Perfect, so our next speaker is Christina Delisle, talking about GDPR.

Okay, so I'm just going to try and look at the screen, because my computer failed me. Just don't look, I'm very proud of its brand. So it's okay. So I'm Christina. Thank you very much for choosing to attend this presentation. I'm very excited to be the one that is going to do the GDPR talk inside this room, and I'm going to talk about a few things related to open source and the quest for GDPR compliance.

Okay, a few words about me. At xWiki, I am the DPO of XWiki SAS, which is a top-sponsoring company of xWiki, the open source project, which means basically that, according to its rules of governance, it has the largest number of developers inside the xWiki dev core team. Regarding CryptPad, this is the result of the work of our research team. It's also an open source project, and it consists of encrypted editors which are stored inside the cloud; in terms of the GDPR, it's encryption by design. Our privacy compliance journey is something related to the communities formed around these two projects.

This talk is going to be about how the GDPR impacted the open source communities and, second of all, how the open source communities can impact the GDPR and the principles of the GDPR, because the open source communities have principles and also have very healthy practices that can help and enhance the principles that the GDPR is talking about.

Now let's see what the GDPR did to us. It has a lot of transversal impact, and, to be honest, it was very challenging for me to do a slide about an overall picture of how GDPR compliance might work, so I just split it into three main areas.

One impact was from the point of view of legal and compliance governance: basically all companies, all businesses, all organizations had to review their privacy strategies, taking into consideration the fact that there is a major risk of non-compliance. So basically, when a company is doing budgeting, it should take into consideration the fact that maybe there is a high risk of non-compliance, so the budget should take these aspects into consideration as well. Regarding accountability, it changed basically the burden of proof, because so far, if somebody were to say something, the company was the one who was going to say "oh, I'm innocent". But now the company should be proactive and should prove its compliance with the GDPR, and this means a set of a lot of things that a business should do. Regarding lawfulness, this is the part about the consent of the person, and the consent needs to respect a few rules that the GDPR imposes. About policymaking, this was like reviewing all the policies that we have, respecting a few standards, respecting a few guidelines from the GDPR, and also a lot of auditing. So basically auditing is our weapon: we audit something, then we propose measures, and then we improve things inside the organization. So organizations had to think a lot, starting with the 25th of May last year.

From the point of view of the technical aspect, what the GDPR does is enhance a lot of things to do regarding handling data breaches, and it also proposes encryption solutions to be a best practice inside your organization. So basically encryption became like the rule that we need to take into consideration. We need to think about anonymizing data.
We need to think about encrypting data. We need to think about this choice as primary: between the choice of encrypting and not encrypting, we should go on the side of encryption, and also privacy by design and by default. It also made a lot of difference from the point of view of data collection and lifecycle, because now the data should be collected for specific purposes and should be kept only as long as those purposes exist; it should not be extended, it should not be used more than it should be, and so on. I'm sure that you are very informed from this point of view about what these things mean.

These are a few of the areas of the biggest fines that were applied so far, and a lot of them take into consideration things that have happened before the GDPR got enforced. We can see that one of the main things is really related to consent, and this is like what the marketing team inside an organization did: when the consent was, for example, not really given, or when instead of "yes" and "no" the options were "yes" or "yes", or something like that, or when, I don't know, somebody was sending an email to the data subject and adding in CC all the other people from our mailing list. I mean, these are things that basically have happened and, on the other side, have brought a lot of fines to the people doing them, because they did not consider the lawful way of treating consent. Regarding data security areas, there have been a lot of leaks and breaches. The infosec area has been around the block for a long time, so it's not something really new for them. And regarding those two things that I placed there...
You can see there some causes of why breaches happen, and also you can see some effects of what happens when a breach is happening. Basically, if we are talking about a small business, pretty much 60% of small businesses close their doors before the GDPR. This is actually a statistic from 2014.

