the Romanian data protection authority—which is supposed to be an independent branch of the Romanian government—sent the Rise Collective a letter demanding an explanation of all of the sources, requesting access to the data, using requirements in the GDPR that shouldn’t in our view have been applied in this case but do exist—asking why the data subjects were not informed about the potential use of their data and so forth and actually threatening this group of journalists with a 20 million euro fine. So you know that happens. There’s no doubt that the threat of this is real.
It’s good to report also that there was some strong pushback from civil society. A bunch of digital rights organizations—Privacy International, European Digital Rights, and others—wrote the European Data Protection Board, which is sort of the preeminent body established under the GDPR to provide guidance on the implementation and regulation and just said look this is a manifestly an abuse of the GDPR, it’s clearly not what the regulation is intended to do, the protections that should apply to a group like Rise have clearly been ignored. And to it’s credit the EDPB the Data Protection Board wrote publicly to the Romanian data protection authority setting out its concerns in this case. There’s a few others. As I say it’s not a massive trend that we should be particularly frightened of but there are a few other cases that we document in the report.
I guess just on this I think it’s not necessarily just repressive governments that we need to worry about. If you look at the way regulation has been—to use the word we use in the report—weaponized against civil society, we do see a link between the way malevolent actors have used—as Vera said, like the example with the Russian government—the way malevolent actors have used regulatory requirements to go after civil society actors. Just two quick examples: I don’t know if you guys have followed the stuff around deplatforming. So, you get activists basically writing to financial service providers and saying this particular user of PayPal or whatever it is is an extremist or is associated with terrorism and ergo you as the platform should cut your ties with this organization. And you know because the way the publicity machine works, we’re seeing that quite a lot.
10:11 CHRIS DELATORRE: Vera, in light of what Ben just said, right now the future of journalism seems to depend on achieving a balance between free expression and data protection. deplatforming—it’s a good example of mediating this effect. The GDPR includes exemptions for media organizations, but not all organizations providing support services to journalists are considered as such. What does the GDPR mean for journalists and the organizations who support them? Anyone out there who may be working in this field, what would you say to them right now?
10:48 VERA FRANZ: Yeah, I think journalism is more—generally speaking, investigative journalism and research more specifically—have a very interesting, I would say, relationship with data protection and data privacy. Because if you think about it, on the one hand, investigative journalism and research are aiming to create greater transparency to expose injustices, corruption, etc. and there may be there doing so running into data protection problems and data privacy problems. Yet of course, in order to do their work, they at the same time rely on strong privacy and data protection frameworks—for example to protect their sources—so it’s a very interesting space. And I guess free expression and data protection are indeed two rights that need to be balanced.
The good thing is this balancing exercise is something we’re very familiar in the human rights and social justice community and civil society more generally speaking as often it is about balancing different rights. But going back to the journalism question, how this tension is [inaudible] as you suggested to exemptions for data protection or for expression for journalism. And there is an interesting question of who falls under it. And there’s an interesting example we came across in our reports. So Global Witness, which is an anti-corruption investigation reporting outfit, they covered corruption by a mining company active in Africa. And the founder of that company and others associated with it brought Global Witness to court for the violation of data protection. Now, interestingly and crucially, the UK data protection regulator which weighed in as these court proceedings were happening, clarified that the journalistic exemption in data protection applied not only to conventional media organizations but also to civil society organizations engaged in journalism and public interest reporting, such as Global Witness. And I think the rules of this can now be overstated, as we have many NGOs today investigating and covering injustices. So this is a very important clarification.
But to be clear, there are challenges that remain at the intersection of free expression and data protection and with a focus on journalism. So, one of the most interesting challenges we identified is that in recent years we saw the rise of NGOs providing research support services to investigative journalists. And it’s currently unclear under GDPR whether these entities actually can rely on the journalistic exemption. The reasons that they gather, analyze, visualize data but they don’t publish, they support others to publish. And some national implementations of the GDPR have stated that journalistic exemption only applies to activities of entities that intend to publish.
So this is an interesting open question that we found a gray area so to say we also explored if these newer types of NGOs would be covered by other exemptions, such as archiving and research exemptions but that’s also challenging, not clear. And so ultimately what we did in our report is that we called on the European data protection regulators and also the EU Agency for Fundamental Rights to write updated guidance on the relationship between data protection and free expression.
14:56 CHRIS DELATORRE: Ben, let’s shift to how CSOs are using data protection laws to push BACK on attempts to shrink civic space. The report looks at subject access requests, which are derived from the right to access data collected by governments and companies. How are civil society organizations using this practice to protect the rights of individuals and how can they assess their vulnerabilities to those who would weaponize it against them?
