Open Source Privacy Standards
This repo stems from work in the WordPress GDPR compliance project, discussions held at FrontEnd United 2018 with members of the Drupal community, and preliminary conversations with members of the Joomla community. It has been set up ahead of a workshop I am leading at WordCamp Europe 2018 on developing for privacy and data protection.
Open source contributors bring a range of cultural as well as legal views of privacy to their work. To date, the legalistic approach to privacy has dominated open source development. This means that privacy has by and large been seen as a legal obligation, defined and constrained by requirements set forth in national and international regulations.
In practice, where privacy compliance has been integrated into open-source projects, project goals have been defined by a "tick box" approach to meeting legal requirements. This approach misses equally relevant areas of privacy which do not fall into those particular boxes. This approach is also, by nature, retrospective, applying fixes and changes to existing work.
What has been missing all along has been a common definition of what we mean when we are talking about "privacy" outside specific regulations and laws.
Defining privacy as a set of principles, and not as a legal obligation, will help open source projects to view it as a positive cultural value. This approach takes a more holistic view of user protection as a concept and a journey rather than a tick box and a destination. This approach is also, by nature, proactive, requiring best practice to be integrated into a project from the design phase.
This repo will host the first iteration of a best-practice approach to privacy in open source development as a cultural value, grounded in the universal concepts provided by a range of global non-regulatory frameworks.
These universal principles can be immediately adopted by a range of open source projects, ideally with each principle mapped to each project's internal development and coding standards.
In a world where privacy expectations are changing by the month, open source projects now face pressure from site administrators to provide a healthier standard of user privacy. Administrators also expect to be given the tools and resources they need to make the right choices.
For their part, open source projects now face pressure from governments and politicians keen to portray our work as being part of the problem or, worse, to accuse us of active complicity in illegal behavior. A privacy issue or data breach which takes place on a site or application can be seen as a reflection on the open source software project, and not always without reason.
By adopting a collaborative best-practice standard for privacy in open source development outwith specific regulations and laws, open source projects will be able to prove to governments and regulators that we are indeed able to self-regulate our work, staving off the threat of future punitive actions or hard regulation. Guidelines will also help projects to develop tools and resources which will assist end users with that self-regulatory compliance.
Privacy is already defined in multiple international (non-regulatory) conventions, international standards, and self-regulatory guidelines. These frameworks contain many commonalities. To arrive at the first iteration of these common standards, I have used the folllowing as our starting point:
- The OECD Privacy Principles (1980)
- The Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data (1980/revised May 2018)
- ISO/IEC 2001 International Standard on Information Technology / Security Techniques / Privacy Framework (2011)
- APEC Privacy Framework (2005)
- FTC Fair Information Practice Principles (2000)
I welcome the insight and differences of opinion which might be provided by further frameworks, conventions, and international standards.
The Privacy by Design framework merits special discussion.
This is a draft framework for open discussion. Please create an issue or a pull request to participate.