6 Replies Latest reply on Jul 20, 2018 2:37 PM by Grégoire Michel

    GDPR & "Open Source" Data?

    Lawrence Mien

      I'm currently working on implementing GDPR practices and I've run into an interesting situation with my data and legal colleagues located in Russia.

      My colleague insists that if we obtained their data from an "open source" third party, they have consented to us using their data by giving their data to that third party. For example, if someone submits their data to a directory or a tradeshow, we are free to use their data from the tradeshow. An example he gave was Facebook giving user data to third parties. His justification is that the legal team has told him this is okay, but somehow I am not entirely trusting of the legal team's judgement on this as I have not personally spoken with them.

      I had a lot of issues with this and I wanted to get input and verification on my arguments from anyone else who would have expertise. Please let me know if this all makes sense. Here are my issues:

      1. Proving consent - How would we prove we have their consent, with data such as opt-in date and IP, if their agreement is not with us?
         1. Terms of consent - Unless we have the GDPR acceptance terms from every single repository that we got data from, how can we be sure that they have consented to their data being transferred for use by a third party?
      2. According to the definition of approved Third Countries, US entities receiving data must be part of Privacy Shield, which I don't believe we are, which will lead to these derogations that must be met.
      3. Guidelines on data obtained from somewhere other than the subject (Art. 14 GDPR) require specific actions to be taken which we have not taken (Additional information on this).

      I feel like this is pretty compelling evidence that the situation he's indicated is NOT GDPR compliant, but I want to be sure. Thanks in advance for any input.

        • Re: GDPR & "Open Source" Data
          Sanford Whiteman

          I 100% agree with your assessment, Lawrence.

          I don't even know what "open source" could possibly mean here except a total corruption of the term. To use Facebook -- who have been known to break their own privacy agreements and/or not enforce them for 3rd-party apps -- as an example is almost like a confession.

          • Re: GDPR & "Open Source" Data?
            Grace Brebner

            I agree also.

            I'm not a lawyer (thankfully), but based on what I do know:

            One key component of consent under GDPR is that it must be clearly informed, clearly recorded and easily revoked (see: Consent | ICO). I would be very sceptical of a suggestion that you could use consent as a legal basis here - this:

            they have consented to us using their data by giving their data to that third party

            Would only stand up (in my mind) if, when they provided their data to that third party, they were presented with and agreed to an opt-in that was explicit about the data being given to you specifically, explicit about exactly what you would do with that data, explicit about exactly how long you would hold that data, provided a link to both their and your privacy policy, and there was an adequately easy means for the user to revoke that consent. Not to mention, all of this would need to be demonstrably proven in court if you were challenged - so you'd have to record what they consented to and when and where, and store that data. Anything less than that and you're likely open to challenge - which, based on the high consequences for failure in GDPR... Well, let's just say I'd err on the side of nothing less than that.

            And that doesn't even get into the whole other kettle of fish of sharing data with third parties requiring additional agreements around data processors vs. data controllers, and which of the two is liable if the processor causes a breach of GDPR...

              • Re: GDPR & "Open Source" Data?
                Josh Hill

                Yes.

                GDPR is clear that even if the person consented to communications with a tradeshow company, they ALSO have to explicitly OPT IN to communications from YOU if the data is to be shared. You should definitely not use data w/o a clear chain of consent. Perhaps best to confirm this with EU counsel, rather than Russian counsel.

                Open Source info is essentially website scraping or research, which is not legal in most countries outside the US and generally against most websites' privacy policies. "Open Source" is a term from the intelligence community, where they gather info from news, libraries, and easy-to-access places that do not require spying.

                I find this odd, because Russia does have an interesting set of privacy laws of its own.

              • Re: GDPR & "Open Source" Data?
                Lawrence Mien

                Thank you, everyone, for your input.

                I was able to put together a pretty compelling set of evidence for why it is 120% not compliant, and I think they have no qualms about my assessment. Much appreciated!

                • Re: GDPR & "Open Source" Data?
                  Grégoire Michel

                  100% sure this is not compliant with GDPR. Period.

                  -Greg