{"id":274,"date":"2021-05-25T17:27:44","date_gmt":"2021-05-25T15:27:44","guid":{"rendered":"http:\/\/blogs.ifla.org\/faife\/?p=274"},"modified":"2021-05-25T17:27:44","modified_gmt":"2021-05-25T15:27:44","slug":"gdpr-three-years-on-five-lessons-on-data-privacy-and-libraries","status":"publish","type":"post","link":"https:\/\/blogs.ifla.org\/faife\/2021\/05\/25\/gdpr-three-years-on-five-lessons-on-data-privacy-and-libraries\/","title":{"rendered":"GDPR, three years on: five lessons on data privacy and libraries"},"content":{"rendered":"<p><i>When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy \u2013 both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.<\/i><\/p>\n<p>The GDPR\u2019s third anniversary gives occasion to reflect on the progress made so far, where discussions on data privacy, confidentiality and security stand today, and the implications of this for libraries. This blog presents five lessons:<\/p>\n<p><b><i>1) Change is afoot, in Europe and beyond:<\/i><\/b> The oft-cited trend of an emerging new generation of privacy laws continues; with legislation introduced, amended or currently under review in different parts of the world \u2013 from<a href=\"https:\/\/www.endpointprotector.com\/blog\/data-protection-legislation-around-the-world\/\" target=\"_blank\" rel=\"noopener\"> Canada to Brazil, Singapore to Australia<\/a>.<\/p>\n<p>In addition,<a href=\"https:\/\/techcrunch.com\/2021\/05\/14\/facebook-loses-last-ditch-attempt-to-derail-dpc-decision-on-its-eu-us-data-flows\/\" target=\"_blank\" rel=\"noopener\"> with the \u2018Privacy Shield\u2019 framework for data exchange<\/a> between the EU and the USA overturned, policy discussions around the privacy and security of cross-border data flows also remain high on the agenda. 
As such, mutual adequacy decisions and other arrangements further shape the global and local policy environments around data privacy.<\/p>\n<p>Within Europe, stakeholders are paying close attention to the outcomes of the implementation and ongoing enforcement of these policies. On the one hand, the past months saw sustained growth in the number of breach notifications submitted and fines issued within the GDPR framework.<\/p>\n<p>On the other hand, as a recent<a href=\"https:\/\/www.accessnow.org\/cms\/assets\/uploads\/2021\/05\/Three-Years-Under-GDPR-report.pdf\" target=\"_blank\" rel=\"noopener\"> GDPR implementation progress report by Access Now<\/a> notes, many complaints from private individuals are yet to be addressed; and data protection authorities and EU bodies flag some crucial challenges in enforcement \u2013 e.g. in the cross-national collaboration mechanism, national differences in implementation, and others.<\/p>\n<p>The report highlights that GDPR is \u2018still in its infancy\u2019; but it is a flagship regulation that continues to have a significant impact on the global data privacy policy field. As such, for libraries around the world, it is worthwhile to keep up with these key developments as they continue to navigate their work with user (and employee) data.<\/p>\n<p><b><i>2) It is not only governments that are changing their approaches:<\/i><\/b> another emerging trend is private tech companies increasingly stepping into the roles of data protection stakeholders, and changing how online data flows unfold &#8211; e.g. 
with<a href=\"https:\/\/www.politico.eu\/article\/google-apple-privacy-regulators-gdpr-floc\/?mc_cid=46d523bcb4&amp;mc_eid=fdb7877561\" target=\"_blank\" rel=\"noopener\"> Apple\u2019s software update and Google\u2019s planned steps to reduce third-party<\/a> tracking.<\/p>\n<p>However, the reactions to these seem to be mixed &#8211; some celebrate the anticipated privacy gains, others <a href=\"https:\/\/www.politico.eu\/article\/google-apple-privacy-regulators-gdpr-floc\/?mc_cid=46d523bcb4&amp;mc_eid=fdb7877561\" target=\"_blank\" rel=\"noopener\">express concerns over big tech having far-reaching capacity to act as data privacy regulators<\/a>, and in particular whether private companies can ever be as accountable as public regulators. This also raises questions about whether those companies already able to draw on the lessons of previous data collection will enjoy unfair advantages compared to competitors. <a href=\"https:\/\/qz.com\/2008372\/recent-online-privacy-gains-will-benefit-rich-countries-first\/?mc_cid=c782648c48&amp;mc_eid=fdb7877561\" target=\"_blank\" rel=\"noopener\">Others noted<\/a> that the benefits from privacy measures introduced by private companies may not be distributed equally &#8211; for example, with those who are able to afford more expensive devices ultimately enjoying higher privacy standards.<\/p>\n<p><b><i>3) The relevance of GDPR and other privacy protections is greater than ever, including in libraries:<\/i><\/b> it was under the framework of GDPR that the leap to digital during the pandemic took place. There are examples of how it helped inform the choice of medium for online programming (e.g.<a href=\"https:\/\/www.librariesconnected.org.uk\/resource\/running-digital-events-adults\" target=\"_blank\" rel=\"noopener\"> ruling out some channels<\/a>, like WhatsApp). 
