Unless you’ve been on a trip to Mars, it can’t have escaped your attention that the European Union General Data Protection Regulation (GDPR) came into force on 25 May 2018.
A family tree is an unlikely place for GDPR issues to surface, since it’s mostly about dead people to whom GDPR doesn’t apply. But every tree has some live ones and family historians who host their own genealogy websites need to think about the implications of GDPR and “what lies beneath.” There are aspects of GDPR that go beyond cookie consent and privacy statements.
The Genealogist’s GDPR Dilemma
In the past few months we have all seen a flood of requests to consent to cookies and accept site privacy policies. Wherever you go the now-familiar prompts pop up, and we may have become blasé about accepting them.
Each of these is asking us to approve the information that is associated with our online account on that site. And so it should. But if we’re running a family history site, we have information that goes deeper than that, because every living individual also has an entry on the family tree. My tree has hundreds of them and 99% do not have an account on the server because their details were entered by the family historians. The amount of information varies, but it usually includes at minimum the full name, date of birth and the names and dates of birth of the parents – just the kind of information that could be used in identity theft, for example.
Doesn’t GDPR only apply to companies?
It’s true that GDPR was conceived primarily to control the corporate excess we have seen lately, with massive breaches leading to the leaking of millions of records. Because corporations were the main target, most of the available literature focuses on them too. This creates the false impression that we are exempt. The regulation is quite clear – there is only one exemption for personal use, and it is strictly limited:
2. This Regulation does not apply to the processing of personal data: ... (c) by a natural person in the course of a purely personal or household activity
That means you can collect information about yourself or members of your household – effectively so you can run your day-to-day life. That doesn’t include collecting information on your extended family.
This is why genealogy is a GDPR edge case. The drafters did not have family trees in mind as a typical use case. They were driven by the excesses of corporations who abuse our data but, as so often happens, the law of unintended consequences led to us being caught in the net.