Now, let's see what the GDPR did. Very fundamentally, it impacted the relationship between the data controller and the data processor. Basically, a data controller is the company that determines the purpose and means of processing, and the processor is the one that is having a DPA with the controller and is the third party that processes on the controller's behalf. In between themselves we currently have this thing called a DPA, data processing agreement, and they are obliged basically to establish a set of rules between them, taking into consideration different aspects regarding how they will handle data breaches: if, for example, a data processor has a data breach, it should inform the data controller. There are lots of things that the GDPR imposes that previously were not very enforced and were not very clear. So basically the GDPR did the very cool thing of determining what the relationships between the controller and the processor are, and it also takes into consideration the fact that somebody can act as a controller and a processor in the same relationship, depending on the data that we are talking about. So you can be a controller and also a processor at the same time, basically depending on the data that you are handling inside your organization. And also the processor can have sub-processors, and the relationship pretty much stays the same.

And if you think that this distinction between controllers and processors is something new, in fact it existed previously, and a very revolutionizing thing that happened around 2012 was when Google Inc. was sued, and at that point there was a decision that was brought by the European Court of Justice on Google Spain and Google Inc. versus Mr. González, who was a Spanish citizen. So this decision at that point was very revolutionizing, because up to that point Google was considering itself a data processor, and after this decision, because the European Court of Justice made this ruling, Google was considered a data controller, which meant basically a lot of extra work for them to do, and this was even before the GDPR. The impact of this was that by 2016 Google received a lot of requests to remove approximately 1.2 million websites, which previously were not at their door, or which previously existed at their door but they would have had the opportunity of just saying "I'm a processor, go to the controller". And now we pretty much know Google is a controller, so we do have the opportunity of making a lot of requests, for example because it's our data, and they should answer to those requests, of course.

Now let's see how we are imposing this model, the model between data processor and data controller, on the open source model, because it's a bit challenging.
It's not really the classical business relationship that we are having when we have a company and another company. We have a lot of controllers and processors around the open source communities, around the open source ecosystems, and we have also the community itself. The community is not something that is for profit; it's something that is formed by us, formed by data subjects, data subjects that are physical persons that pretty much have rights now, which are very much enforced by the GDPR. And I called the others, the controllers and processors, the infrastructure providers. They are the ones who, let's say, are buying our beer, but pretty much they are providing our hosting, if we have a forum or a website, for example. They are offering us a lot of things around what we are doing inside our open source community.

And now let's give some examples of who is a controller and who exactly is a processor in xWiki, the open source software. The controller of hosting on xwiki.org, which is where you will find the open source project, is XWiki SAS, which is the company that offers services on top of the open source project, and on behalf of the company, OVH, which is another company, offers hosting. So basically XWiki SAS is a controller of that data from xwiki.org, which is the open source project, outsourced, let's say it like that, to a processor, which is OVH. And we have basically this relationship between these three aspects.
We have the community, we have XWiki SAS, and we have also OVH, which is the data processor. On GitHub, for example, which we all know loves open source software very much, GitHub acts as a controller of our personal data from our free private user accounts. So if we have an account on GitHub, which I pretty much know you do, GitHub the company is the one that is the controller of your email address, for example. And if you are, for example, a business like XWiki SAS and you buy some services from them, and you want them to process the invoices, they become the processor of those invoices. So they act also as a controller on some aspects and as a processor on some other aspects.

Now, why should they process our personal data? Because the GDPR offers us a few very clear reasons why somebody can process the personal data that we offer them. First of all is compliance with the law, and this is basically a legal obligation, for example invoices. We pretty much know now that, depending on the legislation, there is a certain time that we need to keep those invoices. So basically, if somebody makes a request to delete an invoice from our database, we cannot do it, because the law says we cannot, so we have to keep it. Now, the contract reasons: this is a contract that is done by the data subjects. For example, if you come to FOSDEM and you sign an agreement with the conference organizers, you pretty much have a contract with them that you should come, you should pay, you should be here, and so on. Legitimate interest is something very interesting, because it's always something about assessment. It's about balancing.
It's about balancing the interest of the person who is a data controller and the interest of the data subjects themselves. Because, for example, if you are a notorious person and there's an article in the newspaper about yourself, if you make a deletion request, maybe the newspaper can say no, because you're a public person. But if you're a private person, then the balance pretty much shifts, and the GDPR talks about careful assessment. And the consent, which should be specific and informed: it should require an affirmative action, and it should be freely revocable. Basically, if I change my mind, the data should be given back.

