Significant privacy-related changes to WikiTree for GDPR [closed]

+106 votes

Hi WikiTreers,

I want to talk about some big privacy-related changes we may implement soon.

Some of you have heard of the European Union's "General Data Protection Regulation (GDPR)". It's a very far-reaching law with significant consequences for everyone on the Internet. It doesn't just affect Europeans because it's very hard for sites like WikiTree to precisely separate everyone who could be an EU or UK citizen, or just living in Europe. Moreover, genealogy sites are especially vulnerable to the GDPR because there are "special categories" of protection for anything having to do with genetic information, race, ethnicity, etc.

For more info on the GDPR, you may want to start with this blog post from Roberta Estes.

We may need to make two fairly radical changes in the next few weeks:

1.) Set all profiles of living people as Unlisted unless they are a member, at least temporarily.

You could still choose the privacy level for your own account profile, but not for anyone else.

Later we might be able to allow profiles of living non-members to have public information again if a member will certify that they have explicit permission from the person, or that the person is a celebrity and the profile is based on information they have made public, etc. We don't know yet and will have to proceed carefully.

2.) Delete all DNA test information on living non-members.

You will no longer be able to enter information about tests for other living people, e.g. when you manage the test kit for a family member who is not a genealogist.

We may also need to prohibit mentioning someone else's DNA test in a source citation.

I know that these changes will negatively impact our Notables Project, our DNA features, and many other things you and I care about.

I would like to say that we could debate the logic of these changes and come to conclusions in the open, collaborative, community-based way that we normally operate. We cannot, though I do want to hear your input and ideas, especially about the impact of these changes on aspects of WikiTree that we may not have considered. If you're a lawyer offering legal advice, please say so.

I would also like to say that these are all the GDPR-related changes we will be making, or that I could tell you what changes we will be making in the future. The fact is, we just don't know a lot of things about how the GDPR will be interpreted and enforced. Nobody does.

I can tell you that we will continue to communicate about it, and that my personal commitment to our shared mission to grow a free, collaborative worldwide family tree has not changed.



closed with the note: Changes have been made
in The Tree House by Chris Whitten G2G Astronaut (1.4m points)
closed by Eowyn Walker

Indeed Laura. It might be time to close this discussion because some do not look at all the previous comments and we all end up repeating ourselves, and that is not for me a perfect example of anything but only of how not to communicate. Many of us have been breathing deeply since the beginning of this thread, on all sides of optics and argument. I do resent though being labeled and calmly and respectfully ask that we close this discussion now.

Yes, beautifully stated, Laura.
Excellently put Laura.  We live in our own nations, but there are so very many interconnections between them in modern times that the laws and customs of one country do inevitably impact on others.  One way of looking at the EU privacy legislation is to perceive it as a law made by one group of nations impacting on another group.  Another way to look at it is that if North American groups exercise a custom of publishing information about private individuals, some of whom are in the EU, then that is a custom (and absence of law) of one group of nations impacting on another group.  People do find it difficult when the laws, or customs, of their nation are challenged by those of other nations, and especially when decisions have been made unilaterally by another group.  In an increasingly interconnected world, we need to find ways of negotiating that aren't just based on who has the most economic power or the most powerful weapons, but on true respect for each other's needs.
Respectfully signing off on this thread now.
Thanks everyone, I'm closing this thread now.
Actually, one last comment.  California and Canada recently passed similar laws so this really isn't about just the EU anymore.  We need to get past that.

And now this thread is closed. :)
@Isabelle If you are, like me, an EU citizen and an elector then you should know for a fact that the leadership of the EU is NOT elected to the positions they hold by the electorate and has an agenda of its own that is not always acceptable policy by the electorate. If you are not aware that the cabal at the top of the EU is not actually elected perhaps you should look more closely. That does not mean this particular piece of legislation is bad, but much is.
@Eowyn  Ooops.... sorry!

Ridiculous. There are no Russians over here pulling voting levers; people think for themselves and know fake news when they hear it. If you don't want your information shared, don't list it in public. Now you have the gov. deciding what to list, not the people who posted it say at

Thank You Chris.  I understand your choices and decisions you have had to make.  I support your decisions.

56 Answers

+29 votes
Chris - is there a way we can get a bot to go through and make the changes? I'm not even sure all the profiles that would be impacted by this, and I'm 100% sure that even if I did, it would take quite awhile to hunt them down and make the switch. I'm thinking if we want to be accurate (and stay out of hot water related to this law) we may need to get the bot to fix these.
by Scott Fulkerson G2G Astronaut (1.3m points)
It's my understanding that as individuals we wouldn't be held accountable for breaking any GDPR rules because we are using a registered site. An application would have to be run centrally to give privacy to living profiles.

A consideration for this application would be for sources added to profiles where the birth of a possible living relative therefore a now UNLISTED profile (less than 100 years old with no death date) is added in the PUBLIC profile of either parent.

I hope I've said that correctly? So hypothetically: Jane Doe is born in 1920 with no death date. Therefore her profile is now unlisted and her privacy protected. However, it is known her father died the same year she was born and her birth, with mother's maiden name, is listed as a source on his profile....  His profile is currently marked as open by the profile manager; I'm not sure how this could be tackled centrally?
Scott, we will try to do most of this automatically.
It sounds to me as though this regulation will basically END news reporting in the EU.

"We had another vicious bombing today in someplace. There was an undisclosed amount killed and an unknown number injured. Most were treated at some place. The police have identified the perpetrator as someone who lives at somewhere but have yet to find a motive behind their actions. Back to you Ted."
I hope in your automation of this process you've remembered to take into account the "before this date" and "after this date" buttons.  I've been editing some profiles where the creator used these a lot, and noticed I was getting some warnings about people being born too near their parent's birth date on saving which I wouldn't have expected.
ok despite me losing some people which is fine according to the new laws I am loving the way everything is automatic for example, I put a person in as living it changes after death is found

brilliant so much time saved
Let's be clear are we only talking about are we only concerned with living people, if so why can't just hidden name work, it is what they do at everything else may be public with the exception that some people want their parents private by choice and even then you may see it public at Ancestry, what is the big mystery if so
+32 votes
Bummer, but legally required.

What will this do to the Relationship Finder and Connectors functions?

Will the living people show up as "unlisted"? Or will the path die when it hits an "unlisted" profile?  What if the living (unlisted) person is my own parent, entered and managed by me? (my parents are both dead, so hypothetical in my case.)
by Janet Gunn G2G6 Pilot (128k points)
Thank you for replying, Guest.  It's my opinion that we do have a very reliable way to determine who the GDPR applies to, and that is whether a profile has a European place in either the birth or death location fields.  We who do genealogy, especially in the Americas, have a skewed idea of how many people ever migrate to a new continent, how many people are born in one continent and die in a different one.  Because many of us have immigrants in our ancestry and immigration in the news constantly, we tend to think it's much more common than it really is.  If you consider all of the 7 billion people now living, plus all of the people who have ever lived, and consider how many ever moved to a new continent, it's a really tiny number.  I'd love to hear researched numbers, but I'd venture to say it's one in a million, maybe less.  That makes the location information 99.999% accurate (as to continent), and that's pretty reliable to me!

Now of course we do have to handle the exceptions, some mentioned in this and similar threads (e.g. born outside Europe and now working in Europe, etc).  It's been awhile since I read the GDPR docs, and I'm not an expert anyway, but it does not sound like a "Gotcha! Pay up!" kind of deal.  If you make a best effort to have GDPR compliant policies and implement them, then you only need remedial mechanisms if and when you are notified of an exception.  I imagine Chris will appoint a GDPR Compliance Manager (the GCM, probably a leader or higher), plus a backup, and post their contact info publicly in the appropriate places.  Then anyone can notify the GCM and they can notify the relevant profile manager(s), give them 3 days to rectify the issue, then if not satisfactorily resolved, fix it themselves.

