What is the background of the GDPR?
As technologies develop and more and more data are produced and collected, several initiatives seize the potential of the data by re-using it to gain insight or provide new products and services. Mobile applications can, for example, tell users when it will rain in which area by linking weather and geo data. Websites on public procurement provide insight into public spending and decision making. Others combine bus and train schedules and routes to improve public transport and smart city initiatives. Most of the data that is re-used is Open Data that does not include personal data.
Re-using personal data can help organisations understand user behaviour and target their marketing activities more effectively. Because personal data is information relating to a person who can be identified, directly or indirectly, by the data, the right to privacy is affected. The right to privacy is a human right anchored in most modern democracies. Article 8 of the European Convention on Human Rights states that "Everyone has the right to respect for his private and family life, his home and his correspondence." Because processing personal data concerns the privacy of individuals, the use of personal data is regulated.
What is the aim of GDPR?
Directive 95/46/EC was written in the mid-1990s to set a legal framework for data privacy. At that time the internet was still a recent innovation and social media was not yet widespread. Since then, technology and the re-use of data have outgrown the Directive, making an update necessary. To ensure data privacy, regulations had to expand to cover digital privacy breaches. Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") replaces Directive 95/46/EC with the aim of raising awareness, transparency and compliance. It impacts almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based abroad. To increase awareness at the level of companies' senior executives, penalties in case of non-compliance are increased to up to 20 million Euro or 4% of the worldwide turnover.
How can GDPR increase understanding and trust in sharing data?
However, the aim of GDPR is not to penalise data users but to guide data processing, increase trust and encourage sharing and re-using data. A driver for GDPR is to increase understanding of how personal data is treated and processed. Since digital data is mostly intangible, it is more difficult to understand, also because technical or legal jargon is often used. GDPR aims to give citizens back control over their personal data, to simplify the regulatory environment and to highlight the benefit of data re-use in compliance with data privacy regulations.
In the absence of a clear understanding of data privacy regulations, avoidance, anxiety and misunderstanding hinder trust and literate, safe data handling. By setting a solid and current legal framework that protects personal data, GDPR reduces the risk of misuse and privacy breaches (intentional or due to a lack of knowledge or awareness). GDPR determines the conditions for consent:
"... companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."
This way, processing personal data will be more transparent and comprehensible, bounded by guidelines and legal barriers. That also makes it easier and more favourable for data (re-)users to process data and Open Data and create value out of them. Additionally, it helps raise understanding of the benefit of sharing data, because that benefit is no longer overshadowed by insecurity and anxiety about misuse. This highlights that the GDPR supports sharing and re-using data by increasing transparency and knowledge about how to process data in a safe and legal way. With organisations compelled to handle data with greater care, consumers can be more inclined not only to share their data but also to understand the benefits of sharing and re-using data. Therefore, GDPR in fact supports the concept of Open Data.
What kind of data is concerned by the GDPR?
EUgdpr.org provides a highly exhaustive and comprehensible overview of GDPR and what it means. To help understand GDPR in relation to Open Data, two definitions of data can help.
Personal data is "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". GDPR deals exclusively with personal data.
Open Data refers to data which is open for free access, use and modification to be shared for any purpose. The principles for Open Data are described in detail in the Open Definition. Open Data cannot be considered open if it is not accompanied by a licence that ensures its free re-use.
What are the implications of GDPR for Open Data?
There is still a misunderstanding about how protecting data and opening data can pursue the same goal. Some even claim GDPR is contrary to the concept of Open Data. GDPR deals exclusively with personal data. The only situation in which GDPR directly affects Open Data is when Open Data includes personal data. According to GDPR, European citizens must give their clear and explicit consent to the processing of their data. Therefore, no personal data can be published for re-use without the consent of the affected party.
There are a few exceptions in which personal data can be published:
- If there are legitimate reasons to publish data, for example in the case of a court decision. This rule restricts privacy rights in general.
- If the data has been anonymized.
Anonymization is the process of removing personally identifiable information from data. Therefore, these data can no longer be referred to as "personal data" and are no longer subject to GDPR. Ensuring that personal data is processed transparently, strictly following GDPR, can lower the barrier to publishing and re-using Open Data. Therefore, GDPR can facilitate the data-driven economy, generating new products and services that create value for society, while respecting the rights of citizens.