c2L07 - Data Protection Basics for Families
Last modified by Daniel Nübling on 2022/08/03 08:12
Data protection is not really fun, but in an increasingly digital world it is an absolutely necessary right that secures citizens' freedom. To exercise their rights, citizens in the EU need to know about these rights. This lesson provides a basic overview of the relevant elements of data protection.
Method / Process description
- Exercise: To prepare participants for this lesson, begin with an exercise that challenges a sense of privacy. Explain to participants that the lesson will begin with a security check of their smartphone apps. Ask them to pick up their smartphones and unlock them. To make the check objective, participants should swap the unlocked smartphones with their neighbors so they can do the check for them. Observe how the group behaves: Do people get nervous? Does anyone dare refuse to hand over their phone? Have everyone return their phones and explain why you did this first exercise:
- To demonstrate that everybody has data he or she wants to protect.
- That you should carefully check when anybody wants access to your data.
- That you have the right to object to giving somebody else your data (as long as the person has not proved a legal interest in your data).
- You can also do the exercise with participants' wallets if there are not enough smartphones in the group.
- Input: Introduce the basic idea of data protection (see Module 4 Security, Privacy and Safety > 3. My Data My Rights > 3.2 The European General Data Protection Regulation (GDPR)).
- Highlight that data protection does not primarily aim to protect data but to protect the freedom of individuals.
- Explain what the EU General Data Protection Regulation (GDPR) is.
- Explain what personal data is: https://gdpr.eu/eu-gdpr-personal-data/
- Explain the basic rights of the GDPR:
- Consent — Whoever processes your data has to ask for your consent before collecting, storing or distributing data.
- Documentation — Whoever holds your data must keep detailed documentation about what data is being stored, who has access, how it is stored and why they store the data.
- Access to Information — Everybody has the right to request information about what data is stored about him or her from whoever processes his or her data.
- Data Erasure — Everybody has the right to request that his or her personal data is removed (as long as no legal obligations are touched, e.g. storing invoices for taxation).
- Data Changes — Everybody has the right to request that inaccurate data is adjusted.
- Object - Everybody has the right to object to data processing (again, as long as no legal obligations are touched).
- Special Protection of Sensitive Data — Data about race, ethnicity, sexual orientation, gender, political views, religious beliefs and other types of profiling as well as children's data are under special protection.
- Give some examples that highlight why data protection is important:
- Nazi regime in World War II:
- In Amsterdam, officials had created detailed records about inhabitants, also indicating their religion. These lists were later abused by the Nazis to deport Jewish people to concentration camps (https://en.wikipedia.org/wiki/History_of_the_Jews_in_the_Netherlands#The_Holocaust).
- The police in Vienna had gathered lists of suspected homosexual people (the so-called "pink lists"). These lists were later abused by the Nazis to deport these people to concentration camps (http://theviennaproject.org/wp-content/uploads/2014/09/TVP-Article_Homosexual-Victims1.pdf).
- Illegal data requests by German police: Several hundred internal illegal data requests could be verified on German police computers (https://www.zeit.de/politik/deutschland/2020-07/nsu-2-0-polizei-datenabfrage-verfahren-rechtsextremismus-hessen). Although it has not been finally proved, there is sound speculation that some of the requests are related to the incidents of "NSU 2.0", where politicians and lawyers were anonymously threatened using their private contact information that was only known to the police (https://www.dw.com/en/germany-frankfurt-police-unit-to-be-disbanded-over-far-right-chats/a-57840014).
- Amazon employees listen to Alexa recordings: By default, the Amazon Alexa setting that lets employees listen to recordings for "service optimization" is activated. Most users were not aware of the function, although it interferes with the most private and protected space we have, our home: https://time.com/5568815/amazon-workers-listen-to-alexa/
- Exercise: Split the class into groups of 3-4 people. For 10 minutes, the groups discuss and collect where in everyday life the GDPR has an impact or is visible to participants. They also write down questions. In plenum, gather the group results on the board.
- There may be confusion about images and videos. Here it is important to understand that photos and videos are data and contain data, but beyond that there are additional laws that govern how images of people are processed. Often multiple laws apply to the use of imagery:
- Right of publicity (also personality rights): Gives individuals the right to control the use of one's identity, such as name, image, or other identifiers. https://en.wikipedia.org/wiki/Personality_rights
- GDPR: There is hardly any photo of a person that does not include any data. Digitally taken images include data in the image files about when and where a person was at a certain moment. Images are tagged with additional information, e.g. in image processing software or on social media. Even analog pictures that are stored in some form of register are subject to the GDPR.
- Copyright law: protects original works (like photos or videos) from being illegally distributed or published. https://en.wikipedia.org/wiki/Copyright_law_of_the_European_Union
- Input: Anybody who stores and processes data in the EU is responsible for the data. This can also affect private people, e.g. parents who are responsible for the address lists of a class, or people responsible for member administration in a sports club. Check whether there is a website in your country that explains the regulations (e.g. for Germany: https://deutsches-ehrenamt.de/datenschutz-verein/). Some basic measures to protect data are:
- Make a register of the data you store:
- Which data do you store?
- Why do you store it and is there a legitimate interest or legal obligation to store it?
- Where do you store the data?
- How long do you store the data?
- Which external parties get access to the data and do they comply with EU law (e.g. storing data in the cloud)?
- Control access to the data:
- Define who needs to access and use the data (e.g. billing data in your sports club is only relevant for your treasurer, coaches don't need to see it).
- Protect the data:
- Keep it safe from external access, e.g. by storing it in a locked room or in a safe.
- If you store data digitally, make sure that no one from outside has access (e.g. by encrypting data and devices, protecting devices with passwords or other access security, restricting access by other users).
- Back up the data.
- Exercise "Data Protection for Families": Split the class into groups of 2-3 people and hand each group the worksheet. Let the groups search for the answers on the Internet for 15 minutes, then get back together in plenum and exchange the results.
- Information about age and article: https://www.betterinternetforkids.eu/en-GB/practice/awareness/article?id=3017751
- Data protection authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- How to exercise your rights: https://noyb.eu/en/exercise-your-rights
- Reflection:
- At home, participants analyze a privacy statement and try to identify the principles that were addressed in the lesson.
- If anyone is interested further in the topic, there is a very good documentary: "Democracy - Im Rausch der Daten", which explains how the EU GDPR came about. It also shows a lot of the work behind the scenes of the EU institutions: https://www.bpb.de/gesellschaft/digitales/democracy/ (also available on YouTube, where you can set the language of the subtitles).
Download material
- Worksheet
References
- A Year in the Life of the GDPR: Must-Know Stats and Takeaways - https://www.varonis.com/blog/gdpr-effect-review/
- Exercise your Rights (NOYB): https://noyb.eu/en/exercise-your-rights
- Status quo regarding the child's article 8 GDPR age of consent for data processing across the EU: https://www.betterinternetforkids.eu/en-GB/practice/awareness/article?id=3017751
Short facts
Target group | Adult class |
---|---|
Setting | Plenum |
Time | 1-2 units à 45 min. |
Material | |