Brussels, 6 June 2018
Dear Data Protection and IT Professionals,
The EU's new law, the General Data Protection Regulation (GDPR for short), applies from 25 May 2018 onwards. It consists of 99 articles and 173 recitals that together fill 88 pages in the official publication. Unlike a technical standardisation document, many of those articles must first be interpreted in light of case law from past judgements and the published opinions of data protection authorities. As a result, even compliance questions for relatively simple applications such as a mailing list cannot be answered without a profound study of many legal documents. Complex concepts such as privacy by design and pseudonymisation raise many questions that are yet to be answered.
At the same time, the tech industry has worked for many years on solutions that make it fairly easy to set up personal data processing applications. Thanks to e.g. Google Sheets, Doodle, Mailchimp, or WordPress, even non-experts can nowadays become data controllers with only a few clicks or swipes. The development of peer-to-peer protocols for distributed databases, e.g. Bitcoin, Dat, or IPFS, has the potential to lower the initial hurdle to becoming a data controller even further, up to the point where the controller is not even aware of being one.
To allow for a rapid adoption of data protection obligations, and in turn an overall increase in data hygiene, training for data controllers and processors is needed and must be accessible not only to those who can afford to dedicate resources to it, but ideally to all data controllers and processors. For this reason, we call for the foundation of a collaborative Internet knowledge database under a free Creative Commons license to ensure its broad and continuous availability.
So far, freely accessible practical advice is often, if not mostly, offered by stakeholders that may have conflicting business interests. Online service providers, law firms and training institutes may gear advice towards their own services. Restrictive licenses may prevent good advice from being freely shared. Erroneous or outdated advice may not be updated. The latter is especially important, as GDPR compliance is a moving target: new judgements or advances in state-of-the-art privacy engineering[1] require continuous updates.
As data protection is an interdisciplinary field, the knowledge database should be co-authored jointly by legal experts and computer engineers and must accommodate the needs of both communities. The platform Stack Exchange provides communities with a software solution for collaborative frequently asked questions (FAQ). The platform is well known to most computer engineers for offering stackoverflow.com and more recently started law.stackexchange.com[2]. The collaboration is organised as follows:
- Questions, answers and meta-data are published on the Internet under a free license (CC BY-SA) and are available for download in machine-readable form.
- Anybody can ask or answer a question.
- The best answers are voted to the top.
- Users earn reputation points for every vote they receive.
- Users unlock privileges as they earn reputation, like the ability to comment or vote.
- Moderators are elected among users, and top users have access to special tools to help moderate.
To provide for an overall high quality of answers, answers shall cite primary sources, in particular wherever they would otherwise rest on opinion. This rule is also employed by Wikipedia and can be enforced by both moderators and top users.
The signatories support the foundation of such a collaborative data protection knowledge database in the form of frequently asked questions.
Authors and Initial Signatories:
- Robert Riemann, Brussels
- Xavier Lavayssière, Paris
- Franz Ritschel, Köln
If you want to receive updates or if you have questions, please send your request to email@example.com. If you want to become a signatory, send a mail to firstname.lastname@example.org. Requests in French are answered at email@example.com, and signatures in French are accepted at firstname.lastname@example.org.
List of Recipients:
- the Internet Privacy Engineering Network (IPEN for short), an initiative of the European Data Protection Supervisor
- Stack Overflow, the company behind the famous knowledge database stackoverflow.com for programmers
- European Digital Rights (EDRi for short), an association of civil and human rights organisations from across Europe
- the participants of the 2018 edition of the Annual Privacy Forum (APF for short)
- the organisation committee of the international conference Computers, Privacy and Data Protection (CPDP for short)
- and non-disclosed individual recipients
[1] Art. 25 GDPR on data protection by design and by default requires controllers to take into account, among other factors, the state of the art both when determining the means for processing and during the processing itself.
[2] law.stackexchange.com already covers questions on GDPR and data protection. However, we feel that data protection deserves its own platform that also encompasses other disciplines such as computer engineering or ethics.