When the world’s most comprehensive digital privacy law – the EU General Data Protection Regulation (GDPR) – took effect in May 2018, media and tech experts focused much of their attention on how corporations, who hold massive amounts of data, would be affected by the law.
This focus was understandable, but it left some important questions under-examined, specifically those concerning non-profit organizations that operate in the public’s interest. How would non-governmental organizations (NGOs) be impacted? What does GDPR compliance mean in very practical terms for NGOs? What challenges are they facing? Could the GDPR be ‘weaponized’ against NGOs and, if so, how? What good compliance practices can be shared among non-profits?
Ben Hayes and Lucy Hannah from Data Protection Support & Management and I have examined these questions in detail and released our findings in this report.
Our key takeaway: GDPR compliance is an integral part of organisational resilience, and it requires resources and attention from NGO leaders, foundations and regulators to defend their organisations against attempts by governments and corporations to misuse the GDPR against them.
In a political climate where human rights and social justice groups are under increasing pressure, GDPR compliance needs to be given the attention it deserves by NGO leaders and funders. Lack of compliance will attract enforcement action by data protection regulators and create opportunities for retaliation by civil society adversaries.
At the same time, since the law came into force, we recognise that some NGOs have over-complied with the law, possibly diverting scarce resources and hampering operations.
For example, during our research, we discovered a small NGO that undertook an advanced and resource-intensive compliance process (a Data Protection Impact Assessment, or DPIA) for all of its processing operations. DPIAs are only required for large-scale and high-risk processing of personal data. Yet this NGO, which holds very limited personal data and undertakes no marketing or outreach activities, engaged in this complex and time-consuming assessment because the organization was under enormous pressure from its government. They told us they “wanted to do everything possible to avoid attracting attention.”
This stands in stark contrast to the leisurely and sometimes reckless approach to GDPR compliance taken by Big Tech. For example, a report found that Microsoft had failed to conduct a DPIA for its widely-used Office software, even though it clearly involves large-scale and high-risk data processing.
Our research also found that private companies, individuals and governments who oppose the work of an organisation have used GDPR to try to keep NGOs from publishing their work. To date, NGOs have successfully fought against this misuse of the law.
Global Witness, for instance, successfully resisted attempts by the owner of a global mining company to use GDPR to harass them. The owner used a provision in the law, known as data subject access requests, to try to force Global Witness to disclose the sources it used in an anti-mining campaign. This provision, which gives individuals the right to know who holds their data, was never intended to be used as a tool for powerful companies to intimidate those holding them to account. Indeed, UK officials ruled that Global Witness did not have to provide this sensitive data, finding that the NGO should benefit from the same protections journalists enjoy.
A similar case surfaced in Romania. There, the RISE Project, an investigative journalism organization, published a damning story about Liviu Dragnea, then-President of Romania’s Socialist Party. Using emails, videos, photos and other materials, RISE pieced together a detailed portrait of alleged corruption by the politician.
What happened next shocked RISE. The Romanian Data Protection Authority, empowered by the GDPR to protect Romanians’ privacy, threatened RISE with a $20 million fine and requested details of the sources used in the story, as well as an explanation of why the subjects of the story were not informed prior to publication. RISE declined to expose its sources, noting that doing so would violate their journalistic work and impinge on their freedom of expression rights. The case is ongoing.
This report leaves us with a key challenge: how can we strengthen civil society’s ability to comply with GDPR and push back against what we expect to be a growing number of abuses of GDPR against civil society?
NGOs we spoke to generally set a high bar for compliance. Their values coincide with key GDPR principles. They tend to believe that users must be able to effectively control their personal data, and that those who collect and use that data must be fully transparent and accountable to the users.
But we need to acknowledge that compliance is challenging.
First, certain aspects of the law are currently ‘grey areas’ that concern important programmatic civil society activities. For example, it is currently unclear whether the growing group of NGOs specialized in providing research services to investigative journalists and advocacy organisations can rely on the journalistic or research exemptions in GDPR. We need regulators and courts to step in and interpret data protection laws with a view to extending, not constraining, the civil society space.
Second, compliance is resource-intensive. We need NGO leaders and funders to work together to create a holistic support infrastructure for civil society to better connect the experts and NGOs active in the responsible data, digital security and data protection communities. With this report, which includes a 20-page best practice guide for GDPR compliance, Open Society Foundations hopes to make a first contribution towards strengthening data governance in the NGO sector.
Photo credit: Rodion Kutsaev