The Court of Justice of the EU just ruled that Jehovah’s Witnesses must obtain consent from people before they take down their personal details during door-to-door preaching in order to comply with EU data privacy rules. See here the Reuters press note and here the more detailed European Court’s press release. It will obviously also apply to Mormon missionaries. The implementation as such seems simple: whenever missionaries make a promising contact, and want to record name, address and other data, they should ask permission. But how to record that permission since proof may be needed at a later date? On a written form with proper ID and signature? To what extent would this complication affect Mormon missionary work, since it may be assumed that the Church will obey the law, but also that many people would not want their name and address to be recorded in the data of a “sect”? The latter is precisely what triggered the lawsuit and the European Court’s decision. As a missionary, what were your experiences in tracting practices to keep track of (potential) investigators? How were such data kept and passed on to new missionaries? Would it still work under the new regulations?
The new European privacy laws no doubt raise other issues with Church membership records.Under what form should they be kept? What about access and availability of all information to each person concerned? What about records of members who don’t consider themselves members anymore and the obligation to inform them? What about the (electronic) ease with which people should now be allowed to request their data to be deleted? What about the restrictions to make personal data available outside the EU, since Church HQ in Salt Lake presumably has access to these data? GDPR seems to affect us in many ways. I am not an expert in these matters, but wonder to what extent the Church is working to comply with the law. Local leaders will probably be confronted with issues.
(This post was slightly expanded since the first version)
As you know, Wilfried, we didn’t get in much in Belgie and Nederland (70-72). So, in order to avoid multiple visits, we marked the address (street and house number) in our little pocket tracking book as visited, indicating no answer, reject, and if asked to come back, the name and number of potential investigators ( as I recall). Not very sophisticated system.
I didn’t even think how the GDPR would affect LDS missionaries, or the LDS church at large in Europe.
Privacy has taken on new meanings and expectarions in the informartion age, but personally I’m not convinced past and current legislation dealing with privacy in developed nations is much more thought-out than knee-jerk, not yet anyway.
Most hmans in these developed countries still remain largely ignorant, or inconsistent, on what privacy should involve from personal contexts to social xontexts to beyond.
In Finland twenty years ago, missionaries did various things–the simplest was to tick off squares in a cross-ruled notebook representing each flat in an apartment block. Real contacts received pages in the Area Book, which ensured they would be bothered for years to come no matter how many times they turned the missionaries away. Finns absolutely hated and presumably still do hate the idea of anyone keeping any records about them without their knowledge, and we missionaries had some vague notion we were probably already breaking a law by keeping the records we did.
I for one like changes like this ruling, since they force us to treat the relationships we form with other people in a religious context the same way we would any other adult relationship and to respect their wishes. I sometimes wonder what would have happened if when as a missionary someone “stood us up” for an appointment we had made, we reacted in the same way I would now if a business associate blew off a meeting (i.e. impress upon them that my time is valuable too). And on the flip side, how things would have gone if we had listened to folks with a genuine desire to know and understand them rather than just to correct them.
Are the new privacy rules violated when a missionary shares (via email or blog) details with loved ones about investigators (or friends of the Church, as we said in SW France)?
Thanks, Mark, for writing down your Dutch mission experience. I remember that simple system as I used to work with the missionaries back then.
Anonymous, I can agree that the current legislation will need improvement, but at least it is a needed step in the right direction, taking into account the commercial and political abuses of lack of privacy protection.
Just a Guy, I appreciate your detailed comment on the situation in Finland. Indeed, the new regulations remind us about the ways we need to treat other people in proper and respectful ways. It opens up another problematic area: the way missionaries and local members talk about investigators and take notes about them in their council meetings. Also here privacy issues are at stake.
Chet, also an interesting point you bring up. I have seen missionary blogs or Facebook pages, in public or semi-public view, where the missionary talks about the progress of his/her investigators, with their names and other personal details, like their challenges to overcome. That would certainly constitute a breach of privacy. Anonymization would certainly be warranted in such cases.
I think missionaries now keep a kind of digital area book, so there is some sort of electronic record now of investigators wherever the missionaries are at. I would assume at some point phones could be used to gather a signature from the investigator to give info. Otherwise a record without info would need to be created. Like a pin on a map? I wonder if there is a workaround that complies with laws for less serious investigators.
Fascinating and will be interesting to see how the missionaries here in the EU comply with the law. I was talking with the missionaries and they said in Germany investigators are few and far between, so they need any lead they can get for someone that will talk with them.
