To Sign or Not to Sign, that is the question?
For readers of this site who live in Europe, particularly the UK, the non-catchy acronym that is causing a stir is the ‘GDPR’.
What is GDPR?
GDPR stands for General Data Protection Regulations. So will this affect the Organization’s activities in the USA, Canada, Australia and around the world? Yes, it will. To explain why, consider an example: certain US tax laws affect companies around the world even if they have no US employees or offices. If they happen to have US citizens as investors or American assets as investments, then the non-US company has to comply with US tax law if it wants to keep either those US investors or investments. GDPR is an EU regulation that applies to all EU countries, whereby any organization that wishes to carry on business and process personal data of residents of an EU country has to comply under the threat of heavy fines (up to 10% of revenue or 10 million euros). The legislation comes into force on May 25, 2018. Therefore the Organization needs to comply.
There is much information available including: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
What are the main requirements?
In plain English, the GDPR wants every request for data to be clear in:
- What data is requested?
- Why the data is needed?
- How the data will be used?
- Clear reasoning as to why the business wants to use the data for the reasons they’ve indicated.
- Parental consent for children’s data (under the age of 16) will be required.
- Consumers must have the ability to change their minds and request their data be deleted.
- A real choice as to whether the consumer wants to hand over their data or not.
- A simple but clear way for the consumer to actively and freely consent to their data being used.
In order to comply with the new rules around consent, there are a number of things required from the data holder [the organization]. They include:
- Ensuring all of your marketing materials, consumer contact forms, emails, online forms, and requests for data give your customers and potential customers the option to share their data with you.
- You’ll also need to have reasons as to why you might use and store that data.
- Another requirement will be proving the benefits of sharing that data – but clearly giving the consumers the ability to actively consent to you doing so or not, perhaps with a tick box or following a link.
- Communications will also need to include details on how to request that your information be deleted from your and your partner’s records in their databases.
What has been the response of the organization?
The organization has created a form that they want every baptized witness to sign by the 18th May 2018. It has the designation s-290-E 3/18, where E refers to English and 3/18 to the March 2018 version. (There is also a letter to the Elders giving instructions on how to handle those who show reluctance to sign. See below for an extract. The full letter can be seen on www.faithleaks.org as of 13 April 2018.)
How does the “Notice and Consent for use of Personal Data” form and the Online policy documents on JW.Org match up to the requirements of the GDPR legislation?
What data is requested?
- No data is requested on the form; it is purely for consent. We are pointed to an online document “Use of Personal Data” on JW.org under Privacy Policy. Under “United Kingdom” it mentions the following:
- “Publishers willingly provide personal data to their congregation as outlined in the book ‘Organized to do Jehovah’s will’ so that they may participate in religious activities in connection with their worship and so that they may receive spiritual support.”
- A quick scan of the ‘Organized’ book only reveals Publisher record Cards and Territory Assignment Records that obviously would have data implications. A search for ‘data’ found nothing and ‘records’ only found the Publisher and Territory Records.
- “Publishers may provide additional personal data … as they engage in other religious activities. Personal data may include name, date of birth, gender, date of baptism, contact information or other information related to spiritual well-being, field ministry activity, or any roles held among Jehovah’s Witnesses.”
- “publishers consent to the use of their personal data by Jehovah’s Witnesses for religious purposes including the following:”
- “participating in any meeting of a local congregation of Jehovah’s Witnesses and in any volunteer activity or project;”. Why would our personal data other than our name be required for participating in a meeting in a local congregation? A volunteer activity or project is understandable, but does this include study group hall cleaning, does it include preaching?
- “choosing to participate in a meeting, an assembly or a convention that is recorded and broadcast …” If you publicly speak then it could be argued you give implied consent.
- “attending to any assignments or fulfilling any other role in a congregation which includes the publisher’s name and the assignment being posted on the information board at a Kingdom Hall …” So what assignments are included? Undoubtedly the Life and Ministry Meeting assignments, Public Talks, Watchtower Study Conductor, and Watchtower or Book Study paragraph reading. Presumably, it also extends to attendant’s duties, microphones, sound, literature, accounts, territory servant. However it is not spelled out, and there is no reason why it is not.
