The European Union General Data Protection Regulation (GDPR) went into effect today, and it brings significant changes to how companies that deal with EU citizens’ data can collect and process it.
GDPR Makes Explicit (Opt-In) Consent The Law
Most online services previously tended to enable all of their data gathering checkboxes by default, because that’s how they could get the most users to “agree” to that collection. By far the most significant change the GDPR brings is that this practice is no longer legal in the EU. Users will also get more control of their data, including being legally empowered to request that companies delete all the data they have on them.
There are still some grey areas in the law, such as companies being allowed to claim that they can collect some classes of data without consent if they have a “legitimate interest” to do so. The intention of the EU politicians wasn’t to allow companies to claim that any data whatsoever can be called a “legitimate interest.” However, some online services may still push the legal limits on this, and courts may have to step in to clarify the issue.
New Data Processing Agreements From Online Services
Over the past few weeks, you may have noticed that most of the companies you’ve subscribed to in the past have started sending you emails asking you to agree to their new data processing terms. This is happening because the consent under which companies previously gathered data on their users does not meet the GDPR’s standard, so they now need your explicit consent to keep using that data.
Although they had two years to prepare, most waited until the last minute to implement the changes, all while claiming that they’re making the changes because they care deeply about your privacy. Additionally, the emails usually come with a warning that if you don’t agree you may lose access to your account. That condition may not be legal in some cases, because consent given under such a threat shouldn’t qualify as freely given consent.
Other companies may have simply warned you that their terms have changed and that you don’t need to do anything beyond that. This is usually sent by companies that have already obtained your explicit opt-in permission to collect your data in the past.
GDPR Hall Of Shame
After getting tired of receiving so many GDPR emails all of a sudden, Owen Williams from the Netherlands built a website called the “GDPR Hall Of Shame,” where he calls out companies that implement GDPR poorly.
Among those “shamed” by Williams are Verizon-owned Oath websites (Yahoo, TechCrunch, Engadget, etc.), which seem to use an opt-out rather than opt-in method for sharing users’ data with hundreds of Verizon partners; Razer, which says that unless you agree to its new terms your mouse or phone will stop working; Zoom, which gives users only the options of receiving more marketing emails or fewer; and other companies.
Twitter also seems to be forcing users to agree to the new terms or have their accounts deactivated.
Google, Facebook, WhatsApp Accused Of Violating GDPR
The None Of Your Business (noyb) privacy rights group, founded by Max Schrems, also accused Google, Facebook, and Facebook subsidiaries WhatsApp and Instagram of violating the GDPR due to the companies “forcing” users to consent to their new terms.
Schrems is the same Austrian activist who fought against U.S. intelligence agencies’ mass surveillance operations targeting EU citizens, as well as against the American companies violating EU citizens’ rights with their data collection. His lawsuit eventually brought down the Safe Harbor agreement, and he’s currently in another lawsuit that may end up invalidating the new Privacy Shield and other loopholes American companies have found to avoid properly complying with EU data protection laws.
In a public statement, noyb said:
An end of “forced consent” does not mean that companies can no longer use customer data. The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent. With this complaint we want to ensure that GDPR is implemented in a sane way: Without just moving towards “fishing for consent”.
The “take it or leave it” approach embraced by some companies, both large and small, will likely not sit well with the EU’s executive body, the European Commission, which may soon start taking action against the companies it sees as most blatantly violating the GDPR. If found guilty, the companies could end up paying up to $20 million or 4% of their global annual turnover, whichever of the two is the greater sum of money.