It's still hard for me to see how you can justify applying GDPR rules to non-EU subjects, especially if you set up an exception handling procedure.  I'll go along with whatever is done, but I feel that those of us from the DNA community, especially a part of the DNA Project, should be advocates for maintaining the maximum DNA feature support that is possible, even if we have to live with some GDPR compliancy limitations to *some* users.  Chris did present it for feedback, and obviously doesn't want to needlessly kill WikiTree features, especially those where WikiTree excels over other solutions.  I imagine he would welcome feedback that could help him limit the damage.

the usual incomprehensible governmental gobbledygook

It's quite readable compared to usual laws and regulations. See (the actual regulation text starts on page 32)

> It's my opinion that we do have a very reliable way to determine who the GDPR applies to, and that is whether a profile has a European place in either the birth or death location fields

It's not that simple:

GDPR applies even if born elsewhere and nationals of a non-EU country: "This Regulation applies to the processing of personal data of data subjects who are in the Union" (Article 3(2)).

On the other hand, while born in Germany, a friend of mine who emigrated to the US wouldn't be subject to GDPR regulations while dealing with a non-EU organization - except while visiting the EU.

Why wouldn't Her Majesty's right to personal protection of her data be just as valid as anyone else's data?
Because she's a public figure and her information being "out there" comes with the job.

No I'm sorry Ros Haywood, I don't agree. The intent of the EU law is to protect the personal data of all EU citizens. I'm going to be very interested to see if all the date of birth and names of partners and their children of 'people of importance' that qualify for a Wikipedia entry are drastically rewritten by either another contributor or 'forcibly' redrafted by Wikipedia management. If someone managed to find out your date of birth or other personal details then published them on their website, would you argue that because the information is now in the public domain it should stay? Why are the birthdates of all actors available on IMDB? Is that a condition of working in the industry? Publishing dates of birth of famous people has nothing to do with them being what they are (appearing on our TV screens or in films etc.)

Royals are not the same as other "famous people". How could the Queen be the Queen if the information that she is the eldest legitimate child of the previous King is not public? I'm with Ros - the data linking the Queen to her ancestors is public. Not that it will change a thing however. Her profile will go Unlisted like all the others, not to worry.
W Robertson, how/where do you "look at suggestions for people related to me."?
I go to a grandparent's profile. On the menu under their wikitree id, I select "suggestions". This gets me suggestions of people closely connected to them,  but not necessarily managed by me.  For example,

They just come up as Unlisted generic with no other  information or, you get something like this:


Sorry, Trump-66's family tree is not public and you are not on their Trusted List.


not that I want to be related to Trump-66 :)

I attempted to see if I could still see my relationship to him, a living person of prominence in another country. I could not. However, I was able to see my relationship to his father who is deceased.
+46 votes
Thanks very much for this post Chris.

The GDPR will impact all use of DNA Databases world-wide. It will also affect the sharing and collaboration with other living individuals who are working their own or others' Genealogy.

I am thankful that you are being proactive in protecting WikiTree from the possibility of legal actions which could affect the health and future of our great big ole shared tree.

This is just a change. A change we will need to learn to work with and adapt to as we continue our goals and in support of the WikiTree mission.

by Mags Gaulden G2G6 Pilot (592k points)
+32 votes
Although this may cause some frustrations I think it is positive that you are being proactive in protecting Wikitree from potential GDPR repercussions.
by Lynda Crackett G2G6 Pilot (635k points)
+30 votes
Thank you, Chris, for such a clear explanation.  Change is inevitable for all of us.  And, thank you Mags for weighing in on the DNA questions.
by Kathy Zipperer G2G6 Pilot (406k points)
+38 votes
Hi Chris

A difficult message to deliver to us and handled in the most eloquent way, thank you.

I'm in the UK and I've been preparing my team for GDPR for the past 8 weeks. It's being taken very seriously over here and businesses across the country are reviewing procedure and practices.

It is only right that our wikitree leaders do the same, to protect the tree; and hope in the next 12 months more clarity will come from the EU about what we can and can't see/do/say/write.

by Lizzie Griffiths G2G6 Pilot (120k points)
+39 votes
From the UK end, for the most part, what is and is not permissible under the new EU GDPR rules on the disclosure of information about living people is a carryforward of what has been the position under UK data protection legislation for quite a number of years, and I think the same is true for at least some other EU countries. One of the things that has changed is that the rules on what constitutes consent by the individual have tightened - it has to be active consent for which an evidence trail will be required. My own approach, as someone living in the UK, has always been to play safe, and not to put personal information about other living people on my Cayley family history website or on genealogical sites like Wikitree. If I think someone may still be alive, I do not create a Wikitree profile for them. Besides the legal position, this seems to me a matter of courtesy, and respect for the fact that some people prefer to minimise the internet tracks they have.

I regard basic public domain information about celebrities etc as another matter. To give an obvious example, I would not see any problems under GDPR with basic life event information and immediate family relationships for living members of the British Royal Family. It would be a pity if this sort of information disappeared because of GDPR worries. But drawing boundaries and ensuring they are observed is likely to be problematic. So, initially at least, it seems to me to make sense to have a universally-applied set of rules.

On DNA, I am conscious of some worries about the uses to which DNA information about living people on genealogical sites may be put: I would expect this to be an area of growing discussion in genealogical circles.
by Michael Cayley G2G6 Pilot (163k points)

Well said, Tamara. I am with you 150%. And has the Wikitree Honor Code been forgotten in some of the discussion on GDPR? “We respect privacy. We privacy-protect anything we think our family members might not want public. If that's not enough for someone, we delete their personal information.” That can be given effect only if non-members have a determining say in what, if any, information about them is put on Wikitree. And what goes for people in our families should surely, a fortiori, go for non-members outside our families. This is commonsense ethics.

Hi Michael,

I'm hearing you and upping my support of everything you write to 175%!  I would like WikiTree to consider a policy of membership-only living profile creation (or, if a family member consents, they can have family membership instead of full membership).  I think, in the joy of participating in our collective hobby, some might forget that these are real people we are messing with.  I think everyone posting information about living people online (on any platform) should 'stop, drop and roll' and consider the ethical implications of their actions.  Ethical considerations for Internet Genealogy would be a great course to take!

A lot of the material now found online was created before anyone could even conceive of this extraordinary thing called the internet.  Birth notices are a case in point.  You can find birth notices of people you would reasonably expect to still be alive on Trove.  Pre 1954 announcements aren't even copyright protected.  So, you can plaster the date and place of birth of a living person all over the internet if you feel so inclined.

Is this okay?  No, it is not.  A proud parent in 1953 would be acculturated to placing a birth notice (it's what you did) expecting this to be read briefly by anyone wishing to trawl the personals (who actually purchased the newspaper) and possibly placed in a scrapbook or two.  They would not expect for it to be viewed by a global audience 65 years later for free. 

If I locate information on individuals I assume to be living on Trove I file it away (privately) for later and this goes for BDM information released on living individuals.  I am also being very thoughtful about information obtained from (now deceased) family members I interviewed almost two decades ago when they could reasonably expect their candid recollections of family members would only be shared with the extended family.  Information obtained in the public arena (a cause of death on a death certificate) is very different from Aunt Bertha's stories of the dead person's predilections which caused their demise.  Let's be kind to the memory of Aunt Bertha who might be doing the whirling dervish in her grave at the thought of her indiscreet interview being viewed worldwide.  And, think of her living closely-related descendants and the harm that can be done.

Internet-based genealogy is a moral quagmire and I would like the historians of the future to think kindly of us.  I don't think there's anything wrong with leaving the research of our currently living tree members to future generations,


Hi Tamara, thanks for that!

