Thanks very much. My sort of day job is as a chief privacy officer for a company that performs relationship analytics. This gets right into the middle of privacy law all over the world, so I spend a lot of time dealing with this, and in particular dealing with GDPR. Given that it keeps coming up and it keeps being a bugbear for developers, operations people, security people, I had intended to do a talk on what technologists need to know about GDPR for FOSSASIA this year, and in fact that's how this talk ends. But I realized while I was putting it together that there's actually a much larger idea here that I thought was worth sharing. What I realized was that software freedom and the GDPR data subject rights are in fact pursuing the same objective. I hope I persuade you that it's almost exactly the same objective, it's not just similar, and then I'll talk about what you need to know about GDPR in practical use. So what is the objective? The FSF's essential freedoms and the GDPR's data subject rights seek to put individual human beings in very real control: with respect to computers that we own and use, control of the software that's running on those machines; with respect to data that other people or organizations are processing about us.
That is, any data and any organizations or people: control of all that data, and then a particular kind of control. The actual words used also turn out to be rather similar. The Free Software Foundation unabashedly talks about freedom and software freedom. They sort of apologize for "free software" because what they mean is freedom, not free of charge. GDPR talks about fundamental rights and freedoms; that phrase appears more than 30 times in the regulation. GDPR is unequivocally human rights law. We look at it as yet another technical standard to comply with, but it is not; it's very clearly human rights law. Once you get your head around that, that changes the way it looks and changes the way you think about it. Frequently I get people sort of saying to me things like, you know, this GDPR's a real pain with stuff that gets in the way, and we're gonna do these things, and oh my god it's so inconvenient. And I, who sort of work with it all the time and use it as a blueprint, have exactly the reverse response to it. And it finally began to occur to me that this is an argument that I have seen before, historically, centuries ago. It's the complaint that a change in social norms and in laws and in the enforcement of those laws gets in the way of an existing set of practices. And so the example I give is this one. Before you think I've gone completely off the deep end, the point I'm making in the first instance is just that society progresses, legal systems change, and businesses that are locked into or dependent upon an old way of doing things will struggle when these transitions occur. Just as cotton pickers in the southern part of the US in particular were really upset about the idea that they would no longer be able to own cotton pickers and would have to go and do it themselves. So, sorry, the cotton farmers were upset that they were not able to own cotton pickers. However, after I thought about this for a while,
I realized that the parallel runs much, much deeper than is really apparent. I won't take you through this entire document, but it's fascinating. It's fairly straightforward language; it's only about 30 pages long. The EDPS is a role. The European Data Protection Supervisor is an individual role created within the EU system. I won't try to explain where it sits because you end up with gigantic complicated diagrams of the institutions. The important facts are that this gentleman has remarkable rights with respect to both the legislative and regulatory processes within the EU and is therefore somewhat influential. It's a five-year contract basically. The current incumbent, whose name I neglected to note, is very well-versed, does not mince words, but absolutely understands the topic. From this particular opinion I've extracted two sentences, and I wish to emphasize this is a little part of the problem that he's explaining in that opinion. He deals with the whole range of methods of manipulation: the whole dark patterns thing, addictive patterns, all those things, but also targeted advertising. This is a method of manipulation. Targeted advertising isn't just like broadcast advertising or newspaper advertising but a bit better. It's better because it is more able to change the decisions that people make, and the means that are used to produce it and to fine-tune it and to fine-tune its delivery categorically have nothing to do with improved accuracy or precision or personal welfare resulting from those decision-making processes. They relate exclusively to the increased revenue for the platforms that are using and performing the targeting. Strong words, but he goes further. In fact, he goes much further.
I reiterate, this is one little part of the problem. He basically identifies the human rights that are at stake. The principle of electoral transparency is not met if voters cannot seek, receive and share information about the process and the candidates and their funding. These rights are also therefore challenged by online manipulation. A direct consequence of these two observations is that targeted advertising is incompatible with democracy. It's that stark. This is not hypothetical. We've now seen it with the recent US presidential election and with Brexit. We have very good reason to believe that the Russian troll factory was involved in the 2016 presidential election in the US, and increasing evidence that the same is true for Brexit. Targeted advertising is a high-power, super precise manipulation machine. It is totally incompatible with the concept of individual citizens governing as a society or a state. And for the third time, this is only one of the problems. He identifies a dozen other problems at this scale. So while the abolition of slavery seemed like an almost crazy point of comparison, it starts to seem a bit less crazy. The other point I'd make is it's not remote from us. Maybe all these weird things that lawyers and human rights activists are getting up to are perhaps out of scope for FOSSASIA. This all happened on Friday. This is a project that's looking to produce a personal assistant that works for its user, takes away the biases that are there to serve the platform owner and the highest bidder among their customers. They're looking to adopt SUSI as a core component of a neutral, unbiased, fair personal assistant. This is FOSSASIA two days ago. So it's right in the middle of what FOSSASIA is about. Excuse me briefly. All this was a stalking horse for reminding people that we're about the F as well as the O. We spend a lot of time talking about open source and I don't object to that at all. It's a legitimate mechanism.
It's the basis for most of our cooperation. The distinction from free software, or with free software, is perhaps not immediately obvious, so much so that when we had our first keynote last year from a member of, or representative of, the Open Source Initiative, he essentially claimed that free software and open source software were the same thing, that there was no difference between them at all from the standpoint of the approach. That is somewhat true in the sense that all free software is also open source software, and the Free Software Foundation in fact supports this view. This is the same approach being pursued in the service of two different objectives: one is users' freedom, the other is quality, efficiency, flexibility of software (footnote: freedom from predatory vendor lock-in, which is a kind of freedom, which is in fact a freedom where it's effective). But apart from that overlap, they are two quite different objectives. It happens that the approach to them is very much the same. But today's discussion is more about the two different approaches to a specific objective, that being the free software rather than the open source objective. So I don't wish to suggest that one is greater or less than the other; they are both important, and the fact that the approaches overlap so normally means that we're able to deal with, or able to address, both in this forum. Hopefully most people in this room have already seen this, but in case you haven't, the four essential freedoms that the FSF identifies for free software: to run a piece of software or program the way you use it, at will, any way you like and for any purpose; to study it and modify it any way you like for the reason you like; to share copies of the program in order to help people around you; and to share copies of your modified version of the software further to help people around you. This is different to, although related to, the Open Source Definition and therefore the Debian Free Software Guidelines with it. But for today's
talk I'm talking specifically about the freedoms that free software is aimed at. I'll ask for a show of hands: is this familiar to everyone, or at least some people? About half, all right, fair enough. Okay, so now let's go and have a look at GDPR, and specifically the data subject rights. GDPR is 88 pages, which sounds like a lot until you compare it with things like HIPAA and a bunch of other even more prescriptive rules. A chunk of it is a set of legally enforceable human rights that are created; these are called data subject rights. They apply to every single natural person within the jurisdiction of the EU member states, so this is literally human rights. The last two there are actually expressed as obligations of controllers rather than rights of individuals, but for the purposes of the discussion they're relevant. They are: if someone is processing personal data about you, you have a right to have access to that data. You have a right to correct errors in it. Health records are a common example that have incorrect information about what you're allergic to or your medical history; that may in fact endanger your life. So you have of course a right to access that information from anyone who holds it and, if it's incorrect, to correct it. Likewise things like credit ratings; that's a more direct example where the rectification comes in. It is information about someone else's unpaid debt that's damaging your credit reference; then you either can't borrow or it will be more expensive for you to borrow. You have a right to fix that. You have a right of erasure. In a whole lot of cases, unless there are specific compelling reasons, and I'll get to those, you can simply instruct a controller to delete data about you, and they are legally obliged to do so, and to confirm that they have done so, and to do so within 30 days. Restriction of processing is related.
This came up for the Royal London Free Hospital and Google DeepMind. I would point out that the fault here was the hospital's and not Google's. They went through the entire process to ensure that what they're doing is legitimate with respect to using the machine learning technique for better diagnosis. However, what they said: oh yeah, and you can go and do a bunch of test cases, completely outside the process, failing to perform the assessment and failing to recognize that doing so would bias the resulting machine learning in ways that were not anticipated within the assessment. The regulator was graceful enough to invite the hospital to sign an enforceable undertaking that ran about 15 pages, basically to do a bunch of things they were supposed to have done in the first place and didn't, and didn't levy a fine. But they published it. This is a common thing for GDPR regulators particularly. They'd rather change behavior than punish, and if they can do so by saying here's what's expected, here's someone who did it wrong, and here's how we will react nicely if you clean up your act fast, which is a lot nicer than a 20 million euro fine. Data portability doesn't apply universally, but certainly in cases where you provide the data. This is a bit like sort of your money in a bank account, and I'll come back to that analogy. The controller is obliged not only to make the data available to you upon request, but to also facilitate the automated transfer to some other controller, including a competitor. So I think Google Takeout perhaps is an example of a first cut of a mechanism of this kind, but the idea is that the act of engaging a controller to process data for you should not lock you in. It should be possible for you to move, a bit like being able to move phone numbers, being able to keep your phone number when you move between telcos, that you shouldn't be locked in by the fact that it's difficult to shift. The rights of objection, I won't dig deeply into those, but they're
basically if you're unhappy with something that the controller has done, then to call it out on that and have them formally explain themselves. And there's an unnamed right to be free from automated decision-making, only those that have major effects. The fact that a ticket barrier won't let you through if there's something wrong with your electronic ticket is not something you then go and sort of file a complaint about, or perhaps you can, but rather things like credit decisions, access to welfare, enrolment on electoral registers, all those sorts of things. If you are unhappy with an automated decision, you have a legally enforceable right to have the controller have a human being review the decision and document that review and the basis of either retaining the decision or modifying it, and the failure to do so within 30 days is itself a breach of the regulation and is itself actionable as a breach. The transparency and the integrity and confidentiality also: the transparency is important because if a controller is not transparent about what they're doing, then there's no way for you to exercise these rights. If you don't know that someone's processing data about you, you can't even start this process. So there's a mechanism by which you must announce that you are processing data; generally it's registration with a regulator. And finally, obligations of integrity and confidentiality, and this is sort of too obvious to say, that's why it doesn't turn up as a right, but if you are entrusting confidential personal information to an organization to process, then they're obliged to keep it confidential.
They can't turn around and sell it out, having told you they were going to do otherwise. So this doesn't look a whole lot like the FSF essential freedoms. Access is a little bit like access to the code, rectification is a bit like modifying the code to fix bugs, but the rest is just clearly unrelated. I noticed one day that there's a different way to think about them. Information security is a function in most organizations that provides to the board and stakeholders a set of capabilities with respect to information possessed by the organization and the systems used to process it. Those capabilities are traditionally confidentiality (medical records stay secret), integrity (the errors are corrected or don't exist) and availability. Now the latter is perhaps less obvious, but if you are unconscious in an emergency room, the people attending you need access to your medical records. It's not okay to say oh, the computer's down, come back next week. So availability is a somewhat important and often overlooked piece of information security. Then there's another; it's named a few different ways, accountability, trustworthiness, and it's sliced different ways depending on whose scheme you look at, but the ability to object, to be free from automated decision-making, and transparency are broadly accountability obligations. So on this telling, the data subject rights in GDPR are essentially infosec, but instead of being on behalf of the board and the shareholders and the regulators and society at large, they're on behalf of the individual data subjects about whom personal data is being processed. I don't know if this helps you or not, but it certainly helped for me. It was a light bulb that suddenly clicked for me, that this is literally security as an individual with respect to information being processed about you. And so certainly this shift from data controllers having their information that they possess and do whatever they like with, to data controllers as custodians of information about you that they
process under your direction, subject to your consenting or not objecting. That's a shift. You might be wondering therefore: okay, so far understood the thing, but what's the purpose of GDPR? The assumed purpose for people who are objecting is that it's to prevent the flow of information. In fact, it's the reverse. Yes, harmonize the protection of fundamental rights and freedoms, and ensure the free flow of personal data. This is a direct quote from recital 3 on page one. GDPR's purpose is to ensure the free flow of personal data. So if you run up against something that says oh my god, the GDPR stops me from getting my thing done, firstly, you've completely misunderstood what it's about. It doesn't say you can't do it; it says you can do it, and then spells out what you must do in order to comply. And secondly, depending on what you're doing, this might be a big signal that you need to stop doing it, rethink it, and not because the GDPR thinks you're bad, but because you're doing something that's inappropriate for human beings. So what do technologists need to know? The most surprising, or one of the three or four, the most surprising thing that keeps coming up, is what personal data is. There's a term in wide use in the US and a bunch of other jurisdictions including Australia: personally identifiable information, and it's tied to only the first of these, that identifies, like names, ID numbers, locations, online identifiers. GDPR employs a much broader definition: anything at all that relates to an identified or even identifiable natural person is personal data. Every single photograph that's being taken during FOSSASIA includes enough information to separate the person whose face appears in the photograph from another person, to tell the difference.
That fact is specific to the physical identity of that natural person. The fact that we know nothing else about the person, their name, address, where they live: nonetheless, it's personal data. You know, inside the EU you are already inside the scope of the regulation. Again, that's not a problem. The regulation is not a list of what you can't do. It's the opposite: it's a list of what you can do. So you want to be inside the scope. But that just surprises people. An example: the anonymization framework that Felipe presented yesterday, I think, with the format-preserving pseudonymization of things like phone numbers. So you are replacing a correct phone number with one that is still the right format but has a lookup key somewhere. So A, it's a pseudonym, it's still personally identifiable, because if you have the key you can map that back to an individual; but B, you might have mapped to the phone number of another natural person. Well, that's identified; that relates to a person even though you only got there coincidentally. You are possessing data that relates to that person; that person has legally enforceable rights against you even though you don't know who they are. So it's a very, very, very broad definition. The other big one: it's not limited. There's nothing about this that limits it to confidential data. The mere fact that you've been named as having been convicted of murder in a newspaper is not sufficient excuse for a web host or a website search index, Google for example, to continue processing or even retaining that information. That's the right to erasure; that's the kind of control this is.
So the things I'm talking about aren't just about secret data. They're about anything at all about a human being. And to get back to the EDPS opinion, there's a whole lot of public data that can be used to profile you and more precisely manipulate you, so GDPR's scope includes the whole lot. I'm short of time, so very quickly: territorial scope. Generally if you are inside the jurisdiction of an EU member state, then all personal data is subject to the regulation. If you are outside, then you come into the regulation's scope under two circumstances. One is you're promoting goods and services to people within, even if they're free, but certainly if they're for money. Marketing is the big one. So if you're profiling, you're inside; you must then comply. The other is if you're doing anything that qualifies as monitoring. This is unfortunate; it's a bit difficult to say what monitoring is and isn't when you actually get down to it, but roughly, if you are observing change over time. Lawful basis: I might eat most of my time on this because this is really, really important. Processing is lawful if and only if you fit one of these six buckets. If you don't, you are breaking the law. It's that blunt. There are two scope exceptions incidentally. Domestic, so friends' phone numbers in your phone, no problem. Judicial: if you work for a court, different set of rules. But everybody else, every for-profit company, every non-profit, every political party, every government body, every quango, the whole lot, are within the scope of the regulation. The six bases? The first one is consent. I'll get to the rules for consent in a moment. They're extraordinarily high. It works for marketing. It's not much good for a great many other things. The tendency to attempt to consent-launder is understandable but bad. It's not enough to have common law consent. Necessary for performance of a contract: if I'm an e-commerce provider and you place an order with me to deliver to your home, of necessity I will give your address to a courier.
I don't need your consent for that. I'm legally obliged. Compliance with a legal obligation: mostly for regulated industries, so bank KYC stuff. You don't need consent for that. Protect vital interests: someone's gonna die, okay, disclose now, argue later. Public interest or official duty: importantly, public interest is not DIY. It must be in a way that's spelt out in member-state law. This matters to archivists. You can't archive personal data in the EU unless you have member-state law setting out what it is. And finally legitimate interests, and this is where a whole lot of stuff comes up. As long as the data is gained legitimately and the interest being pursued is legitimate, then you can process. However, you've got to do the balancing exercise with the data subject's human rights. There's a standard way to do it. It takes a few hours. It's not terribly difficult, but it has to be done. It's got to be documented and it's got to be available to data subjects and to the regulators. Purpose specification is critically important. You must know what the purpose is and you must have documented it. Firstly your lawful basis depends upon it, and secondly all the choices you will make stem from that. This is another much longer session, but just understand that it's not just "keep that because it might be useful". You must have a purpose; you must say it. Consent requirements are staggering. It's got to be specific. You can't bundle it. The subject can withdraw at any time. You must tell them prior to getting consent that they can withdraw at any time. It shall be as easy to withdraw as to give consent. All these nag bars that are saying "accept cookies": strictly speaking they must then put up a nag bar that allows you to decline, because it must be as easy. If you've made it easy to consent,
you must also make it easy to decline. You're making a cross for your own back. If you don't meet all of these, then your consent is invalid for GDPR purposes. It's a very, very, very high bar, and it can't be used in relation to dependents generally. An employer can't rely on the consent of an employee. You've got to use legitimate interest and you've got to perform the assessment. I apologize for running out; I'm almost there. There's a bunch of information that has to be provided. This looks a bit like a privacy policy. You'll start to see on EU websites what are called data protection notices. Sometimes it's on the website, sometimes it's on a form; there's a few different ways to provide it. There are also disclosures relevant during research that involves personal data, even de-identified personal data. Most importantly, don't panic. It's complicated. It does create a bunch of new obligations. It does interfere with long-established ways of doing business, as did the abolition of slavery too. Don't allow this to freak you out. Get help. Work out what you have to do and do it. The regulation's purpose is to facilitate the free flow of data. Thank you.
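The format-preserving pseudonymisation point made above, as an added example that is not from the talk or from the framework the speaker refers to: a toy keyed token vault for phone numbers in Python (the key, the customer numbers and the subscriber directory are all constructed), showing the two things the speaker flags, that whoever holds the vault can re-identify a token, and that a token which keeps the real number format may coincide with another subscriber's real number.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Assumed number shape: "+", a 1-3 digit country code, then 6-12 subscriber digits.
PHONE_RE = re.compile(r"^\+(\d{1,3})(\d{6,12})$")


class TokenVault:
    """Keyed, reversible pseudonymisation that keeps the +CC prefix and length.

    Whoever holds the vault can map a token back to the original number, so
    the tokens are still data relating to an identifiable person.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._forward: Dict[str, str] = {}   # number -> token
        self._reverse: Dict[str, str] = {}   # token  -> number

    def pseudonymise(self, number: str) -> str:
        match = PHONE_RE.match(number)
        if match is None:
            raise ValueError("not a +CC<digits> number: %r" % number)
        if number in self._forward:
            return self._forward[number]
        cc, subscriber = match.groups()
        # Derive replacement digits from a keyed hash so the same input always
        # yields the same token; keep the subscriber-part length unchanged.
        digest = hmac.new(self._key, number.encode(), hashlib.sha256).hexdigest()
        digits = "".join(str(int(ch, 16) % 10) for ch in digest)[: len(subscriber)]
        token = "+%s%s" % (cc, digits)
        self._forward[number] = token
        self._reverse[token] = number
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse a token; only possible for a holder of the vault."""
        return self._reverse.get(token)


def colliding_tokens(tokens: List[str], directory: List[str]) -> List[str]:
    """Tokens that are also real numbers in a subscriber directory.

    Because a token keeps the real number format, it can coincide with a
    number that belongs to some other natural person; the record then
    relates to that person even though the mapping was coincidental.
    """
    real = set(directory)
    return [t for t in tokens if t in real]


if __name__ == "__main__":
    vault = TokenVault(key=b"constructed-demo-key")   # constructed, not a real key
    customers = ["+441632960123", "+3225551234"]      # constructed sample numbers
    tokens = [vault.pseudonymise(n) for n in customers]
    print("tokens:", tokens)
    print("vault holder can reidentify:", [vault.reidentify(t) for t in tokens])
    # Constructed directory of "other subscribers"; it deliberately contains one
    # of the tokens to show what a collision with a real number looks like.
    others = ["+441632960999", tokens[0]]
    print("tokens that are someone else's real number:", colliding_tokens(tokens, others))
```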