Now let's see some illustrations. From the point of view of the contract: your username and email address are given in order to create your GitHub account, and also you are pretty much accepting their terms of service agreement with GitHub. This is the example of the conference that I previously explained, so we have the terms of service agreement with the company GitHub and we accept it; so basically we accept them to process our email address or our username. The consent is something related, for example, to my picture from xwiki.org, where it was something not necessary for that account to exist, but I just decided to offer them my picture, so they are processing my picture based on my consent. Legitimate interest, and this is interesting: the commits to the open source code of an open source project. In order to make that commit to the open source project, you need sometimes to provide your name, to provide your email, and you are pretty much aware of the fact that you are doing this, and your intention pretty much is to make it public, is to contribute. So that processing is legitimate on behalf of the open source people, of the open source software, that is processing your personal data. And for example, we have here the Developer Certificate of Origin from Linux, that pretty much states what the GDPR has said, and this is a bit older: "including all personal information I submit with it, including my sign-off". So when you contribute to the Linux open source project, you pretty much are aware of the fact that your email address maybe will always be public, or that what you are committing will always be public and will not be deleted if you have a data subject request.

Let's see open source and the GDPR. The control of the data goes to the people, and this is pretty much what the open source software did, as the GDPR has as its main aim, as its main spirit: to give the data back to the people. It doesn't belong to the controllers; it belongs to the data subjects. Cloud computing has been a very old debate around the open source software community, and with this model of processor and controller, what the GDPR did was something good for the open source, because it pretty much cleared the relationship between the cloud provider and the people using that provider: the provider is a processor, and the person using it is offering that data in order for it to be processed. So basically it enhanced this relationship; it helped, it contributed to this debate on cloud computing.

Regarding extraterritoriality, this is highly compatible with what the online environment has, because it's perfect if the GDPR pretty much becomes the new standard of the future regarding privacy, and it extends borders. Even though it is in theory applicable to data subjects from the European Union, it pretty much might become the standard in the future, and pretty much people from outside Europe are considering the GDPR when they are doing their policies. The open source governance is by default transparent, and this is something that helps the GDPR, because we can see bugs, for example, and we can fix them; if there is a security issue, we can fix it, and everything is pretty much visible to everybody, and everybody can pretty much contribute to the success of the open source project. And also this transparency contributes a lot to help us prevent vulnerabilities of a code, because people are participating. And also it's very privacy-oriented, because it's for the people, by the people, and also it's facilitating meritocracy, which pretty much speaks for itself.

The open source innovation in privacy is something that is not really a coincidence, in my opinion, because a lot of the open source projects nowadays are considering privacy as something very fundamental inside their principles, inside their projects. We have decentralization, we have federated networks, we have zero-knowledge collaborative software, which is CryptPad. And I wanted to illustrate to you how privacy by design and by default are enhanced by zero-knowledge collaborative software, and by that I mean zero-knowledge collaborative software basically using encryption, which pretty much speaks for itself regarding privacy by design; and the privacy by default thing, which means that an organization should only process data that is necessary, to an extent that is necessary, as long as it is necessary. And this is something actually debatable, because if we store data in the cloud, should it be by default encrypted?
This is more like something to debate, because on the other hand the cloud provider will not be able to provide backups. And this is something that should be balanced: what should be the perspective of the future regarding cloud computing? Should it be private by default to have it encrypted, or should it be privacy by default to have the current status quo?

Now, feel free to contact me. Thank you very much for attending this presentation, again, and if you have any questions, please do ask. I think we have some time.

Hello, thank you very much for the talk. So my question is around the kind of legitimate interest. Without somebody overseeing, like either a regulator or somebody, you know, the legal department, etc., the temptation is to tip the legitimate interest ever in the favor of, you know, the companies or the data processor or the sub-processors. Do you think that that's currently one of the problems with the regulation, or will we get to that as, you know, more information about GDPR emerges?

