GDPR is everywhere: hundreds of notifications appear on your email box in just in the blink of an eye. GDPR has a huge impact in all IT companies, but how does this new regulation affect the FOSS community? How does Bitergia manage this?
As you will know (of course you know, you didn’t even get a choice with all the GDPR‘s news popping up), on 25th May 2018 the EU General Data Protection Regulation (“GDPR”) came into force across the European Union replacing the existing data protection regulation. While standardizing data protection laws and processing across the EU, it also introduces new and additional data protection obligations on entities handling personal data.
GDPR and Open source
This impacts many actors in the open source space, including including how they use and contribute to online repositories, communications channels, foundations and other entities that run or manage open source projects, release managers, committers and other contributors to FOSS projects, and even companies using open source software.
A single example would be the “authors” file in a repository, where the name and surname (or nick-name) of the contributors is collected and disseminated publicly. Another example with personal data being published are the statistics of the code management system (e.g. on Github under the “insights” tab).
This data is probably in good faith published (recognition of authorship, responsibility for management, need for communicating among project members) but the GDPR includes a list of information and other requirements that the current infrastructures do not necessarily support making it difficult for entities like Bitergia working in the FOSS space to come into full compliance with the law.
We have noticed that some platforms have updated their privacy policies, but much of this updating has focused on the “first line” functionality of the platform: the core service they provide, such as hosting code, or providing a communication channel. However, these platforms are used for many other purposes, taking advantage of the data and code that is publicly available, including for example the data analytics service that we provide, offering reports on project health, sustainability and dynamics.
Bitergia actions
At Bitergia, while fostering and supporting the FOSS community, we are also committed to ensuring the security and protection of the personal information that we access and process for providing our services and carrying out our analytics.
With the advent of GDPR, we realized we needed to update our privacy program in order to meet the demands of the GDPR and eventually the forthcoming Spanish Data Protection Law.
As we have all seen in the many emails that we have received, “consent” is one of the legal bases of processing data – and some of the online platforms processing EU citizen data are getting this consent, and not just for the primary purpose of the platform (e.g. Eclipse development environment) but also for other purposes related to FOSS projects and communities: project management, authorship recognition, community management through open or close communications , etc. But consent is not the only – nor indeed the main – legal basis for processing personal data: many entities can process personal data for the “performance of a contract” (e.g. providing code hosting services and other functionalities of the platform) or under a “legitimate interest of the entity or of third parties” (among other bases).
Anyone involved activity in open source, such as our clients, among other entities, has a legitimate interest in understanding and gaining insight on aspects related directly or indirectly to different aspects of software development about specific FOSS projects in which they are interested or involved (such as the sustainability and resiliency of the projects, the performance, and the dynamics of the community). They thus have a legitimate interest in analysing the project data, including personal data of project members and participants.
This legitimate interest is due to, depending on the case, one or multiple reasons, like an interest in supporting FOSS projects with specific advice about key points learned from the analysis of the data, or an interest in potentially using the products (programs) produced by FOSS projects and knowing if the project (and code) is sustainable, etc. Where express consent has not been obtained, this interest must be weighed against the fundamental rights and freedoms of the developers and other persons whose data has been processed. This is so that entities cannot just claim “any” legitimate interest, that may even override fundamental rights.
We have done this balancing act, taking into account several factors:
- The project participants have expressly made their personal data public on these platforms;
- Most of the terms of use of these public platforms now provide that the users permit access and compiling of that personal data, and in some cases expressly permit data analytics;
- The data that is accessed is limited to identification and contact data relating to project participant, and their activities on the project (usually in their professional role as software developer), and does not impinge on their personal / domestic life;
- Contributions (and authorship and reputation) are a “personal” thing, and thus it is very difficult to eliminate the personal data (“adopt less intrusive measures” as the law says). Some of the analytics can be anonymous or pseudonymous, but in many cases the identification of the developers is sometimes a key factor in understanding the characteristics of the FOSS Project under analysis.
To sum up…
All in all, we consider that the interest of the community and in particular those entities investing in open source is legitimate enough so as to warrant the collecting and processing of personal data on the public platforms and other open spaces, to do this type of analytics, and that this is not outweighed by fundamental rights. In addition, one could also argue that processing of personal data made available in the source code repositories for this type of analytics is a “compatible secondary purpose”, in relation to the original purpose for data collection by the source sites (e.g. for attribution of authorship, attaining community recognition).
If you are interested in knowing more about how Bitergia prepared for GDPR and all the steps we have taken, please go to our Privacy Statement . Our aim is to provide FOSS projects insights according to legal and privacy terms, so contact us to get more information about our analytics services!
And last but not least, we would like to thank ID Law Partners and Malcolm Bain, the lawyer who is helping us in everything related with GDPR.