Marking street maps, writing down contact info on your planner (or in a personal notebook, as I did) and the areabook are the three most used recording methods used by Mormon missionaries I guess. The solution regarding the GDPR may be fairly simple: do not record any personal data until someone has shown interest and agreed to a second contact. At that moment permission should be asked for recording personal contact information. That could be done on a standardized contact-form (maybe in block-note format) that has on it a pre-printed notice that the person agreed to share this information, with a date to fill out. The question will be if an autograph is needed or not, because that would be a bit awkward in the informal setting that conversations between missionaries and persons that show interest normally take place. Missionaries could ask oral permission in words as: “In order to contact you for our next visit, may we write down your address/phone nr./e-mail?” The other way around, when someone loses interest and want to sever the contact, missionaries could ask: “May we keep your contact information for the coming year, so that later on missionaries could follow up to see if that might be a better moment in your life to investigate our faith further?” When the answer is no, contact information should not be kept in the areabook or anywhere else. If yes, the date on the contact form indicates the one year time frame for the follow up. When those interested continue to thoroughly investigate the church, that might be a moment to record more information (household members, ages etc.) and then ask for an autographed permission on eg. a progress sheet. In council meetings the information shared could be limited to using first names of family names at first. Then, when written consent is given by investigators, more information could be shared. Once someone is baptized and becomes a formal member, again written consent is needed to share this personal information with (other) ecclesiastic leaders, for online / e-mail notices, for financial recording etc. I’m curious when official church guidelines concerning the GDPR will be communicated to European members. And if there will be separate guidlines for ‘the mission’ and the stake and ward-organisations.
In Argentina 2007-2009, we would write down promising contacts as “Potential Investigators” — first in our planners, and then in forms that went into a paper form in the Area Book. Due to turnover and poor record-keeping practices, I rarely saw such a form used (much less used well) and those I did see were rarely over a year old. Digital records would make a huge difference in durability and privacy. Only missionaries had access to paper Area Books; I suppose the Church itself would have access to digital ones!
RL, you are right, digital recording of the agreement to keep personal data, would indeed be the easiest way to proceed. I think that in practice, however, many people will be unwilling to do so. Certainly in Europe, there are already various obstacles to overcome before people are willing to listen to missionaries, let alone allow their identity to be recorded without clearly knowing what will happen with those data and moreover related to a kind of “suspicious” religious movement. So basically GDPR seems a major hurdle. It made me also wonder how the “online missionaries” will function within that system.
Richard, thank you very much for your detailed suggestions. Yes, you are right: it will have to be done in various steps, the first ones without personal data, and then moving to next levels of detail, each with proper justification for the need and proper agreement. Like you, I wonder when and how church guidelines concerning the GDPR will be communicated to church units in Europe. As of now, I haven’t heard a thing and we are lagging behind.
MH, I appreciate the input from Argentian experience. I do remember the same poor record keeping practices in Belgium and also the challenges next missionaries had to decipher some of the codes used for “friendly”, “unfriendly”, “suspicious”, “with small children”, “husband not home”, and so on. Digital record keeping could improve it, but I think the GDPR rules would be easily broken by missionaries not aware of restrictions.
Interesting. In my long-ago European mission we had too many missionaries with nothing to do but knock on doors in case someone would actually talk to them. In one small city the missionaries kept track at least of which doors they knocked on. The report I received was that every residential door in the city had been knocked on 19 different times in a 24 month period. This was a good way to get accused of harassment — even without recording personal details of the occupants.
I have been wondering how, without record keeping in possible violation of the GDPR, one could even try to honor requests not to come back to a particular residence. But then, such requests were rarely made — we were mostly ignored at doors that were not answered or that were shut in our faces without a word. (I was glad for some very welcome exceptions to that common behavior.)
Already for some time, the missionaries in Finland have shown the teaching record sheet from the area book and explained to the prospective investigator that this is the kind of information they will gather. I have been to teaches and seen that process. During the last few years, there have been some news stories about JW’s and their sometimes questionable record keeping practices. When LDS missionaries are forthright and explain what they record and why, the reaction has been mostly positive.
Indeed a painful reality in many West-European countries, JR. During the two pro-US decades after World War II door-to-door tracting worked quite well. By the 1970s willingness to respond to this kind of tracting started to wane. Statistics wuold probably show how it continued to decline. That’s why traditional door-to-door tracting has been drastically reduced, as far as I know. Instead: more pressure on members to provide contacts, but they also should realize that giving personal data of third parties to missionaries, who record them in their system, could be interpreted as a violation of GDPR, unless these contacts have been informed ahead. It just requires clarity in the procedures.
Niklas, interesting comment. Straightforward explanation by the missionaries in a friendly atmosphere, with the record visible to the prospects, and the assurance that they can request deletion at any time, is no doubt a way to go. Proper instructions to the missionaries then become paramount.
Not exactly expecting a full legal response here, but how would GDPR address for example someone handing someone else a business card? Does the recipient have to get the giver to sign a privacy release form in order to prove that the giver willingly gave them the information? Or are business cards no longer a thing in Europe? What about phone books? Are those essentially outlawed by GDPR? I mean I had heard of GDPR with all of the privacy policy updates, but I figured it was concerned largely with website record keeping. If it extends to a missionary talking to someone on the street, how are up to this point normal daily interactions affected. If I’m a business person at a convention and doing run of the mill networking do I now have to record when someone gave me their contact info and record their affirmative consent? Do I have to give them yearly opt outs? That seems a rather onerous intrusion into daily life.
