Europe’s new data privacy rules, the General Data Protection Regulation, have taken effect, but what they actually mean remains to be discovered. And whether the GDPR, as it’s known, really helps protect your private data may depend on complaints that Max Schrems, an Austrian privacy activist, filed against Google, Facebook, Instagram and WhatsApp on the day the regulation went into effect.
It’s not a U.S. law, but the GDPR applies to all companies, located anywhere in the world, that offer goods or services to EU residents, or that monitor online activities of people in the EU. As a result, many large multinational companies have chosen to comply with the GDPR worldwide, rather than trying to differentiate between customers and users located in the EU and elsewhere.
Although the GDPR is in many ways similar to the EU’s previous privacy rules, it offers the tantalizing possibility of giving people real control over their data for the very first time – though it might take years to sort out.
Like many privacy rules, the GDPR is based on the principles of notice and choice. A company that wants to collect your personal information must first give you notice about what data it proposes to collect and what it plans to do with it. You then choose whether to allow the company to collect the data. The concept is part of the Fair Information Practice Principles, a set of privacy guidelines first formulated in a 1973 federal report that now form the basis of many privacy regulations in the U.S. and abroad.
People aren’t better informed
These ubiquitous privacy notices don’t actually help people make informed privacy choices. Privacy policies are so long and complex that few make the effort to read them, and even fewer can understand them.
A study in 2008, at the dawn of the smartphone revolution, found that a person would have to devote more than 240 hours a year just to read the privacy policies of the websites they visited. A decade later, with app-filled tablets and smartphones common across the world, that time commitment can only have grown.
Even if you could read – and understand – all that legalese you still wouldn’t know how your personal information will be used, for one simple reason: The website’s operator itself does not know how the information it collects will be used.
As people click from one webpage to another, use mobile mapping apps to get directions, tap “Like” buttons on Facebook and engage in innumerable other commercial and noncommercial activities, they generate data. This data makes its way into a complex ecosystem populated by data brokers, data analytics companies and advertising networks.
All that data gets bought and sold, combined with other data and processed with sophisticated analytics techniques. The result is a trove of information and inferences about people’s conduct and preferencesthat can be used by faceless entities in ways that might affect anything from the price of credit to the availability of insurance.
There’s no real choice
Perhaps more significant is an additional point that has been little noticed: Even if you know how data collected by a website will be used, you don’t have any effective choice to engage instead with a more privacy-friendly website.
A glimmer of hope
The GDPR may offer a way forward that allows consumers to reclaim control of their information. It says a user’s consent to collection of personal information may be invalid if she is required to consent to collection of data that is not necessary to provide the service she has requested.
For example, under this provision, a mapping app could require you to consent to its accessing your location before it will provide you with driving directions. But it could not require you to allow it access to your contacts list, because that’s not needed to provide the mapping service that you have requested.
The companies, naturally, maintain that their privacy policies fully comply with the GDPR. It remains to be seen whether they are right. A 2017 interpretation from an EU privacy working group supports Schrems’ claim, but the GDPR itself is not as clear on this point as it could be. The real decisions will be made over the next several years – and while they’ll happen in European courts, they could profoundly affect U.S. users of websites and mobile apps too.