15:22 BEN HAYES: Thanks, Chris. I think if we take an expansive view of civic space and say you know let’s look at all the ways in which big tech, big data is transforming our democracy and our economy and the relationship between civil society and power, SARs emerge as like a super interesting tool—SAR, subject access requests—for civil society organizations, not just to find out what exactly it is that particular entities are doing with data, which is essentially the rationale for having subject access requests. I mean, enshrining that within the law. But also to pursue more interesting and creative means of pushing back against some of these companies.
So, I’ll give you sort of three quick examples. Most people I’m sure most of your listeners will be fully aware of the Cambridge Analytica case but what they may not realize is that all of the litigation within that began with a single subject access request—actually by a US citizen, Professor David Cowell—and he’d learned about Cambridge Analytica, heard that they may have been involved in Trump’s election campaign and instructed UK lawyer—actually Ravi Naik, my partner at AWO—to make a subject access request on his behalf. And Cambridge Analytica—I think this was almost certainly at the beginning of their downfall—they actually replied and said, you know, basically you’re a US citizen. You have no more right to your data and are no more entitled to a response than a Taliban in a cape. Which is you know an absolutely astonishing response to someone exercising their legal right. Also erroneous under the law because it doesn’t matter where you’re situation if you make a subject access request to a European data controller. But all of that and the failure, the failure of Cambridge Analytica to respond as they are legally obliged to do so, to their subject access request, opened the door for all of the litigation that followed.
Similarly we got a couple of great organizations actually that are using subject access requests just to push back on the gig economy. So, you have companies like Uber that will say we’re not obliged to provide our drivers with full employment contracts because they’re not employees because their job descriptions are different or their responsibilities are different. Or we’re not obliged to comply with certain environmental regulations because the nature of our business is such that we fall outside and all this and they come up with all sorts of ways of trying to exempt themselves from the law that many people think ought to apply. And what unions and organizations working with them are now doing are basically organizing gig economy workers to submit subject access requests then creating data trusts to house the responses—to create an evidence base that pushes back precisely on the kinds of arguments these guys are using in courts. And those involved think this can actually be a more effective way of getting to where we need to be than going through lengthy legal proceedings that could ultimately take years to achieve.
And just the third one I was going to mention was facial recognition. You know if the news almost every day we’ve got companies like Clearview popping up and making lots of waves in the digital rights community. Again, the use of SARs and the demand for data controllers to facilitate subject access requests is leading to tangible changes in some activities of those companies and in my view can potentially—or can and will potentially lead to some very interesting litigation. Just the flip side of that, you asked what can civil society do to make themselves more resilient and again this sort of goes back to the conversation we were having at the beginning. It is the case that the regulation applies equally to all entities and we are starting to see, you know, vexatious malevolent actors using subject access requests that have no interest in getting the data but like the people we would call the good guys want to use the SAR process as a way to get legal leverage into a civil society organization’s activities. And you know this is really why we—one of the main motivations for drafting the report focusing on civil society resilience.
Again, there’s a couple of cases your listeners can refer to in the report but the key thing being that if you don’t as a civil society organization have a robust policy in place for A. how you’re doing your data management, B. how you’re responding to subject access requests, and three, you know, take significant care when you’re doing those things, you are opening yourself up to regulatory pressure and potentially litigation in exactly the same way the Cambridge Analyticas of this world have done so. I’ll just finish with a plug for the report again. It sets out a bunch of recommendations, best practices, things that in our experience civil society organizations, NGOs, have really struggled to deal with or haven’t really thought about, right? Some of this is pretty complicated but there are some base-level stuff that we think all civil society organizations can and should be doing. So hopefully those from that community who are listening will check out the report and find it useful. And I’ll give you the website for AWO, that’s www.awo.agency.
21:53 VERA FRANZ: Yes, and if you’re interested in learning more about Open Society Foundations or work to support civil society, including in the digital age, how we support work to hold digital power to account, to protect information democracy, go to www.opensocietyfoundation.org and follow me on Twitter @vfranz73. Thank you.
22:19 CHRIS DELATORRE: Vera Franz, Deputy Director of Open Society Foundations’ Information Program and Ben Hayes, Director of AWO, thank you.
Digital Impact is a program of the Digital Civil Society Lab at the Stanford Center on Philanthropy and Civil Society. Follow this and other episodes at digitalimpact.io and on Twitter @dgtlimpact with #4Q4Data.