For deceased people of the last 2 generations, I am also careful. As a straightforward example, if I discover that a deceased parent or grandparent of someone probably still living was not married when one of their children was born, or was apart from their spouse when a child was conceived, I would not want to make that apparent in a Wikitree profile unless the surviving members of the family had freely said (without any prompting by me) I could do so - and I would hope all Wikitree members would take the same approach. In addition to trying to be a decent and ethical human, I can easily conceive of circumstances where making this sort of information public could have legal implications for living people.

And there are tales I have been told, and things of which I have personal knowledge, about the last 2 generations of deceased close family members which I would never never put on Wikitree, or anywhere else on the internet, even where I was sure they were 100% accurate, because of the embarrassment they could cause living people.

To me, to be boring and repeat myself, this is all common sense. Irrespective of the law, our passion for genealogy should not override the values of decency and respect for living persons' privacy and feelings. Let us enjoy Wikitree - but responsibly. It is a wonderful resource which I really regret not having discovered until last year. And let us keep working to improve the accuracy of, and increase the amount of, historical genealogical information on Wikitree.
Hi Michael,

Your last paragraph is it, in a nutshell.  It is common sense.  But it is the loudest voices which are often heard so, yes, keep repeating yourself.  

As an Australian, most of my research isn't here.  I have years of work to do here without even touching another profile.  On the odd occasion I've been able to connect to the tree it is to an unsourced GEDCOM upload or a profile that needs a lot of work.

And, the profiles I create require a lot of work!  I haven't been here for long and it took around a month for me to perfect a system that works for me.  So, I'm going through the first profiles I created and improving them.  And, there's always new research to add to an existing profile.

I do like WikiTree and I'm pleased I found it but there's a big BUT.  Some of the responses on this thread are (let me be polite and kind here) a little hard to read and utterly at odds with what I believe to be the ethos of WikiTree as interpreted by the Honour Code.  I am somewhat sceptical that the Honour Code will always prevail (even though it should).

And, as such, I think that WikiTree should default to 'unlisting' living people with no other option available with or without GDPR concerns.  It's the right thing to do.
Tamara - I agree with all you say.
To Tamara and your reply to my question.  While you give a good argument, that was not my question, my question was this, do I get to view my own Profiles that I create which show my own DNA results to me, not everyone else on Wikitree. My question was what does unlisting mean? Does this mean that I cannot view my own Profiles of my own children and their DNA results which show on their trees?

Re: Privacy concerns, while I agree with you that the world should not view these profiles, I was talking about me being able to view my own profiles. And no, I am not a liar, if I gave and bought my children's DNA tests for them on Ancestry. they certainly agreed, and some of them are registered on Wikitree as members.

Another question I have on DNA results. Me and my daughter and her father and his family show up together on many of my Profiles, her son, my grandson, which I bought his DNA kit and he registered on Wikitree, and on Ancestry, he is shown as parent/child relationship with my daughter and me, why doesn't his appear on our Profiles, I uploaded our DNA on GEDMATCH, but his doesn't show up on any Profile. My daughter and me and her father's family show up together on many of my family's profiles, but not her son or my grandson. Since my father died when I was five years old and all males in his line died, he was the only male we could test, so does anyone know why this is?

Dona Floyd Kimmons

Hi Dona,

I've re-read what you asked in the first instance.  It's a little difficult for me to respond as your question (and my response) are both in a different thread.

Let's start with what may be perceived as the most inflammatory for people reading your comment with having no context.

"And no, I am not a liar, if I gave and bought my children's DNA tests for them on Ancestry. they certainly agreed, and some of them are registered on Wikitree as members."

I did not call you a liar (everyone exhale).  In using the House, MD pop culture reference of 'Everybody Lies' I tried to convey the rules of evidence insofar as you stating on an online forum that you have the consent of your children as evidence of that consent.  It is not. I even wrote:

"I'm not calling you a liar, by the way, I'm just employing rules of evidence."

To use another example: you cannot have surgery providing oral consent.  You must sign consent forms and, in order for that consent to be valid, it must be informed consent.  So, I hope that clears that up.

As for unlisted profiles, you may have missed my second edit which I'm reproducing here:


You'll still see your children if they are unlisted.  Other people won't see them.  I've unlisted my own parents (to protect their privacy) but you can still see my tree and place me within WikiTree.

And while you might not feel that I answered your question, you did write "And why do we have to follow European laws, when most of my records are public anyway in courthouses?" 

Which I answered at length.  Your original question seemed to be centred on GDPR issues so I focussed on those.

I see you posted another question and got the answer you wanted.  I would love the WikiTree leaders to start an information campaign on ethical genealogy and the benefits of unlisted profiles (for nuclear families).  That might clear up a lot of confusion.

All the best,


Thank you for clearing this up for me. I am sorry if I sound inflammatory, I didn't mean to sound that way, I was just confused about all of these new things, and it is hard enough for me to even learn how to properly use Wikitree, I am still trying to learn. This new thing is just confusing to me, and I am still trying to study this, but thank you for your new reply. My children do not live in this state, one lives in Pennsylvania, and I live in Texas, and one is extremely sick and unable to even write anymore, so getting written consent is not reasonable for me, the most they do is texting on cell phones, and I don't even own a cell phone, nor do I know how to use one, I am older, and new technology baffles me still, especially even communicating with my own children, who only do texting now. Please be patient with me, I am still trying to study all of these new rules, thank you.

Dona Floyd Kimmons
I don't know why we can't have a separate process just for doing Triangulations to confirm DNA ancestors. I mean, we're just talking figures and %s. Last names are all that really matter. If I have a hidden Example match that is living, what does it matter? All you need is a number.
I read the new rules, and I had to go to living people in my own family and make them responsible for their own DNA data, and I am no longer their Profile manager, they are, and some choose not to put their data on Wikitree, and I do understand that, and I have so many people in my tree, but most of them are not living now. If you become aware of any of mine that are wrong, let me know, I tried to make my tree private on my living people, but I also have other relatives working on these same trees, and I do not know what they are doing on their own Profile pages, and on mine, I am not the Profile manager any longer, they are, as I thought that is what the new Privacy law asked us to do.

Dona Floyd Kimmons
+31 votes

What impact will this have on creation of duplicate profiles?

For example suppose my Brother decides he wants to start doing some genealogy as well. He has already got a profile on Wikitree (Started by someone who I haven't worked out the connection yet) and is currently red privacy. He still comes up as searchable. There is an unlisted profile listed as well when you search for his name (Jeremy Kellett). 

What will prevent the creation of a new profile by him or other people if they can't see that there already is a profile especially if the current profile just says "unlisted person"?


by Darren Kellett G2G6 Pilot (244k points)
Nothing will. No one living will be able to see any other living person's profile, including duplicates of their own or any they have created, unless they've been specifically invited. Otherwise you'd have a potential GDPR violation, so the entire living tree will become one gigantic mess of uncoordinated duplicates, like grafting all the private user trees into one giant tangle.
This will be a problem for sure and in the future will mean a million merges needing to be done. Perhaps wikitree needs to make it a rule that we are no longer allowed to make profiles for non-member living people at all. I would be more than happy with that personally.
Perhaps it's time to just drop a nuke on the entire site and HTTP 301 redirect to since we only do dead people now and that's where the dead people are.

I don't agree Nathan. Wikitree is far superior to findagrave, poles apart, no comparison. We don't need living people's info online for all to see or glean info from to be a great site, or to be good genealogists. It is a respectful and responsible move, I welcome it.

