In the recent article about Oxford Ancestors shuttering, I briefly mentioned GDPR. I’d like to talk a little more about this today, because you’re going to hear about it, and I’d rather you hear about it from me than from a sky-is-falling perspective.
It might be rainy and there is definitely some thunder and the ground may shake a little, but the sky is not exactly falling. The storm probably isn’t going to be pleasant, however, but we’ll get through it because we have no other choice. And there is life after GDPR, although in the genetic genealogy space, it may look a little different.
And yes, one way or another, it will affect you.
What is GDPR?
GDPR, which is short for General Data Protection Regulation, is a European, meaning both EU and UK, regulation(s) by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU/UK and processing of data of residents of the EU/UK by non-EU/UK companies.
There are actually two similar, but somewhat different regulations, one for the UK and one for the EU’s 28 member states, but the regulations are collectively referred to as the GDPR regulation.
Ok, so far so good.
The regulations are directly enforceable and do not require any individual member government to pass additional legislation.
GDPR was adopted on April 27, 2016, but little notice was taken until the last few months, especially outside of Europe, when the hefty fines drew attention to the enforcement date of May 25, 2018, now just around the corner.
Those hefty fines can range from a written warning for non-intentional noncompliance to a fine of 20 million Euro or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is GREATER. Yea, that’s pretty jaw-dropping.
So, GDPR has teeth and is nothing to be ignored.
Oh, and if you think this is just for EU or UK companies, it isn’t. It applies equally to any company that possesses any data of any EU or UK resident in their data base or files, providing that person isn’t dead. The law excludes dead people and makes some exceptions for law enforcement and other national security types of applications.
Otherwise, it applies to everyone in a global economy – and not just for future sales, but to already existing data for anyone who stores, transmits, sells to or processes data of any EU resident.
What Does GDPR Do?
The intent of GDPR was to strengthen privacy and data protections, but there is little latitude written into this regulation that allows for intentional sharing of data. The presumption throughout the hundreds of pages of lawyer-speak is that data is not intended to be shared, thereby requiring companies to take extraordinary measures to encrypt and anonymize data, even going so far as to force companies to store e-mail addresses separately from any data which could identify the person. Yes, like a name, or address.
Ironic that a regulation that requires vendor language be written in plainly understood simple wording is in and of itself incredibly complex, mandating legal interpretation.
Needless to say, GDPR requirements are playing havoc with every company’s data bases and file structure, because information technology goals have been to simplify and unify, not chop apart and distribute information, requiring a complex network of calls between systems.
Know who loves GDPR? Lawyers and consultants, that’s who!
In the case of intentional sharing, such as genetic genealogy, these regulations are already having unintended consequences through their extremely rigid requirements.
For example, a company must appoint a legal representative in Europe. I am not a lawyer, but my reading of this requirement suggests that European appointed individual (read, lawyer) is absorbing some level of risk and could potentially be fined as a result of their non-European client’s behavior. So tell me, who is going to incur that level of risk for anything approaching a reasonable cost?
One of the concepts implemented in GDPR is the colloquially known “right to be forgotten.” That means that you can request that your data and files be deleted, and the company must comply within a reasonable time.
However, what does “the right to be forgotten” mean, exactly? Does it mean a company has to delete your public presence? What about their internal files that record that you WERE a customer. What about things like medical records? What about computer backups which are standard operating procedure for any responsible company? What happens when a backup needs to be restored? If the company tracks who was deleted, so they can re-delete them if they have to restore from backup, then the person isn’t deleted in the first place and they are still being tracked – even though the tracking is occurring so the person can be re-forgotten.
Did you follow that? Did it make sense? Did anyone think of these kinds of things?
Oh, and by the way, there is no case law yet, so every single European company and every single non-European company that has any customer base in Europe is scrambling to comply with an incredibly far-reaching and harsh regulation with extremely severe potential consequences.
How many companies do you think can absorb this expenditure? Who do you think will ultimately pay?
Younger people may not remember Y2K, but I assuredly do, and GDPR is Y2K on steroids and with lots of ugly teeth in the form of fines and penalties that Y2K never had. The worse scenario for Y2K was that things would stop working. GDPR can put you out of business in the blink of an eye.
Categories of “Processors”
GDPR defines multiple levels of “processors,” a primary controller and a secondary processor plus vaguely defined categories of “third party” and “joint controller.”
The “controller” is pretty well defined as the company that receives and processes the data or order, and a “processor” is any other entity, including an individual person, who further processes data on behalf of or as a result of the controller.
There appears to be no differentiation between a multi-million-dollar company and one person doing something as a volunteer at home for most requirements – and GDPR specifically says that lack of pay does not exempt someone from GDPR. The one possible exception that exists in that there is an exclusion for organizations employing less than 250 persons, ”unless processing is likely to result in a risk to the rights and freedoms of the data subject.” I’m thinking that just mentioning the word DNA is enough to eliminate this exemption.
Furthermore, GDPR states that controllers and processors must register.
