Bits of Freedom makes privacy law work in practice
My Data Done Right: a new tool for generating personal data requests
It's now a year since the General Data Protection Regulation (GDPR) came into effect, reinforcing the privacy rights of Europe's internet users. Under the GDPR, you have the right to access data that relates to you, the right to get personal data corrected or added, the right to be forgotten, and the right to move your data somewhere else ('data portability'). Significant advances, at least on paper. In reality, however, things don't always work the way they do on paper. Having rights and using them are two very different things. It's all very well being entitled to access your data, but how do you know who to ask? And how do you actually do it? After all, every organisation has its own procedures. With support from SIDN Fund, Bits of Freedom has therefore devised an open-source tool called My Data Done Right, which helps internet users get over such hurdles. David Korteweg talks about the project, collaboration with SIDN Fund, and what happens next.
Bits of Freedom campaigns for internet freedom for all. "We've been working for years to improve the way that internet users' privacy and other rights are protected in the Netherlands," says David. "With My Data Done Right, we're aiming to give people increased scope for action. The aim is to make it easier to use the rights given by the law." The tool is just one of the many ways that Bits of Freedom works to protect everyone's digital rights.
How does it work?
My Data Done Right makes it easy to ask for access to your personal data, or to get it transferred, corrected or deleted. You generate a request by answering a number of questions on the My Data Done Right website. First, you select the appropriate request type and say what organisation you want to approach. Then you give details of the data that needs attention. After that, the tool prompts you to say how you're known to the organisation (e.g. by your name or e-mail address). You also need to say whether you want to send your request by e-mail or post, how you want to receive the response, and what language you want your request written in. (The choice is currently Dutch or English.) Once you've answered all the questions, your request is generated. All that's left for you to do is send the request to the postal or e-mail address that's given. An intensive development process led to the tool's launch on 25 October 2018. "We began by defining the requirements that the tool had to meet. Naturally, we felt it was vital to protect users' privacy, and that principle has guided every aspect of the tool's design. When you generate a request, for example, the data you provide is held locally by your browser. None of it comes our way: Bits of Freedom doesn't retain any information about you on its server, not even temporarily."
"Our database of contact details now covers more than 1,500 organisations," continues David. "All the information has been entered by volunteers using an online environment. There's a web form for adding in the addresses and other relevant details of data processing organisations to the database." Although it's been a labour-intensive undertaking, the database is now largely complete. For the time being, it's restricted to the major players in each sector, including public service providers, social media companies and retailers.
SIDN Fund: "Interest in privacy issues has been growing since the GDPR came in. My Data Done Right is a valuable online tool that's empowering citizen-consumers to actually exercise their privacy rights. At the same time, the information about data processing organisations held in the tool's database sheds light on how those organisations are complying with the law. The project is very much in line with SIDN Fund's objective of promoting the autonomy and freedom of internet users. Further plus points include the tool's accessibility and the fact that no personal data is recorded. It's also good that Bits Of Freedom plans to actively make My Data Done Right available to other internet rights lobby groups around Europe. Naturally, SIDN Fund hopes that, in time, the tool will come to the attention of an even larger and more diverse user group."
"Everything is open source. And the database can be accessed by means of an API, so other applications can make use of it. It's also easy to add local organisations in other countries." David and his colleagues have developed the tool with support from SIDN Fund. The assistance made it possible to bring in external developers to work on the design and build the frontend and backend. "We've worked with SIDN and SIDN Fund before. They're both important players in the internet ecosystem, and the Fund's aims match our own very well. The support enabled us to turn our plans into something tangible, which will be useful for a long time to come."
All the tool's basic elements were in place within six months. And thousands of requests have already been generated and submitted. However, Bits of Freedom isn't content to leave it there. The team is now working on a feedback mechanism, enabling users to say how data processing organisations deal with their requests. That will enable analysis to identify organisations that repeatedly fail to respond, for example, or don't handle requests correctly. Problems can then be reported to the regulator or the media. Another of Bits of Freedom's aims is internationalisation. "We've deliberately designed the tool to make it adoptable by campaign organisations in other countries. After all, internet users have the same rights throughout the EU. It would be great if local versions of My Data Done Right were available in all EU member states."