What GDPR and OSS Licenses have in common
If you’re like a lot of software engineers, you probably love open-source software (OSS) but hate the GDPR.
That’s a shame!
There’s a lot to love in the GDPR, and I’d like to highlight a lesser-known “feature” that it shares with OSS: they both are designed to multiply their impact by leveraging the power of communities.
One of the lesser known features of the GDPR is the requirement for data processing agreements (DPAs). Two companies must enter into a DPA before they are allowed to transfer personal data between each other.
For example, when one company (data controller) wants to use another company (data processor) to process personal data on its behalf, the controller *must* enter into a DPA with the processor to be compliant. Additionally, the processor needs to enter into DPAs with all the other companies they use.
And so on…
The end result is that privacy protections spread from one company to another organically and multiply each time. This gradually increases the scope and impact of the GDPR until user data is protected end-to-end.
Similarly, the writers of open-source software projects allow other users to copy and reuse their source code, as long as they agree to the terms of their OSS license. Examples of these licenses include GPL, MIT, and Apache. All of them typically require that the original license text is preserved and maintained in all copies of the source code This allows the code to be reused while protecting the interests of the code’s original authors.
It’s not unusual for a single open-source project to include licenses from hundreds of other projects. This web of interconnected licenses forms strong protections for the OSS community overall.
So, what’s my point? In general, most of the focus on the GDPR is the big, visible news like multi-million dollar fines and huge compliance costs. However, when I think about the overall impact of privacy regulations, I think about the millions of DPAs that exist, and the power of all those bonds to build a stronger fabric of trust on the Internet.