I think maybe Nathan is being facetious? Anyhow, does being on Findagrave assure that one is dead? Can Findagrave assure anything except that a picture is a picture of something real? Or, I suppose anything can be photoshopped. (Now I'm being a little facetious.)
I am sorry for allowing my frustration to infect my comments last night. I have treasured the positivity of this community and have had little sympathy myself in the past for folks who complain about having to collaborate on wikitree or having their work undone.

This is something different though. WikiTree has always been about openness and sharing combined with privacy controls for the living. A blithe suggestion of just *deleting all our shared work* on the living tree wholesale without exporting it, without giving us a place to go to continue our collaborative work on the living tree, that is a major breach of trust and that will be very hard to swallow.

If this had been mostly accepted here in the G2G announcement and there have been some feathers ruffled, you have seen nothing yet because the average editor doesn’t pay much attention to G2G until they log in one day and find that Wikitree as they know it along with all the work everyone has put into it is gone. Then you will see some storms on G2G. There had better be a big click-through announcement on login well in advance of implementing this proposal (and 25 Mar GDPR day is coming) as doing this without actual notice is going to bring out the pitchforks and torches.

And saying “this is required by European law” or “but it’s for privacy” will not make anyone happy. The GDPR as it is written is directly in conflict with our first amendment right to share our stories about our own families and other families we have interest in. It is no good in the name of privacy to enforce a rule sharing is by default forbidden for all personal information we possess about others.

It’s a basic right to tell others I have a son named Toby who is five, an aunt named Roberta after my grandfather who was born like me in Pennsylvania, that’s I have one male first cousin on my fathers side and two female first cousins on my mothers side, etc. certainly up to the limit where someone has an objection. Don’t let Europe come in and tell me what I can publish here in America about my own family on an American platform and that I have to delete this comment because it contains “personal data” about others without their individually recorded consent in advance.
I have no problems with your expression, Nathan. This is a big issue and it isn't directed at individuals. I notice that the range of opinions goes from "Don't dare mess with my first amendment rights" to "I wish it was even more strict." We are but one community riding on a very large ship that we don't steer. We can only do our best to protect our stuff along the way and rearrange the furniture as we see how it settles out. Along the way, this is how we can communicate and there's nothing wrong about that as long as we don't tear at the threads of this community.

I haven't been with WT as long as many of you, but I venture to say that it has never been a perfect fit for everyone. Change is hard.
Oh, about your last paragraph, Nathan... I remember just a few weeks ago I was grousing about the fact that I wasn't allowed to display my connection with my wife as I wanted to. I thought the rationale was dumb and I still do... but c'est la vie... we move on.
We may have to move on, but we may not move on at WikiTree. This response really isn’t helping; it’s not directed at individuals—really? Individuals spent many man-years building a tree together about millions of individuals which is just going to go dark and become unavailable just like that. Please don’t tell me it’s just the way it is and it’s no skin off our nose.

Yes there have always been a few who want it to be even more restrictive or control vast swaths of “their” tree that they are no closer related to than thousands or millions of others. Why don’t *they* move on if they don’t want to collaborate on the long dead? You can build a private tree that only you can control on or with any number of applications for free already.

As for the living we have always had the rule here don’t post anything you don’t think they would want posted, and that the person themselves can always have ultimate control about what if anything stays on their profile.
Nathan, living people aren't being deleted -- they are just being made unlisted. You can still invite family members to collaborate on the profiles with you, and when the person dies or joins WikiTree they can be made private/public/open.

Honestly, I don't think the average user will even notice the change. They will still be able to see everyone they added like before, unless they are signed out.
Nathan, I wasn't saying this doesn't affect us as individuals. I'm saying we don't have to rip each other as individuals. I was actually trying to support you to express yourself. You said you were sorry for allowing your frustrations to show and I was trying to tell you that's ok. So many of us have put a lot of work into this and of course we are passionate about it. I'm on your side, friend.
+9 votes
I would be so happy to see the DNA info removed from my profiles! I hope we can implement stronger and longer privacy for our profiles too, like going back 200 years like we used to!

I do mostly European genealogy. How will this affect my ancestors from the 1500s, 1600s, and 1700s?


by Living Troy G2G6 Pilot (158k points)
I think it only applies to living people.
Your ancestors from the 1500s, 1600s and 1700s are not living, so it will not affect them.
Yes, that is right. The EU rules do not apply to information about deceased persons.

Why would you want to make a profile private on someone who has been dead for 200 years? Or do you just mean not open so just anyone can edit it?
It would be better if we consult with someone before we edit their ancestors who are less than 200 years old. I like everyone to be green. My parents are already private and they would love unlisted. My grandson, a minor is unlisted, but that is the only way for me to connect to his father's side of the family.
For it to become one tree we have to open up as many files as we can! What about others connected? Your cousins and their trees need to hook up, Sharon. Look at the big picture here.
+40 votes
I'm sorry if this is over the top, but I understood that Wikitree corporate is a U.S. entity. I put many hours of my life into building our shared tree here on the understanding that the promise that this shared information would be kept forever free and protected by the 1st amendment that is a product of a revolutionary war that the U.S.A. fought to free itself from regulation and interference with our liberties from across the pond.

Change #2 will make DNA connections next to worthless and trash the considerable investment I've made in my family's genetic genealogy. I have gone out of my way to help get people tested in exchange for their consent to share, now it won't be shared at all unless they are interested in joining, which I can assure you most are not.

Change #1 may easily eliminate 50% of the entire utility of a shared family tree on Wikitree to begin with. The connection to our ancestors begins with the living. If every nonmember becomes unlisted and cuts off the family tree altogether, then we are left with a dead tree with no leaves.

The two combined mean that we are retroactively wiping out the immense collective value and effort of the thousands of members current and past of this project.

There is another choice; stop dealing with the EU and don't comply. Let them try to enforce their GDPR or judgments in U.S. courts. We have a 1st amendment here, if we don't use it, we lose it. Which appears to be what is happening now.

In another thread we have fears being stoked about potential law enforcement use of shared DNA matches, here we have members rolling over and giving up on the entire project because some EU bureaucrats overreached; well-meaningly as they might have intended.
by Nathan Kennedy G2G6 Mach 3 (30.0k points)
Nothing hurried about it. The big companies have been preparing for this for months. Ancestry was already making changes last year in readiness. An example being when they implemented the change to having DNA test takers set up their own accounts.
The only reason I used the word 'hurried' was that there seems to be a flurry of "we're changing our privacy policy" emails arriving in my inbox.  If they had been preparing for months (which I'm sure they were), then why did they wait until two weeks before The Day to tell me about it?
The big companies have handled it in such a way that changes having a major impact have been handled long before the implementation date for the legislation. The impact for customers at this stage in their handling is not so significant. No need to make a big issue of it now as the work is done. You just need to decide whether or not you are prepared to agree to their updated policies.
Jillaine:— Ancestry’s new privacy policy indicates they’ve set up a separate division in Ireland (which is a member of the EU) to act as the gate-keeper for their EU users, while the original US service center will continue to be the gate-keeper for the rest of the world. This will obviously allow Ancestry to have a different set of privacy policies and consent forms for EU end-users, should the company find it advisable, while applying looser rules to their non-EU end-users, but as far as the end-users are concerned it will probably all appear to be seamless.

While I’m no expert, it seems to me that the main difference is that the EU requires a higher degree of transparency than the US does as to the potential uses of the personal information the end-user is sharing in order for the person’s consent to the sharing to qualify as “informed” consent. It cannot be so vague as to be left to the person’s imagination to try and figure out what the potential consequences of the consent might be.
The EU also appears to be implementing a higher standard of data security on the repositories of people’s personal information than the US does, and backing it up with enhanced reporting requirements, so that data breaches will no longer be able to be kept secret from the people whose personal information has been stolen for many months, or even years after discovery, as has happened in the past.