No, Jared, of course GDPR does not pertain to passing out business cards or to talking to people on the street. It pertains to the systematic recording and processing of personally identifiable information of individuals for certain purposes, like names and addresses for commercial mailings, medical data, consumer preferences, political affiliation, etc. You mention phone books: principle applies there too: when getting a phone number, people can indicate if they want their info to be publicly available or not and they can change that choice at any time. People also have the right to know what is being kept about them.
To quote from the GDPR: “keeping personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymization or full anonymization, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately.”
There are countries in the world where church members, for their safety, would not want the church to keep records on them. Same for investigators.
While they should, judging by past experience, I doubt the church will do anything. Throughout April and May I, like most folk, was bombarded by emails from organisations informing me of coming changes to the law, of how they would store and use my data, and requests to continue to do so. A number of these were from organisations outside the EU who operated within it. I’m still waiting to receive one from the church.
Wilfried, I always appreciate the fact that when you write a post at T&S you remain politely engaged with the comments that follow. That’s why I’m disappointed with your condescending “of course” at the beginning of your reply to Jared, as if he is stupid or simply clueless.
If the GDPR “does not pertain to passing out business cards or to talking to people on the street” then why should it pertain to missionaries talking to people in their homes? What is the difference between those three kinds of social interactions? They seem more alike than different to me. None of them is for “commercial mailings, medical data, consumer preferences, political affiliation, etc.” So why would the missionaries be singled out for concern? I’m not saying that missionary reactions don’t fall under the GDPR, I’m saying that the your examples don’t seem to clearly illustrate the differences. Is it really as simple and straightforward as your dismissive “of course” makes it seem to be? My personal experience with seemingly simple government regulations makes me think that it’s not.
KLC, my interpretation of Wilfried’s response was that a private individual is not liable under GDPR, but an individual who is representing an organization is. The question then becomes when is an individual representing an organization and when are they representing only themselves. For example, if a member is given contact information by someone through a normal everyday interaction, but then after a while that person then becomes interested in the Church and asks their friend about it, is the member then liable to document that friend’s opt in before inviting them to meet with the missionaries? Members technically represent the Church as well.
When are we legally representing the Church and when are we not?
Another example, not church related: someone joins a multi level marketing organization like Mary Kay. Since that person now represents Mary Kay in some capacity, does that person now have to contact every person that they have contact information for and gain their consent to retain that information in order to be compliant with GDPR, or only if they send that information to Mary Kay? Does GDPR only apply if the information is centrally controlled?
I’m not arguing against privacy here or against GDPR in general. I just didn’t know that GDPR was as wide in scope as it apparently is. Seems like it would potentially be complicated to be a small business owner or independent sales representative under it.
Benk, indeed, as far as we have seen, no word yet from the Church on GDPR specifically. On the other hand, in the past, the Church has repeatedly stressed that membership lists should be treated confidentially and cannot be used for any other purpose than Church-related. There is concern for privacy, but obviously GDPR requires more.
KLC, thank you for rebuking me. I did not realize that my “of course” could be interpreted as condescending. I deeply apologize if it gave that impression. That was not my intent. I’ll do my best to avoid such carelessness in the future. As to your remark, the matter pertains to missionaries systematically recording data in written or electronic form about people they met, in behalf of the missionary purposes of the organization. There is a breach of privacy rules as the Jehovah’s witnesses found out.
Jared, yes, you confirm what I just wrote in reponse to KLC. As to giving contact information, it would only become a problem, it seems, if it becomes part of a data system. When local church leaders would, for example, request members to provide names, adresses and family information about people who could be interested, and collect those in a list, one starts to systematize with personal data.
The purpose of my post was not to argue about the correctness of relevance of GDPR, but only to probe to what extent the Church is already involved in compliance and what it would mean for missionaries and members.
GDPR should not apply to a missionary making a record of a contact in their notebook or iPad.
GDPR would apply if the church currated that information.
However, anyone paying attention to how governments work, understands that the law is only half the story. The interpretation of the law by judges and it’s implementation by administrations and regulators is where the rubber meets the road.
And the EU had this to say:
“The Court concludes that EU law on the protection of personal data supports a finding that a
religious community is a controller, jointly with its members who engage in preaching, of
the processing of personal data carried out by the latter in the context of door-to-door
preaching organised, coordinated and encouraged by that community, without it being necessary
that the community has access to those data, or to establish that that community has given its
members written guidelines or instructions in relation to the data processing”.
Just so that’s clear, if you as a member make a note in your diary for future reference it just to receive your observations, you are in violation and should get a permission form.
Certainly, if someone hands you a business card, or if your have a discussion with someone about their business, an then make notes on it, you are also in violation.
Gdpr is more of a boondoggle than Obamacare, regardless of your thoughts on privacy or healthcare.
It’s pretty clear to anyone paying attention the ultimate purpose of GDPR is to assure any firm ia guilty and then gain power over it by mere threat of action.