Right about now, you’re probably asking yourself if this means you if you’re managing multiple DNA kits, working with genetic genealogy, either as a volunteer or professionally, or even managing a group project or Facebook group.
The answer to those questions is that but we really don’t know.
ISOGG has prepared a summary page addressing GDPR from the genetic genealogy perspective, here. The ISOGG working group has done an excellent job in summarizing the questions, requirements and potential effects of the legislation in the slide presentation, which I suggest you take the time to view.
This legislation clearly wasn’t written considering this type of industry, meaning DNA shared for genealogical purposes, and there has been no case law yet surrounding GDPR. No one wants to be the first person to discover exactly how this will be interpreted by the courts.
The requirements for controllers and processors are much the same and include very specific requirements for how data can be stored and what must be done in terms of the “right to be forgotten” requests within a reasonable time, generally mentioned as 30 days after the person who owns the data requests to be forgotten. This would clearly apply to some websites and other types of resources used and maintained by the genetic genealogy community. If you are one of the people this could affect, meaning you maintain a website displaying results of some nature, you might want to consider these requirements and how you will comply. Additionally, you are required to have explicitly given consent for every person’s results that are displayed.
For genetic genealogists, who regularly share information through various means, and the companies who enable this technology, GDPR is having what I would very generously call a wet blanket effect.
What’s Happening in the Genetic Genealogy Space?
So far, we’ve seen the following:
- Oxford Ancestors has announced they are shuttering, although they did not say that their decision has anything to do with GDPR. The timing may be entirely coincidental.
- Full Genomes Corporation has announced on social media that they are no longer accepting orders from EU or UK customers, stating that “the regulatory cost is too high for a small company” and is “excessive.” I would certainly agree with that. Update; On 3-31-2018 Justin Loe, CEO of Full Genomes says that they “will continue to sell into the EU via manual process.”
- Ancestry has recently made unpopular decisions relative to requiring separate e-mails to register different accounts, even if the same person is managing multiple DNA kits. Ancestry did not say this had to do with GDPR either, but in reading the GDPR requirements, I can understand why Ancestry felt compelled to make this change.
- Family Tree DNA recently removed a search feature from their primary business page that allowed the public to search for their ancestors in trees posted to accounts at Family Tree DNA. According to an e-mail sent to project administrators, this change was the result of changes required by GDPR. They too are working on compliance.
- MyHeritage is as well.
- I haven’t had an opportunity to speak privately with LivingDNA or 23andMe, but I would presume both are working on compliance. LivingDNA is a UK company.
One of my goals recently when visiting RootsTech was to ask vendors about their GDPR compliance and concerns. That’s the one topic sure to wipe the smile off of everyone’s face, immediately, generally followed by grimaces, groans and eye-rolls until they managed to put their “public face” back on.
In general, vendors said they were moving towards compliance but that it was expensive, difficult and painful – especially given the ambiguity in some of the regulation verbiage. Some expressed concerns that GDPR was only a first step and would be followed by even more painful future regulations. I would presume that any vendor who is not planning to become compliant would not have spent the money to have a booth at RootsTech.
The best news about GDPR is that it requires transparency – in other words, it’s supposed to protect customers from a company selling your anonymized DNA out the back door without your explicitly given consent, for example. However, the general consensus was that any company that wanted to behave in an unethical manner would find a loophole to do so, regardless of GDPR.
In fairness, hurried consumers bring this type of thing on themselves by clicking through the “consent,” or “agree” boxes without reading what they are consenting to. All the GDPR in the world won’t help this. The company may have to disclose, but the consumer doesn’t have to read, although GDPR does attempt to help by forcing you to actively click on agree.
I’m sure we’ll all be hearing more about GDPR in the next few weeks as the deadline looms ever closer.
May 25, 2018
Now you know!
There’s nothing you can do about the effects of GDPR, except hold on tight as the vendors on which we depend do their best to navigate this maze.
Between now and May 25th, and probably for some time thereafter, I promise to be patient and not to complain about glitches in vendors’ systems as they roll out new code as seamlessly as possible.
Gluttons for Punishment
For those of you who are really gluttons for punishment, here are the actual links to the documents themselves. Of course, they are also guaranteed to put you to sleep in about 27 second flat…so a sure cure for insomnia.
- The EU document: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- The UK document: https://www.gov.uk/government/collections/data-protection-bill-2017
- Parliament BIll HL Bill 66: https://publications.parliament.uk/pa/bills/lbill/2017-2019/0066/lbill_2017-20190066_en_1.htm
- Information Commissioner’s Office Website: https://ico.org.uk/
- Irish Data Protection Commissioner: https://www.dataprotection.ie/docs/gdpr/1623.htm
I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.
Thank you so much.
DNA Purchases and Free Transfers
- Family Tree DNA
- MyHeritage DNA only
- MyHeritage DNA plus Health
- MyHeritage FREE DNA file upload
- 23andMe Ancestry
- 23andMe Ancestry Plus Health
- Legacy Tree Genealogists for genealogy research