More on how other companies are handling the new EU privacy protection regulations.

1) FTDNA has announced they will be shutting down and effective May 24. Details here:

2) The operators of have decided to retire and are shutting down their site effective May 23.  Details here:

@Russ, thank you for again summarizing the dilemma succinctly. No one has yet given any reason that EU's laws are holier than Saudi Arabia's or the People's Republic of China as they apply to WikiTree.

@GR Gordon: Thankfully your sad view that simply exchanging databits overseas makes me subject to all the laws of the country where they end up is not in fact the law of the United States or its political subdivisions. Were it so, please reply to Russ.

@Dale: You are inadvertently proving my point. Even as someone who doesn't outwardly profess to care much about living member profiles, you seem to prioritize them for your own watchlist. Presumably if you further cut your watchlist down to 1500 nearly 20% of them would be living. Others may have different figures. And your watchlist is not reflective of either the composition of WikiTree as a whole, of how other members value the existence and use of those profiles, or of the actual utility of living profiles to members who use the tree. For many members, (including adoptees and others looking to connect with living cousins, genetic genealogists, those with an interest in notables, etc.), connection to living profiles is hugely outsize in importance, whether or not it is to you.
Charging someone with a crime and successfully prosecuting someone for a crime are 2 completely separate things. Especially where the "crime" isn't a crime where it actually took place.
I don’t think it is being classified as a crime anywhere, even in the EU.  It’s a civil enforcement action with the penalty being a civil fine, similar to what happens in many big cities to storeowners who fail to keep the sidewalk in front of their building clear of snow and ice so that pedestrians can pass safely without having to walk in the street with the cars and  only on a grander scale.  No one is going to go to jail for breaking the rules, they’re just going to have to cough up some money to pay civil fines that will not even give them a criminal record. So, there’s a lower standard of proof, and a different standard for imposing liability.  And in an internet connected world, it would not be surprising to discover that the United States has made some Treaties with the EU providing for mutual full faith and credit to be given to judgments issued by each other’s civil courts and allowing US courts to enforce them, similar to the way Michigan’s courts recognize judgments issued by a Florida court in a lawsuit tried under Florida law.

Most importantly, it won’t be you and me and the other end-users of the WikiTree site the EU will be going after in any event. No, they’ll go after WikiTree for failing to protect EU residents from whatever we may have done, and it will be WikiTree, not you and me who is taking the risk of getting hit with these truly horrendous fines. So far, at least three other genealogy sites have opted to shut down entirely rather than accept that risk and make the financial and manpower investment necessary to protect themselves. This is a problem that no one had any way of foreseeing when WikiTree began.

Personally, I am very grateful that the organization has decided to take on this problem with all the risks that it entails and do the best that it can to remain in business and honor its promises to give us a free platform for sharing our family tree data to the maximum extent they can afford to allow. Let’s please give them a break while the full impact of these new rules gets sorted out, hopefully with some other operation being the guinea pig (I could give a list of my druthers, but I don’t want to bore you to death).
@ Nathan, You missed my point. The profiles for living members, with the exception of some Notables, are not only members of my family for the most part but these changes will not affect them much. This is because not only can I see everything on them but the relationship finder works thru them both ways. The only danger with this change is some duplicates could be created and some merges could result in the future, both of which happen everyday already.

I tested both the relationship finder and the connection finder with someone else's account, I know of several other WikiTree members that live close to me, so I am sure they work. The "Damage" is being overstated.
@ Nathan, You and I show a blood relationship on the relationship finder so if you want to see what happens with the unlisted profiles just run that on my profile and that will show you because my father is still living and I already set him to unlisted.
+21 votes
Since Ales managed the server during last weekend's Clean-a-thon, does this mean that all the wikitree servers are in Slovenia which is why they come under these EU rules?

Does this also mean that I cannot add my mother's DNA details even if both of us do NOT live in the EU but we are both still living?

So there would be no point to even having my mother do a DNA test at all.

 I'm curious as to how this ruling will affect the DNA companies - especially those that test people from Europe?
by Robynne Lozier G2G Astronaut (1.1m points)
I'm interested too, plus public online records on familysearch etc what happens to the source material, surely this is covered and therefore subject to the same rules as WikiTree and other websites?
It shouldn't be that hard for the DNA industry to organize itself so that the people with names don't see unencrypted genome data, and the people with genome data don't see unencrypted names, and not even the CIA can put them together without a password known only to the customer.  And if they haven't done that all along, people should be asking why not.
I can see two results coming from this and neither is all that pleasant in one way or another.

1) The only way to utilize someone else's DNA going forward will be a legally binding document that provides a release of sorts against prosecution, and a permission to use the DNA information in any way. The problem here is that someone has to create such a document and test the waters so that it's a proven document to release WikiTree and the contributor from all potential harm.

2) The DNA contributor has to die, which removes them from consideration in the law. While the amusing picture of testing someone's DNA and then bumping them off sounds absurd, I'm sure there will be those who will consider this (albeit briefly, one would hope) and discard this as foolish compared to the consequences. Since DNA testing hasn't really been around all that long, it's unlikely that there will be many "dead DNA takers" out there, so it will become a bit of a waiting game to see how long it will be before one's relative's DNA will be usable for public genealogy again.

Just my 2 cents.
RJ, please review the post by the Genetic Genealogy where he/she specifically advises against “anonymizing” DNA data for compliance. Anonymized DNA data is still itself specifically radioactive “personal data” under this regulation, and as has been demonstrated again and again, can be deanonymized under real world conditions.

So if we are allowing a strict reading of the GDPR to govern, potentially even removing DNA info and unlisting are not enough because anonymizing unlisted family connections with [private] still leaks info about unlisted relatives’ relations and other sources can be used to deanonymize who the [private] person is.
As to how this is affecting other companies, Ancestry has just updated their privacy policies and terms of service to take the EU regulations into account. They appear to have set up a separate unit, based in Ireland (an EU country) to service their EU customers separately from their customers in the rest of the world. I’m not sure what the effect will be on information-sharing between customers in the two divisions (i.e.: will what they see when they access the site be the same as what we see when we access the site.)
+33 votes
It wouldn't be as bad a hit if we could default to "private with public family tree" for the living and "private" or "unlisted" for those under 18. But if all living non-members now become unlisted that kills so many projects, breaks so many family trees, and makes the connected part so much harder to maintain.

Surely since it is a US based site there could be something along the lines of requests for something to be hidden rather than hiding everything. Once you take a step into the dark ages of political correctness and bullying politicians trying to dictate control over internet content it is a slippery slope trying to get that control back.

We certainly don't want the whole world to be one big China with online scores dictating what privileges we will be allowed to have.
by Steven Tibbetts G2G6 Pilot (355k points)
I agree with everything you said, Steven. Scary times are getting scarier.
It may be a US based company, BUT if the servers are in Slovenia - as witnessed by Ales's great management of them - then does this mean Wikitree does come under these new EU laws?

If the answer is yes, then maybe Wikitree needs to find new servers outside the EU.

The  reason I ask about Slovenia is because the tracking programs for the clean-a-thon all had Slovenian times on them and not GMT or EDT.

Well put, cousin descended from Deacon John Shaw, who came to Weymouth in the Great Migration, while I am still able to see this.

Do you think he would have approved of Antonio Tajani dictating the relations between Americans on American soil? (Yes I just made a WikiTree profile on him with public bio and family tree.)

The info is US based. The error checking program is in Slovenia with Ales. And as far as Deacon John Shaw, I had that whole mess straightened out until it went on a tangent again. (sigh)

But evidently this only affects LIVING people. So if they are still alive but not active members it may all be hidden. That means a lot of notables vanishing, connections being broken, and basically chopping the trunk out of the world tree.
Shaw may be dead but we are living and connected through living people who are not members of this site. I only discovered that migrant ancestor because of our living connection. This is part of the vitality we cannot lose.

