Privacy for your passion project
Do you really have to think about privacy in a passion project? Are there other rules for you, and if not – where do you start?
The European privacy rules (GDPR), Schrems II, legitimate interest and the like are things most of us look forward to putting aside when we get home from work. But if you spend your spare time on a coding project of your own, you'll soon run into many of the same issues.
Do privacy rules apply to my passion project?
Yes. This might be debatable – the European privacy rules do not in fact apply to individuals. But that is when you process personal information for private reasons. Your passion project offers a service, and even though you may not have registered a corporation, it's reasonable to assume that it will be covered by the European privacy rules. Anyway, there's not a lot to gain by gambling that a user won't someday come along asking bothersome questions.
I don't make any money on my project, do the rules still apply?
Yes. Turnover and profits are in no way required for you to be liable under the privacy rules. And before you think you have found a clever loophole – you may still be fined. Most people think of 4% of total turnover when talking about GDPR fines, but the complete legal text is actually:
"administrative fines up to 20 000 000 EUR, or (...) up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher"
Should you have a turnover of 0, you may still, at least in theory, get a chill 20 million euro fine if you don't have your ducks in a row. If that isn't motivation enough to keep reading, I don't know what is.
I can't possibly understand the entire GDPR! Help me!
There are two ways to attack this. The first is the rigid and correct way. If you don't have the necessary competencies in privacy, and can't get them by other means, processing of any personal information is illegal.
But there's no fun in that! So let's attack this from the other, more pragmatic point of view: if you follow some simple and general principles, you will most likely comply with most rules of the GDPR, and not least you'll make a very privacy-friendly passion project!
The most important thing is becoming conscious of what kind of personal information you collect and process. As such, a quick refresher on what personal information is might be useful. GDPR states that personal information (or personal data) is "any information relating to an identified or identifiable natural person". Short and precise. If the information relates to a person that can be identified, it's personal information: for instance name, phone number, e-mail, IP address, and location.
After this step you might conclude that you process only a very limited amount of personal information. The typical passion project might process the name and e-mail of its users, but rarely large amounts of personal information.
The next thing you should ask yourself is:
- Do I need all this information?
- What do I use this information for?
By answering these questions, we are getting close to acting on what the GDPR describes as "data minimisation" and "basis for processing". Information that you don't need should obviously not be collected. If you thought it was a good idea to have the postal address of your users "just in case", just stop that right away. Not collecting more than you need to deliver the service you provide is the core of data minimisation.
An overview of what you use your personal information for is important to understanding what basis for processing you have. Do you use the e-mail address to verify the user and allow them to log in? That is necessary to deliver your service. Do you also use the e-mail address to send a newsletter with updates about the newest functionality? That's not something you have to do, so for this, you would need the user's express consent first.
What do I have to think about when I make my service?
If you ask yourself WWDPAD – What Would the Data Protection Authority Do? – you'll be well on your way to fulfilling Article 25 of GDPR, which demands "Data protection by design and by default". In plain English, your system shall help your users make the best choices from a privacy standpoint. If you ask the user if they would like to join your newsletter when they register, the checkbox can't be pre-ticked. If performing a certain action in your system could trigger a transfer of personal information to a third party, that should be easy to understand. If a user deletes their account, your system should automatically delete information you no longer need to store.
Put simply, everything you create should attempt to make the most privacy-friendly choice the default, and your system should attempt to protect the privacy of the user every step of the way.
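As an added illustration (not code from the original article), here is a small in-memory user store that applies the points above: only fields with a written-down purpose are stored, newsletter consent is opt-in, and deleting an account also removes the newsletter subscription. The class, the field names and the `newsletter_opt_in` key are hypothetical, and the form is assumed to arrive as an already-parsed dict.

```python
"""Privacy-by-default user store (illustrative; all names are hypothetical)."""

# Every stored field is listed with the purpose it serves. Anything not
# listed here is never stored (data minimisation).
FIELD_PURPOSES = {
    "email": "verify the user and let them log in",
    "name": "address the user inside the service",
}


class UserStore:
    def __init__(self):
        self.users = {}          # email -> stored profile
        self.newsletter = set()  # emails with express consent only

    def register(self, form):
        missing = [f for f in FIELD_PURPOSES if not form.get(f)]
        if missing:
            raise ValueError(f"missing required fields: {missing}")
        # Drop everything without a documented purpose, e.g. a postal
        # address submitted "just in case".
        profile = {f: form[f] for f in FIELD_PURPOSES}
        self.users[profile["email"]] = profile
        # Consent is opt-in: only an explicit True counts. A missing key,
        # None or any other value leaves the user unsubscribed.
        if form.get("newsletter_opt_in") is True:
            self.newsletter.add(profile["email"])
        return profile

    def delete_account(self, email):
        # Deleting the account also removes data held for other purposes.
        removed = self.users.pop(email, None) is not None
        self.newsletter.discard(email)
        return removed

    def newsletter_recipients(self):
        return sorted(self.newsletter)


if __name__ == "__main__":
    store = UserStore()
    # Constructed sample input.
    store.register({"email": "a@example.org", "name": "Ada",
                    "postal_address": "1 Main St"})
    store.register({"email": "b@example.org", "name": "Bo",
                    "newsletter_opt_in": True})
    print(store.users["a@example.org"])
    print(store.newsletter_recipients())
    store.delete_account("b@example.org")
    print(store.newsletter_recipients())
```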
What about requests for information, privacy notices and other difficult stuff?
This is luckily not as difficult as it sounds. It's not very likely that you will get too many requests for information (just make sure I don't start using your service), so answering them manually will be doable. It will probably also be quite easy for you to delete a user, if someone requests it.
A privacy notice is mandatory, but as you most likely process very few pieces of personal information for very limited purposes, this will be quick to write. There are no formal requirements for the design of the privacy notice, other than that it shall be written in "a concise, transparent, intelligible and easily accessible form, using clear and plain language". In other words, it's a good thing you are not a lawyer! Just write down what you do and why, and you'll probably have done your job.
So it wasn't as scary as you thought?
GDPR has gotten an undeserved reputation as being difficult to understand and demanding to implement. It's my opinion that just some thinking, and maybe an hour or two of coding, can ensure your project is so privacy-friendly that the data protection authority would approve. By thinking like the data protection authority (WWDPAD), not collecting more than you need, and considering one extra time why you need the personal information you collect, you can go back to your backlog and start on the next task!