There are also<a href=\"https:\/\/www.carnegieuktrust.org.uk\/publications\/making-a-difference-libraries-lockdown-and-looking-ahead\/\" target=\"_blank\" rel=\"noopener\"> examples<\/a> of GDPR having an impact on whether some initiatives \u2013 like organised outreach to potentially vulnerable library users \u2013 were on the table.<\/p>\n<p>But of course, as privacy remains an important consideration in many public discussions during the pandemic (e.g. contact tracing, vaccine passports), for countless librarians there is a heightened sense of responsibility and vigilance around data privacy.<\/p>\n<p>As such, the year saw professional discussions, guides and toolkits put together to help libraries navigate privacy challenges during the pandemic \u2013 from<a href=\"https:\/\/chooseprivacyeveryday.org\/when-libraries-become-medical-screeners-user-health-data-and-library-privacy\/\" target=\"_blank\" rel=\"noopener\"> contact tracing and temperature checks<\/a> to supporting educators in<a href=\"https:\/\/www.slj.com\/?detailStory=Zoombombing-Is-Just-the-Start-How-To-Protect-Students-Privacy-During-the-Remote-Learning-Explosion-coronavirus-COVID19\" target=\"_blank\" rel=\"noopener\"> protecting student privacy online<\/a>.<\/p>\n<p>When planning these adjustments and responses, going back to the basics &#8211; understanding the key building blocks of privacy today \u2013 can be helpful. For example, GDPR has helped shape the understanding of what personal data encompasses today \u2013 e.g. not just the obvious categories like names and addresses but also, for instance, graphic and photographic data, and so much more. 
It commits to principles like data minimisation \u2013 a concept which wasn\u2019t new to libraries, of course, but nonetheless helpful in thinking about any organisation\u2019s data management processes, and<a href=\"https:\/\/www.accessnow.org\/cms\/assets\/uploads\/2021\/05\/Data-Minimization-Report.pdf\" target=\"_blank\" rel=\"noopener\"> reducing risks and harms<\/a>. All these elements and concepts can be helpful for libraries in structuring their thoughts on what privacy means today &#8211; even for those not falling under GDPR\u2019s jurisdiction.<\/p>\n<p><b><i>4) But it\u2019s not always easy to enforce privacy:<\/i><\/b> some of these measures are, of course, a matter of internal processes and are comparatively easier for libraries to implement (e.g. choosing a medium for online programming; maintaining strict policies and procedures in situations when contact tracing is required).<\/p>\n<p>However, the past months also saw reflections on how it is significantly more difficult for libraries to keep up privacy standards, initially developed in an analogue world, in digital processes which involve powerful third parties.<\/p>\n<p>These were exemplified in the library concerns<a href=\"https:\/\/sparcopen.org\/news\/2021\/addressing-the-alarming-systems-of-surveillance-built-by-library-vendors\/\" target=\"_blank\" rel=\"noopener\"> around the surveillance capacities of academic library vendors<\/a> (e.g. 
the ways vendors may use library patron data far beyond anticipated purposes, or even<a href=\"https:\/\/www.codastory.com\/authoritarian-tech\/spyware-in-libraries\/\" target=\"_blank\" rel=\"noopener\"> proposals for more intrusive data collection in academic libraries to enforce copyright<\/a>).<\/p>\n<p>Some of the proposed paths to solving these challenges include, of course, better understanding these phenomena, and supporting libraries\u2019 work to renegotiate or recalibrate relationships and agreements with outside vendors.<\/p>\n<p><b>5) Privacy and performance should not be seen as mutually exclusive<\/b>: too often, it is easy to see <i>privacy as a zero-sum game<\/i>. However, this is not inevitable.<\/p>\n<p>This was echoed during the discussions about public health interventions reliant on large-scale data collections: trading away privacy for other benefits is not always a helpful framing. Instead, built-in privacy which preserves and ensures trust in such public health interventions<a href=\"https:\/\/globalprivacyassembly.org\/wp-content\/uploads\/2020\/09\/GPANewsletterVol2Issue3.pdf\" target=\"_blank\" rel=\"noopener\"> can help them find broader acceptance, while a lack of trust can undermine their success.<\/a><\/p>\n<p>As a<a href=\"https:\/\/1gp3bd3nt4aa1f5uv53pfuu3-wpengine.netdna-ssl.com\/wp-content\/uploads\/2020\/10\/PLP_Toolkit_Final-Accessibility-Modified.pdf\" target=\"_blank\" rel=\"noopener\"> Data Privacy<\/a> Toolkit by the Pacific Library Partnership puts it in the library context,<\/p>\n<p><b>\u201cPositive-sum versus \u201call or nothing\u201d outcomes: taking a \u201cwe can have privacy or we can have this other thing\u201d approach to privacy discussions leaves little to no room for discussions that address the privacy needs and concerns of everyone involved.\u201d<\/b><\/p>\n<p>The discussion about data privacy, of course, remains both technical and complex, and can at times feel overwhelming. 
But between ongoing efforts to identify practical measures libraries can take, their advocacy efforts, and an overarching commitment to privacy as a key part of their professional ethics, the work to ensure libraries deliver on this commitment continues!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy \u2013 both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.<\/p>\n","protected":false},"author":810,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[26354,26347,27082,27494,26278,44],"class_list":["post-274","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-data-protection","tag-ethics","tag-gdpr","tag-general-data-protection-regulation","tag-internet-governance","tag-privacy"],"_links":{"self":[{"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/posts\/274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/users\/810"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/comments?post=274"}],"version-history":[{"count":1,"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/posts\/274\/revisions"}],"predecessor-version":[{"id":275,"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/posts\/274\/revisions\/275"}],"wp:attachment":[{"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/media?parent=274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/categories?post=274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.ifla.org\/faife\/wp-json\/wp\/v2\/tags?post=274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}