How right you are, Shaw!  I, also, broke through two brick walls and have found many valuable profiles by becoming connected to living people who are not members of this site.

Servers can be managed remotely from anywhere in the world. Most internet server maintenance is done this way. They often reside in giant shared data centers some physical distance away from end users. The only reason to be physically present on site is to maintain hardware.
Profiles of living individuals who are not members are not being DELETED (unless they're under 13 years of age) nor are they being DISCONNECTED -- they're being UNLISTED.  As Dale has pointed out elsewhere in this g2g, the connection finder still works.
Thank you Pilot Smith for clearly correcting my comment.

Some people, apparently myself included, have emotional knee-jerk reactions to certain words on subjects close to their heart. ;)

There's just lots of confusion about the impact of these changes. And I won't be surprised if we find out there is even something different that will affect things that we haven't thought of yet.
Indeed.  Yet, thanks to your posts, I realize the limits of my infinitesimal knowledge of genealogy.  So, I'll graciously bow out and let my "betters" sort out such tricky conundrums.  Thanks again for your responses!

I stand corrected on something.

The relationship finder is NOT working anymore if one end of the request is a living individual with an unlisted profile. (Not sure about the connection finder.)


Jillaine, The relationship finder still works for me. I just checked Scott Fulkerson and myself, we both have unlisted parents between us,  and it worked fine. What browser are you using? I have seen problems with Edge recently.

I checked the relationship between Queen Elizabeth II and myself; said it wouldn't work because I wasn't on her TL.

Did it ever work with private profiles? I rarely use the relationship finder but when I tried it with one of the few WikiGenealogists I'm related to, it did not work because her profile is red private. And that was months before the GDPR related changes went live.

+28 votes
So adoptees will no longer be able to find their biological families. This will hit the adoption angels and adoptees big time I think.

Does this also mean that YouTube may have to remove ALL those videos of people who put up videos of their DNA results - and there are thousands of them?
by Robynne Lozier G2G Astronaut (1.1m points)
Not to mention any European living notables on Wikipedia..IMDB...etc. unless it's specifically released by the person or their legal representatives.
I don't think so Natalie - this ruling specifically only applies to DNA and genetic genealogy - not to public and private biographical information.

I don't think any Notables have done any DNA tests that I am aware of.

Robynne, while public figures may be a special case, the GDPR is not at all limited to DNA, would it were so, it's all personal data. That's why they want to unlist all living nonmembers, e.g. defoliate the tree with Agent Orange.

"Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer's IP address."

Name and family relations is personal data, much less a thumbnail portrait or approximate age!

Drats. Thanks.

So - now everyone on my watchlist who is still alive now, must become private, if not unlisted?

Most of them are either from New Zealand or the USA - NOT EU citizens at all.
Some adoptees will still be able to find their birth parents via DNA I think?  To find a parent via DNA information on WikiTree they would now need to get a DNA match to someone dead on WikiTree (whose DNA is allowed to be posted), and for the profile manager of that person to want to help them, and to have enough information about their birth parent for them to be able to track them down.  I did hear of a case recently where it was said an adoptee tracked down the birth parent to try and get money out of them, and this caused great distress to the natural father's wife, but I would imagine (assuming it happened as I was told, which I can't personally vouch for) such a case is very exceptional.
It isn't just adoptees.

Plenty of blacks who are related to slaves lose this valuable tool. The existing public documents on slaves leave a lot to be desired, but a DNA test can bridge that gap by leaps and bounds.

This is just devastating in that regard.
Yvonne, please clarify.  If I was an African American trying to link to an enslaved ancestor, how would these changes impact my ability to research that?

When slave descendants track their tree back through the Jim Crow/post-slavery sharecropper era, often records become very sparse, speculative, or nonexistent.

But in some cases one traces ancestors successfully back to an enslaved mother on a particular slave plantation and based on names it is possible to speculate as to for instance whether a plantation owner, family member, or another slave was the father. Or whether a group of slave children were in fact siblings, etc. There are many related puzzles where the documentation is inconclusive but DNA evidence provided powerful insight into a family’s roots—based on genetic tests of multiple living descendants. It was Y DNA comparisons between living Jefferson and Hemings descendants that established TJ as the father of her children, for instance.

These changes mean we cannot input or cite DNA data from slaveowner or slave descendants unless they have joined the project, which leaves only the speculation and incomplete data when DNA could help bridge the gaps.
Nathan, thanks for the illustrative explanation.  Got it.
+58 votes
Chris, I spent 22 years buying Rights and Permissions. I would have one suggestion, and that is you work with a Rights and Permissions law firm and not corporate lawyers. I can tell you corporate lawyers are just not versed in all the twists and turns of Rights and Permissions law. The differences among copyright, trademark, estate rights, artist rights, performance rights and then the added differences with these on an international level are mind boggling. I worked for a large company that had a very large staff of in-house lawyers and every one of them directed me to work with a Rights and Permissions firm for these kind of things. If you want the name of the one we used the most feel free to private message me or email me directly and I am happy to provide you what I know.
by Laura Bozzay G2G6 Pilot (722k points)
+25 votes
I don't think this is too far off topic, but can anyone tell me if the new law will also affect the IMDB - INTERNATIONAL MOVIE DATABASE which lists the movies and TV shows by actor and WIKIPEDIA biographies? Especially Wikipedia, where a lot of research starts?
by Eddie King G2G6 Pilot (633k points)
Michael, you wrote, "Media freedom is also a fundamental right under both EU law and the European Convention on Human Rights, and GDPR cannot, and does not, remove that freedom."

So what is "media" and why is WikiTree not under that umbrella? Is there a special "media" club for members only? If so, this is an extremely dangerous assault on the free flow of information, which will be granted into the hands of only a few.

The more paid lawyers a "media" organization can hire, the more "freedom" it has to dictate What Is Truth.

Totalitarian speech control marches on.
My understanding is that ‘media’ in this context means primarily news media, as it often does in at least European English: the Press, news organisations, broadcasters, reporters etc., including news websites. Not, as I understand the law, organisations like Wikitree. The term probably now extends to bloggers, though I am not aware of that having been legally tested. The European Convention on Human Rights does not, as far as I can see, use the word ‘media’ and the relevant Article is worded in broad terms about freedom of expression, but the EU Charter of Fundamental Rights does use the word.

The EU Charter of Fundamental Rights also gives citizens a fundamental right to the protection of personal data about them. The European Convention on Human Rights includes a right to respect for private and family life - which extends to protection for personal data.

Both sets of rights - media freedom and personal privacy - are of long standing. Neither is totally unfettered. GDPR does not make any significant change to the balance between the two sets of rights in situations where they may clash. (There have been some major court cases over the years which have turned on that balance.)

There have long been more specific rules in EU countries for protecting personal data. In the UK - and probably all EU countries - GDPR makes negligible change to the sort of information that falls within European data protection rules.

We will all have varying views on the right to privacy for personal data about the living, and no doubt the law, traditions and practices of the US are not the same as those of Europe: I would not want to enter any debate on the respective merits and demerits of the differing approaches. EU law is what it is. It remains to be seen what GDPR will mean in detail for sites like Wikitree, but I am sure those who have set the new policy on Wikitree information about living people are wise to have adopted a cautious policy at this stage.

I stress I am not making any political statements.
Michael, on your point, "GDPR makes negligible change to the sort of information that falls within European data protection rules."

Well, in this case, that "negligible" change is suddenly translating into a lockdown of total public invisibility for perhaps half of the profiles extant on WikiTree.

So I think I have to stand with my first assessment of the totalitarian speech control in this thing.

