GDPR is Here, and Complaints are Already Pouring In

In case you were wondering about the deluge of email notifications concerning privacy policy updates from a number of companies over the past few weeks, blame it on GDPR, the single most important data privacy regulation to date, which went into effect in the European Union yesterday.

GDPR (take the quiz here) stands for the "General Data Protection Regulation," an exceedingly complex 88-page legalese-laden document that forces companies across the world, if they want to continue operating in the region, to (i) get E.U. citizens' explicit consent to collect their personal data and explain what it will be used for, (ii) let them see, correct, and delete it upon request, (iii) make it easy for users to shift their data to other firms, and (iv) report privacy breaches to regulators within 72 hours, or risk fines of up to US$ 23 million or 4 percent of their revenue (whichever is greater).

The European Union's GDPR regulations (Image: Pixabay)

Predictably, the move has sent businesses into a tailspin, with many companies still not fully ready to comply with the rule despite having had two years to prepare for it. Instapaper, the read-it-later service owned by Pinterest, announced that it "will be temporarily unavailable for residents in Europe as we continue to make changes in light of the General Data Protection Regulation (GDPR)." U.S. media publications like the Chicago Tribune and Los Angeles Times blocked EU users from accessing their sites rather than run the risk of paying fines.

Popular ad-blocking tool Ghostery suffered an embarrassing, self-inflicted screwup on Friday when the privacy-focussed company accidentally CC'ed hundreds of its users in an email titled "Happy GDPR Day — We've got you covered!" that ironically went on to affirm its commitment to GDPR, while revealing their addresses to all recipients.

The GDPR consent message that you are likely to see in this blog if you are from the EU

Even more troublingly, the privacy group noyb.eu, led by activist Max Schrems, has filed complaints against Google (Android), Facebook, WhatsApp and Instagram for forcing users to consent to their data privacy policies for the purposes of targeted advertising in order to use the services:

The new General Data Protection Regulation (GDPR) which came into force today at midnight is supposed to give users a free choice, whether they agree to data usage or not. The opposite feeling spread on the screens of many users: Tons of "consent boxes" popped up online or in applications, often combined with a threat that the service can no longer be used if users do not consent. On the first day of GDPR noyb.eu has therefore filed four complaints against Google (Android), Facebook, WhatsApp and Instagram over "forced consent". Max Schrems, chair of noyb.eu: "Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the "agree" button – that's not a free choice, it more reminds of a North Korean election process."

The question here is not about adhering to GDPR in spirit (which they do, as you can glean from the above screenshot), but about seeking users' explicit consent to allow their information to be used for purposes other than what it was collected for (in this case, advertising).

Article 7(4) of GDPR specifically lays down conditions for consent:

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

In other words, users can consent to their personal data being processed to offer them valuable benefits in return for using the service (for example, suggesting new places to visit based on their current location), but not necessarily to tailor ads, since the data collected for that purpose is not necessary to accomplish the intended goal of the service.

Key concepts under GDPR:
  1. Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [Article 4(1)].
  2. Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her [Article 4]. Silence, pre-ticked boxes or inactivity should not therefore constitute consent [Recital 32].
  3. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law [Article 4].
  4. Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller [Article 4].
Check here for more details.