- “maintaining the Congregations Publisher Record Card;” If you refuse to sign the consent form, does this mean you are no longer considered a publisher? Or will they still continue to keep at least this data regardless?
- “shepherding and care by elders of Jehovah’s Witnesses;” So would this stop (if you have ever received any!) if you withheld consent?
- “recording emergency contact information to be used in the event of an emergency.” Presumably this is for natural and man-made disasters but would presumably also include access to your medical records in cases of emergency hospital treatment, without the specific consent given on the current edition of the ‘Medical alert’ card.
- “Personal data will be kept for an unspecified period of time for as long as the purposes stated above or other legitimate purposes apply.”
- The impression from their online policy documents is that some data will always be kept once they have your data as a publisher. Even if you leave quietly, as opposed to being disassociated or disfellowshipped, they will keep a record of this status.
To Sign or Not to Sign, that is the question?
That is a personal decision, but here are some additional points to bear in mind that might help you.
Consequences of not signing:
The organization “may not be able to evaluate the publisher’s suitability to fulfil certain roles within the congregation or to participate in certain religious activities.” This statement blatantly breaks the GDPR rules as it is not specific as to what the publisher may no longer be able to participate in. There is also an implied threat that if you do not sign the GDPR consent form you will not be able to continue to receive privileges. Therefore, giving or withholding consent is not possible on an informed basis. This statement should at the very least state all the roles and activities it would affect, along with a proviso that perhaps states ‘and such roles and activities that this list may be updated to include in the future.’ Because of the implied threat, you should be aware that any existing roles might be removed because of non-compliance.
“The secretary will inform the body of elders.”
From the letter to elders named ‘Instructions for use of Personal Data S-291-E’ of March 2018
Consequences of signing:
“Personal data may be sent, when necessary and appropriate, to any cooperating organization of Jehovah’s Witnesses.” These “may be located in countries whose laws provided different levels of data protection, which are not always equivalent to the level of data protection in the country from which they are sent.” where the data will be used “only in accordance with the Global Data Protection Policy of Jehovah’s Witnesses.” What this statement does not make clear is that when moving the data between countries the stricter requirements of data protection will always take precedence, which is a requirement of GDPR. For example, under GDPR data could not be transferred to a country with weaker data protection policies and then be used according to the weaker data protection policies as this would be attempting to circumvent the requirement of GDPR.
“the religious organization has an interest in permanently maintaining data regarding an individual’s status as one of Jehovah’s Witnesses” This means current as well as future status, and it also covers ‘active’, ‘weak’, ‘inactive’, ‘disassociated’ and ‘disfellowshipped’.
“Upon becoming a publisher, a person acknowledges that the worldwide religious organization of Jehovah’s witnesses … lawfully uses personal data in accordance with its legitimate religious interests.” What the organization may view as “legitimate religious interests” may be quite different to your view.
Once you sign consent there is no simple online form to remove consent. You would have to do it in writing via the local body of elders, with all the repercussions that could bring.
Other issues:
- Consent is not as easy to withdraw as to give.
- Requirement: “A data subject’s [your] consent to processing of their [your] personal data must be as easy to withdraw as to give consent. Consent must be “explicit” for sensitive data. The data controller [the organization] is required to be able to demonstrate that consent was given.”
- Covert pressure to give consent is being applied. (‘If you don’t sign you are not obeying Caesar’s law,’ and ‘not complying with God’s organization’ are phrases mentioned after reading the official letter about the consent form to the congregation.)
- Requirement: “that consent is not freely given if the data subject had no genuine and free choice or is unable to withdraw or refuse consent without detriment.”
Quotes from “Use of Personal Data – United Kingdom”, “Global Policy on Use of Personal Data”, “Global Data Protection Policy of Jehovah’s Witnesses”, and “Instructions for use of Personal Data S-291-E” are correct as of the time of writing (13 April 2018) and used under the fair use policy. The full versions of all except the Instructions are available on JW.org under Privacy Policy. The Instructions are available in full on www.faithleaks.org (as of 13/4/2018)