Steven, as I have indicated, it is not the intention of GDPR to make any significant change to the sort of personal data protected in law. But one of its main aims is to close loopholes on how protected personal information can be handled and used. One of the reasons for the inclusion of the right to privacy in the European Convention on Human Rights and in the EU Charter was the history of what happened in Europe between 1918 and 1945. It was seen as part of protecting democratic values and freedoms. Facebook’s current controversies (Cambridge Analytica etc) are an extreme illustration of why the EU and national legislatures continue to attach importance to privacy issues - and there are constant concerns about the use to which data harvesting can be put, and the power and influence it can give.

Also to me (and I will be blunt, Steven, as you have been), it is unethical for someone to bring together a load of information about me, a living person, on a website without my say-so, without telling me, and without giving me an opportunity to make sure it does not contain falsehoods or aspersions. I note in passing that the code of practice of the main UK association for professional genealogists includes a commitment to discretion and to respect for the privacy of information obtained: that, to me, is commonsense ethics. If I have - like many celebrities - clearly allowed information to enter the public domain, that information is of course not protected - but I cannot see how Wikitree can ensure that those contributing information distinguish between private information and information which those to whom it relates have consciously allowed to enter the public domain.

Finally, I quote the Wikitree Honor Code. “We respect privacy. We privacy-protect anything we think our family members might not want public. If that's not enough for someone, we delete their personal information.” That can be given effect only if non-members have the determining say in what, if any, information about them is put on Wikitree. Not so different from the principles underlying GDPR.

Well, but totalitarianism always marches forward in the claimed interest of The Greater Good.

Centralized control of things like Privacy as a legal mandate becomes Tyranny.

Freedom always puts maximum power in the hands of the individual. Tyranny removes that power, and puts it into the hands of the central authority.

And as we have seen repeatedly throughout history, the anonymous specialists within the central authority always end up weaponizing such tools, on a selective basis, against the individuals who become targeted as enemies of the authority.

Terrifying things are happening all around Europe today, involving state-enforced speech control. This will become yet another state weapon for that purpose.

The case is proven just by the fact that WikiTree leadership, thousands of miles away from Europe, is implementing it as a fundamental change so drastically to its basic structure. There is no argument left to be made.
Steven, I respect your right to have those views - and it will be clear that I have a very different view from you on rights to privacy. This is not the place for political debate or for argument about whether GDPR and its predecessors - and data protection laws in non-EU countries - are justified or not. I do not know if you live in the USA but, if you do, that no doubt conditions some of your attitude: the US is unusual among developed countries in not yet having fairly comprehensive data protection and privacy laws.

As far as Wikitree goes, I think it is only beneficial that GDPR is forcing us on Wikitree to look again at how we handle privacy. Like one or two others, I have been a little dismayed by some of the comments on the GDPR issue. Irrespective of the law, we must always remember that when we are talking about information relating to living people, these are real people whose wishes and feelings about privacy for their data must be respected. That is just good ethics, and common sense, and is reflected in the Wikitree Honor Code. It may be that Wikitree systems and procedures have been insufficient to give living people the protections they should have, and the way some information on Wikitree has been added may in some cases have gone against the Honor Code. Attentive readers will note the careful circumspection with which I have worded that last sentence.
I fully expect within the first year of this law a number of suits to be filed in the World Court. As fines are levied on corporations outside of the EU we will see those corporations banding together to file cease and desist orders of the EU overstepping their legal authority as it relates to non-EU entities.

I also fully expect many of these corporations to come out with documents you will be required to sign giving away your privacy rights in order to use them.  

I fully expect there will be modifications as the reality of this sets in and people realize what they lose or gain depending upon their viewpoints.

Privacy is a major issue in this world of instant communication and social media. The EU has decided to swing the pendulum to the protection side. Many companies outside of the EU may simply decide to quit doing business with any EU nation at which point the populace will have to decide if it is worth it to lose access to things they have become accustomed to.

From where I sit, this law is going to be challenged on many levels in the coming year so most companies with large databases will segregate things and watch how the legal winds blow... changes are in my opinion inevitable.
Laura, there is no provision in GDPR for me to sign away my privacy rights. For self-evident reasons. What I can do is give consent to my information being used in ways that have been made transparently clear to me - and the organisation at the other end has to operate within what I have agreed to. That is not just true of GDPR. It is the norm in data protection legislation in non-EU developed countries. The great majority of developed countries have data protection legislation on broadly the same principles, and follow a general approach advocated by OECD. This is not just the wicked EU.

GDPR does not represent a major swing of the pendulum: it closes loopholes in previous law which had the same overall aims. It gives greater standardisation across Europe of fine detail and administrative requirements, which may make life simpler for some data handlers. And, as we all know, it seeks to extend the application of the law to non-EU entities dealing with people in the EU even if they have no presence in the EU and all data handling is done outside the EU. From the Wikitree perspective, that appears at first sight to be the biggest change, but I am not altogether sure it is: I think I am right that Wikitree does some of its data handling within the EU and because of that might well be within EU data protection laws anyway.

I am sure you are right that there will be some court challenges on extra-territoriality. Not just for aspects of GDPR but also for some aspects of other countries’ rules. All developed countries with data protection laws extend them to a significant extent to extra-territorial activities and entities, as they have to if the laws are to be effective. The minimum approach is normally to apply the law to foreign entities undertaking data handling activity in their territory and to prevent the rules being sidestepped by arranging for data to be handled abroad, even if that is by an independent third party. At least one - Japan - explicitly goes as far as the EU are now seeking to do on extra-territoriality; the laws of one or two other countries could be interpreted as going a bit further in some respects. (I base the last few sentences on summaries of different jurisdictions’ laws given on the website of a major UK law firm.) I for one will be watching legal developments with interest! Not just from the Wikitree-type perspective - there are non-genealogical reasons as well because of other things I do - and because I have a deep concern for privacy issues.

For Wikitree, GDPR has currently brought privacy issues to the fore. But I suspect this was bound to come soon anyway. All the more so given what has been happening with Facebook, Google’s use of personal data, etc. etc. And, in the genealogical world, there are starting to be real concerns about the desire of some to get hold of DNA test results for other purposes - and not just law enforcement as has happened recently: and that someone has had a DNA test could itself become sought-after information with commercial and other value. I may sound paranoid, but long experience tells me I am not.
Michael, I beg to differ.  I have seen some of the "new" privacy statements and have literally been forced to sign one without any option of opting out because that link conveniently did not work, just to use my existing email.  

Any time you agree to someone else's privacy terms you are in effect signing away your rights.  You may be willing to do it, or you may feel coerced but you are giving up rights.
Laura, I obviously cannot comment on what your email provider has done and whether it complies with GDPR etc. But if I thought one of my email providers was requiring me to sign away all my privacy protections, I would change provider instantly. And make a formal complaint to both the provider and the data protection authorities. This would not be about the efficacy of GDPR. It would be about what a particular company has done. GDPR, like any other law, cannot prevent companies contravening the law: it does give customers rights of legal recourse, and the authorities the ability to levy hefty fines, where companies do so. And what a company can legally ask you to sign up to has to be compatible with GDPR and other legal rules like the law relating to fair contracts and any other privacy laws. In the UK the law on fair contracts gives additional protection to personal information and customers’ general legal rights, which would include data protection law.

I would, though, be amazed if you have surrendered all your protections. Unless your provider is egregiously disreputable, it will be committed to protecting the privacy of your email address, other contact details, password, email content, information about who you exchange emails with, their email addresses, and any payment information if you use a paid service. If I thought these things were not protected, I would change provider, and make a formal complaint.

