GDPR and SaaS: Data processing agreements only in business products? [updated with GitHub statement]
While doing my data stocktaking and writing my record of data processing activities I had in mind that I use GitHub for the storage of my Git repositories which, possibly and most likely, could include personal data of my customers (remember: even a name or e-mail address counts as personal data under GDPR).
In my definition GitHub is a processor in the sense of GDPR, like for example a cloud storage provider like Dropbox, Spideroak, AWS, Tresorit or a web hoster. So it's reasonable to sign a DPA (data processing agreement) like I did serveral times in the past and sometimes this is even a smooth process. Regarding DPAs, Joshi Kuphal, Sebastian Greger and Baltasar Cevc assembled a list of what services "already" have a mention of GDPR or supply a dedicated contract to download, sign and send.
In this list there is also a GitHub entry, linking to a blog post in the official GH forums: "English forum entry" and there is a quote from the official GitHub blog post:
If you are a Corporate Terms of Service customer and you need a Data Protection Agreement with us, please contact support. We will be happy to provide one. Please understand that with the GDPR compliance deadline coming up, our volume of requests is high, but we will respond to you as promptly as possible
So I did contact them and they answered very quickly in light of the buzz around General Data Protection Regulation everywhere:
However, we are only able to sign those agreements with companies on our Corporate Terms of Service and all of your organizations look to be on our Standard Terms of Service.
Disclosure: I am using a Developer account on GitHub - the product description on their marketing page has no indication that you can't use this account commercially - as I'm doing.
After I explained to the support employee that I was referring to my account marcus-herrmann and not any organization of mine, GitHub replied in the next mail:
For personal user accounts our Privacy Statement is a sufficient processing agreement. In the case of corporate organisations who are controllers for other data subjects' personal data, an additional data protection agreement may be required, but for individual users on our standard terms, our Privacy Statement provides the necessary protection.
The thing is: I am a freelancer, therefore a data processor for my customers and using my Developer yearly account for my solo-business.
Until now, that seemed to be the perfect product for me, because:
- I did not see a mention in their Standard Terms Of Service or in the product description that commercial use is prohibited (and I reckon I'm not the only one understanding it like that)
- The next smallest business plan would cost at least three times the amount I'm paying right now and would include many features I don't need including an organisation for my business as a solo-freelancer.
I always thought that GitHub is aiming at teams/agencies and the like with their business tiers. But the gist of the mails we sent back and forth regarding DPA suggests that GitHub and I only can sign a Data Processing Agreement once I choose a product that is far too big for my needs. Or is this a grave misunderstanding?
Being not a lawyer (still) but been working on GDPR a lot lately (as we all did, right?), I wrote on Twitter about my frustration and bewilderedness. Baltsar Cevc, a lawyer who specialises in IT, and one of the guys maintaining the DPA list, seems to agree. Also fellow twitter user and person-aiming-for-compliance-with-GDPR Jonathan Gall joined the twitter conversation - and reports that obviously Dropbox does the same thing. You can only sign a DPA (therefore comply with GPDR) when you change to business products, regardless if you need all the services and features you get.
If this situation is not resolved, this is one more thing very hostile to freelancers caused by the GPDR.
Update 2018-05-18 with statement from GitHub:
It seems that GitHub understands our concerns. Their support just wrote:
I've spoken with our legal team about your situation. We agree that you should not be forced to upgrade to receive the level of data protection you require. [...] Our legal team will give another look to our Privacy Statement with a specific eye to ensuring that it meets the needs of small businesses on our Standard Terms of Service.