Vera Franz, Ben Hayes, Lucy Hannah
As civil society organizations are becoming increasingly data-heavy operations, basic fluency in data protection is essential. Adapting to the changes brought by the EU General Data Protection Regulation (GDPR) will make civil society organizations more resilient and enable them to appropriately protect the personal data of their staff, donors, beneficiaries, research subjects, and contributors. In an era in which the political and operational space of civil society is “shrinking,” compliance with the GDPR also provides a robust defense against adversaries who may seek to use or abuse the GDPR in an attempt to undermine the activities of these organizations. Fluency in data protection also allows civil society organizations to lead by example on the value of data privacy and demonstrate an alternative to the current model of unchecked, large-scale data exploitation by many big technology companies.
We were motivated to produce this report as we witnessed many NGOs (non-governmental organizations) tie themselves up in knots over their mailing lists in the run up to the GDPR. Countless civil society organizations flooded our inboxes with needless re-consent requests, while large corporations gave the impression of business as usual. With this report, we set out to better understand what the GDPR means for NGOs in very practical terms, and provide some practical guidance to NGOs on issues that they have struggled with.
We wanted to understand NGOs’ attitudes toward the GDPR, the guidance on compliance available to them, the particular compliance challenges they encountered, and the impact the GDPR has on their core activities such as advocacy and human rights investigations. For example, is the approach to mailing lists, where many NGOs unnecessarily culled the addresses of recipients, characteristic of the non-profit compliance experience as a whole? Conversely, is the NGO sector under-complying as it is overly-reliant on the premise that its activities are all in the “public interest” and therefore a priori permissible under the GDPR? Also, we were particularly interested in exploring whether and how the GDPR has been or may be used by political opponents against civil society organizations and how the GDPR fits in with the growing compliance burden associated with the shrinking space for civic activism on political issues. There can be no doubt that tenacious civil society organizations have made powerful enemies; does the GDPR therefore leave them exposed to legal action by vexatious and litigious adversaries? Are they aware of these risks and have they taken adequate steps to mitigate them?
The authors firmly believe in the importance of comprehensive data protection, and the GDPR more specifically. Despite its detractors, the GDPR is without doubt the best entry point to begin to address the damage that massive data exploitation by big tech companies is doing to our societies—from political microtargeting and societal polarization to the out-of-control “ad tech” industry and the emergence and consolidation of tech monopolies. But we also acknowledge the challenges the GDPR creates for civil society. For example, while smaller organizations are exempt from certain compliance requirements such as the appointment of a data protection officer, most of the legislation applies in its entirety regardless of organization size and the compliance burden can disproportionately impact these organizations. This was recognized by the European Commission, which established a dedicated budgetline to help national data protection authorities assist small and medium-sized enterprises in understanding and complying with the GDPR. This was aimed squarely at businesses, with no provision for the hundreds of thousands of non-profit organizations across Europe. It is also notable that whereas most business sectors lobbied for exemptions, special treatment or lower standards in the GDPR to protect their commercial interests and activities, civil society organizations generally lobbied for high standards across the board—without necessarily thinking about the implications for their own work. So while media organizations had sought to ensure that the GDPR did not unduly restrict press freedom, other public interest organizations were not so forward-thinking, which appears to have left a few “gray” areas.
We hope this report can provide some practical guidance to NGOs on issues that they have struggled with: not by producing yet another GDPR checklist or “compliance tool,” but by thinking through the compliance issues that may be unique to civil society organizations engaged in social justice and human rights activism. Unfortunately, there is no getting away from the complexity of the GDPR—a problem compounded by the freedom left to the member states to apply and interpret many of its key provisions in accordance with their own national legal traditions—so the usual caveat about making additional checks for consistency with national law before relying on anything in the best practice section at Annex 1 applies.
The structure of the report reflects the challenges and opportunities that our work revealed. In section 2, we discuss in more detail our findings from the survey and the follow-up conversations we engaged in. The following sections cover notable issues that arose as the project went on. Section 3 provides two examples of when civil society organizations have been sanctioned for non-compliance with data protection law, and the lessons that can be learned by other civil society organizations. Section 4 looks at the way in which Subject Access Requests—which are derived from the fundamental right to access data about us collected by governments and businesses— have been used positively by civil society organizations, but also at how organizations have received and handled frustrating and unfounded requests. Section 5 explores the difficulty of disentangling data protection from wider societal issues of power and resistance, and considers its impact in terms of both push back against civil society organizations, and as a key factor in establishing an “enabling environment” that civil society needs to achieve positive social change. Sections 6 and 7 attempt to draw together the conclusions of our findings and make recommendations for different stakeholders. Annex 1 provides best practice guidance for civil society organizations based upon our research and wider experience of dealing with GDPR compliance.