Under GDPR, where consent is required it is opt-in consent. That is one of the main tightenings-up. The starting point is that the customer has not given consent. No longer can a company say that, buried in the small print, was a statement that information would be passed on to other organisations so they can send marketing literature unless you tick an opt-out box. If you are an EU resident and your email provider needs your consent for something, it needs your active consent, and if you believe it has not complied with that, there are grounds under GDPR to complain. Again this is not about the efficacy of GDPR - it is about what a particular company may have done.

My own email providers have yet to ask me for any consents. They may not need to. There is a general rule in GDPR that a goods or service provider can do whatever is needed to fulfil a contract, without asking permission - it still has to protect personal data of course. A rule of that kind is obviously needed. That is likely to cover all that an email provider really needs to do. Consent is needed only where an email provider wishes to go beyond that.

What service providers are required to do is notify customers about changes in terms and conditions. That is because of contract law rather than GDPR. Many organisations have been revising T&Cs as part of their getting ready for GDPR, to make it more transparent how they handle customers’ personal information - GDPR requires such transparency (as in the UK did previous data protection law, but GDPR has tightened things up a little). Customer consent is not required if this is all a service provider has done, and if the use of customer information is confined to what can reasonably be regarded as needed to fulfil contracts and legal obligations: but some companies are asking customers to click a box saying they have read the new T&Cs.

This is all off topic and we should probably not be taking up further space in this thread on your email experience.
+28 votes

Chris, this is really disappointing, and seems like a huge over-reaction.  I don't understand why everyone else in the world has to be subject to what is supposed to apply only to EU subjects.  When this was announced, I was all for catering to the GDPR, for those who fall under its control, *and* for those who choose more extreme privacy controls.  But most of us DO NOT fall into those groups, and DO NOT want additional restrictions.  Many of us understand the small risks, and choose to make our data available for the many benefits provided by such availability.  We have complete permission for anything under our control.

It just seems as if the rest of the world must conform to one party's rules.  If the EU decided coffee was unhealthy, and banned it for all Europeans, would the rest of the world have to ban it too?

I strongly agree that it should be absolutely clear that permission is required to expose any GEDmatch ID.  I personally feel that the GEDmatch web site covers that completely, and that permission has been granted before they will issue an ID.  But if you want to run a campaign that emphasizes the need for permission for such, or even requires a statement of such on the DNA Tests page, that would be onerous, but acceptable.  I have previously stressed that it's good to ALWAYS use an alias associated with a GEDmatch kit, and to use a non-identifiable email address.  To me, that completely satisfies GDPR rules.

PLEASE, find a way to hide and unlist and remove info ONLY from those who are identified as EU subjects.  If that requires us to put a statement on our DNA Tests page affirming that, then that's OK.  Perhaps something like "I affirm that permission has been received for ALL DNA data entered here, and I affirm that no one associated with any DNA kits on this page is an EU subject".

by Rob Jacobson G2G6 Pilot (130k points)

Key word  MAY

This implies may not. Sometimes you warn someone and it doesn't happen. This is much better than already done and you can't prepare at all.


+29 votes
As tragic as all of this may be if it comes to pass, what is the possibility it can be limited to the EU portion of Wikitree? I'm not trying to be callous about it being over here in the US but it doesn't affect dead people and it doesn't really affect anyone NOT a citizen of the EU. So if the damage must happen, can it be contained to a minimum by having the bot target living European profiles only?
by Steven Tibbetts G2G6 Pilot (355k points)
I believe the protection extends to anyone residing in the EU, regardless of whether or not he or she is a citizen of the EU, so conceivably a US or Canadian citizen could be covered if he or she happens to live in the EU.
For data handlers outside the EU, GDPR applies to data relating to people "who are in the [European] Union". That would on the face of it include non-EU citizens living, temporarily or permanently, in the EU. Whether it extends to people holidaying or making short temporary visits to the EU is more arguable - it may well be that one of the principles of EU law - the doctrine of 'proportionality' - or some other legal principle means it does not. But it would seem clearly to cover, for example, students at EU colleges and universities. It also applies to processors who are natural or legal persons in the EU, and I believe that some of the hugely valuable backroom work for Wikitree is done by people who reside in the EU, so I think it may be very arguable that what they do for Wikitree is within the scope of GDPR.

For data handlers who are within the EU, my reading is that GDPR applies to information about people anywhere in the world, but I may have missed something.
+30 votes
The focus in GDPR legislation is aimed more at informed consent for use of personal data than blanket removal. Before unlisting our living non-members I would suggest that each of us makes an effort to ask the living non-members that we manage to give consent for use of their data by joining Wikitree. Perhaps Chris could consider amending the instructions to make this suggestion and specify what information they should be given about the process and what level of membership would be appropriate.
by Lynda Crackett G2G6 Pilot (635k points)
+25 votes
This new law only applies to living European citizens. I think it's personal responsibility for those who manage these profiles. The same system as WikiTree use for images etc.
by Joop van Belzen G2G6 Pilot (133k points)
I believe there's also culpability for anyone connected to, doing business with, or otherwise involved with a living EU citizen. The FAQ on their webpage implies penalties for non-compliance. I think everyone is just being overly cautious as EU courts have been known to prosecute US based companies who do business in EU. I would find it much more likely for them to target Ancestry or the Mormon Church than WikiTree (if they're going after genealogical violations of some sort), but who knows.
I have permission from my sister to use her DNA here on WT. I am the one who uploaded it. I would really hate to delete it. I guess if I really have to for the sake of Wikitree I will. My cousin uploaded his own DNA; do I have to delete his? He has an active family member badge on his page but no contributions; does this matter?
If your cousin added his own DNA then it won't be removed.
GDPR is not confined to information about EU citizens.

As far as data handlers outside the EU are concerned, the new law applies to information about living people who are in the EU, not just EU citizens. But that limit - confining GDPR to people in the EU - applies on the face of it only to data handlers outside the EU: for data handlers in the EU, my reading, unless I have missed something, is that GDPR applies to information about people anywhere in the world.

GDPR applies to 'processors' of information who are in the EU. If, as I believe, some of the backroom work for Wikitree is done by people in the EU, that may additionally bring their activity for Wikitree within the scope of GDPR if they come within the GDPR definition of 'processor'. The territorial scope provisions would on the face of them again mean (unless I have missed something) that if Wikitree uses 'processors' in the EU, GDPR applies to information they handle relating to people anywhere in the world.

There may be even an argument that I, as an individual in the EU, am a 'processor' in the EU when I put information on the site, and if that is so, it would again appear to me to apply to information relating to individuals anywhere in the world. 'Processors' do not have to be paid. The explicit exemption for what people like me do is limited to what we do for 'purely personal or household activity.'

The full implications of some of this are unclear at this stage, and more clarity will doubtless come over time.
Then it's more complicated than I thought. We will see what the consequences are in the future.
+17 votes
I am the only one in my family to do a DNA test and have it attached to my profile, which in turn propagated to the rest of my tree. How will this affect the living persons, parents and child (as my grandparents are no longer alive), in my tree?
by Chris McCombs G2G6 Mach 5 (56.1k points)
Based on the immediate proposal and current function, I believe all living profiles and living DNA connections would become unlisted and only those on the trusted list would be able to see the DNA connection listings. And if any profiles were sourced or marked as “confirmed by DNA” with another tester who was not a member that would have to be removed too (sounds like that would not apply to you yet).

But if conservative GDPR compliance moved forward it might not stop there. Could be argued that this exposes GDPR data on your unlisted parents, and they would either have to join, give documented consent in some way, or their relationship and your DNA *and* genealogical connections/relationships to anyone through them removed from the tree. That’s not being directly proposed quite yet but it’s most of the way there in this proposal. You would already be navigationally cut off from the public tree since your parents would be unlisted.
Not all living profiles Nathan. Just those who are not members.
