The whos, whats, and whys of issues related to personal data and data protection in open-source projects on GitHub

TL;DR

This study analyzes how data protection regulations like GDPR influence discussions and issue resolution in open-source GitHub projects, revealing increased privacy-related discussions and identifying key roles involved.

Contribution

It provides the first empirical analysis of how data protection regulations impact issue discussions and resolutions in open-source software development on GitHub.

Findings

Significant increase in privacy-related issue reporting after GDPR implementation.

Feature requests for privacy enhancements are the most common issue type.

Most privacy issues are resolved without opposition.

Abstract

Data protection regulations such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the US affect how software may handle the personal data of its users. Prior literature focused on how data protection regulations are discussed for software in operation, or how this topic is discussed in various channels outside of the software development process. Yet, what is missing, is a perspective on the impact of such regulations on the software development process. In our work, we address this gap, and explore how discussions during the development of software are impacted by regulations, who reports and discusses issues related to personal data and data protection, and how developers react to those issues. To that end, we used inductive coding to analyze 652 issues from Open Source GitHub projects and used the codes to quantitatively analyze the relation between the roles, resolutions, and data protection issues to understand correlations and predict resolutions of issues. Most notably we observed a significant increase in reporting when GDPR came into effect. The most common issue types were feature requests for privacy enhancement, which were mainly reported and discussed by frequent reporters and frequent committers. But especially issues regarding privacy enhancement were also frequently reported by one-time reporters. Most of the requests were solved without opposing votes. All in all, our findings indicate that data protection regulations effectively start discussions about privacy within the software development community.