Europe’s new data privacy rules, the General Data Protection Regulation, have taken effect, but what they actually mean remains to be discovered. And whether the GDPR, as it’s known, really helps protect your private data may depend on complaints that Max Schrems, an Austrian privacy activist, filed against Google, Facebook, Instagram and WhatsApp on the day the regulation went into effect.
It’s not a U.S. law, but the GDPR applies to all companies, located anywhere in the world, that offer goods or services to EU residents, or that monitor online activities of people in the EU. As a result, many large multinational companies have chosen to comply with the GDPR worldwide, rather than trying to differentiate between customers and users located in the EU and elsewhere.
Although the GDPR is in many ways similar to the EU’s previous privacy rules, it offers the tantalizing possibility of giving people real control over their data for the very first time — though it might take years to sort out.
Giving notice
Like many privacy rules, the GDPR is based on the principles of notice and choice. A company that wants to collect your personal information must first give you notice about what data it proposes to collect and what it plans to do with it. You then choose whether to allow the company to collect the data. The concept is part of the Fair Information Practice Principles, a set of privacy guidelines first formulated in a 1973 federal report that now form the basis of many privacy regulations in the U.S. and abroad.
In the mid-1990s the U.S. Federal Trade Commission began urging operators of websites to post privacy policies that provide this type of notice. In 2003, the state of California began requiring a posted privacy policy on all websites collecting information from California residents. As a result of this prodding, most commercial websites now display a privacy policy to anyone curious enough to click on a hyperlink labeled “Privacy” at the bottom of the website’s home page.
People aren’t better informed
These ubiquitous privacy notices don’t actually help people make informed privacy choices. Privacy policies are so long and complex that few make the effort to read them, and even fewer can understand them.
A study in 2008, at the dawn of the smartphone revolution, found that a person would have to devote more than 240 hours a year just to read the privacy policies of the websites they visited. A decade later, with app-filled tablets and smartphones common across the world, that time commitment can only have grown.
Even if you could read — and understand — all that legalese you still wouldn’t know how your personal information will be used, for one simple reason: The website’s operator itself does not know how the information it collects will be used.
As people click from one webpage to another, use mobile mapping apps to get directions, tap “Like” buttons on Facebook and engage in innumerable other commercial and noncommercial activities, they generate data. This data makes its way into a complex ecosystem populated by data brokers, data analytics companies and advertising networks.
All that data gets bought and sold, combined with other data and processed with sophisticated analytics techniques. The result is a trove of information and inferences about people’s conduct and preferences that can be used by faceless entities in ways that might affect anything from the price of credit to the availability of insurance.
There’s no real choice
Perhaps more significant is an additional point that has been little noticed: Even if you know how data collected by a website will be used, you don’t have any effective choice to engage instead with a more privacy-friendly website.
I recently analyzed the privacy policies of the 25 most-visited commercial websites and found that their privacy policies in substance are almost identical. Almost all of them use cookies and other technologies to track visitors’ online activity. Almost all collect markers that uniquely identify the devices people use to browse the web. Almost all allow third-party advertising networks to collect users’ personal information and send them targeted ads. The same is true of mobile apps.
When faced with an unfavorable privacy policy, there’s no other option — and no way to limit what the website does with the information it collects. Your only “choice” is to stay off the internet and trade in your smartphone for a walkie-talkie.
A glimmer of hope
The GDPR may offer a way forward that allows consumers to reclaim control of their information. It says a user’s consent to collection of personal information may be invalid if she is required to consent to collection of data that is not necessary to provide the service she has requested.
For example, under this provision, a mapping app could require you to consent to its accessing your location before it will provide you with driving directions. But it could not require you to allow it access to your contacts list, because that’s not needed to provide the mapping service that you have requested.
That’s where privacy advocate Max Schrems’ complaints come in. He argues that Facebook and Google violated this aspect of the GDPR by demanding much broader consent than is strictly necessary. For instance, if you want to use Facebook to share posts with your friends and see their posts, you must consent to Facebook’s collection and use of any personal information that it references in its privacy policy.
The companies, naturally, maintain that their privacy policies fully comply with the GDPR. It remains to be seen whether they are right. A 2017 interpretation from an EU privacy working group supports Schrems’ claim, but the GDPR itself is not as clear on this point as it could be. The real decisions will be made over the next several years — and while they’ll happen in European courts, they could profoundly affect U.S. users of websites and mobile apps too.
John Rothchild, Associate Professor of Law, Wayne State University
Shares