Okay, yeah, that's a good question. What I think is that it's something very healthy to debate first inside the organization if we should accept or not a data subject request, and this debate pretty much contributes to the future of that data request. To show you how this thing is working: you as a data subject are sending to the organization a data subject request, and the organization currently should think first: should it accept your request or should it not accept your request?
And I believe this is actually healthy in determining what the positioning of that organization is, because pretty much what that organization is doing is not really ruling what the right thing to do is; that is the job of a judge that might come afterwards. What the organization does is have an answer to that request, and after that, if, let's say, you are not satisfied with that request, you can move forward and you can go to the national authority and say why you are not satisfied with that request. Now we have another procedure, where the national authority, who are not the judges, are the ones who are deciding if that request should be okay, if you're right or if you're wrong. And if you are not satisfied with that, you can go, as Mr. González did, to a national court. He went to Spain first, he went to a national court in Spain, and afterwards he was not satisfied with what the national court of Spain did, and then he went even higher, and then even higher. He encountered a judge that had a question for the European Court of Justice, and the European Court of Justice could have had more questions, but one of the questions was: is Google Inc. a controller or is it the processor? And the European Court of Justice said at that point, before the GDPR, that it is a controller, and this was an evolution towards the perspective of how we handle privacy. And I believe this is healthy, because in general, in my opinion, it's very important to debate, and I'm very pro that attitude.

Do you have any more questions? Okay, thank you very much.

Hi, just a quick question. Is she there? Is she going... I don't know whether she will hear me. No? Hi, just a quick question. Okay, and yes, I'm a teacher, an educator, not a software developer. GDPR came into the UK, and for us as educators it is quite a big thing, and across the world, for us to look at to conform to in schools, because in reality...

I cannot really hear you.
So, oh right. Can you hear me now? Excuse me, can you hear me? No, no, no, she can't hear me. I can hear that you said she can't hear me. Oh, right. Okay. Yeah, so we had GDPR come in for schools to use, that we had to take quite seriously. But things like, and I won't name names, but some of the software that's been given to schools for free now has like 35 million users in the UK. We're opting into them knowing that they conform to GDPR, but then we're not looking when it goes to the legitimate interests that those companies then share to 45 of the companies, on the basis of the information they collect about children in schools, to 45 of the companies under the legislation of legitimate interests. You cannot, I have tried, you can't seem to see or get any further than that. They just stand there and go "it's legitimate interest that we take your kids' information from school and we farm it out to Google, to Amazon, to all of these other proprietary things". But educators aren't getting the message that the free software that they're getting sold at national conferences, like Bett, where I spoke, on which billions of pounds were spent to sell it to us, that this is an issue for the data privacy of those students. We're effectively giving away young people's information, and not even parents are... these kinds of things aren't getting through to them. GDPR, how do you feel that that has made a dent on it? Because I feel like it's just gone: yeah, we got legitimacy with GDPR, but now we can just put legitimate interests and everybody will be fine about it.

I don't think personally that legitimate interest is something that is, let's say, just posted, and it's like "yeah, it's in legitimate interest". But as a person, in defense from a company, you might hear "the legitimate interest". So currently we do have a gray area in that aspect.
So the answer might be in the evolution of the vision we have currently on the GDPR and on privacy. What I do believe, however, is that what we did so far is an evolution. So we can notice significantly that this is starting to become something important and something very relevant, something to be placed on the agenda. And this is something that actually was seen on the 25th of May, when everybody had so many different interpretations about what the GDPR does, doesn't, and so on and so forth. However, after the 25th of May last year, things have pretty much gone in the direction of privacy. Now companies are thinking about it, and us as data subjects, what we should do, and as members of an open source community, is in fact be aware of the fact that we do have lots of rights and we do have the possibility of using them. So if we use these rights, we are actually putting pressure on the private sector, and we are putting pressure on this evolution. We are contributing basically to them offering more attention towards this topic.