The European Union’s General Data Protection Regulation (the “GDPR”) that came into effect on 25 May 2018, is touted as the most widespread and robust change to data privacy and protection law in the world. Many entities around the world have been engaged for many months trying to put in place processes and mechanisms to ensure their compliance with the GDPR. Now that the regulation is effective, it will be interesting to evaluate whether on the basis of purposive interpretation, the letter and spirit of the GDPR has in fact been followed by those under its jurisdiction. In the course of this article, we will take a look at some of the most common changes and announcements made by companies around the world in order to be compliant with the GDPR and compare these changes with the corresponding GDPR principles/requirements that they have been made in response to.
Obtaining Explicit Consent
One of the core requirements of the GDPR is to ensure that companies and entities take the explicit and active consent of all data subjects prior to collecting, storing and/or using any of their personally identifiable information (“PII”). This is in line with the GDPR’s underlying principle of ensuring that the data subjects always take priority and are the most important stakeholders. Additionally, prior to introduction of the GDPR, many experts in the field of data privacy and protection who reviewed the regulation contended that in order to take a data subject’s explicit consent, it seemed like the regulation specifically required some action or activity on the part of the data subject, such as clicking a button or an option. This is believed to be necessary to clearly and unambiguously show their agreement to a company’s usage of their PII. Consequently, if this requirement is indeed mandatory, the established practice of implying a data subjects acceptance of terms through their continued usage of a website/service, would not be sufficient any more.
On a plain reading of the regulation, it would seem like all of the above-mentioned information will need to be specifically be provided by the companies/entities to the data subjects. However, most companies/entities have only been making the above disclosures in vague language. For example, instead of specifying which/what kinds of third-parties the PII is or may be shared with, many companies have simply included a blanket statement stating that the PII will be shared with third-parties/service providers ‘as may be necessary to provide the services’. Such statements provide no information as to who the PII is being shared with, what functions the third-parties are performing on the PII etc., things that the GDPR seems to hold as critical. Further, companies have used such vague language in other disclosures as well. It is possible that this may defeat the very purpose of the disclosures, as the data subjects are not truly aware of how and where their PII is being used, preventing them from being able to take informed decisions regarding the same.
Providing Data Subjects with Options
The GDPR recognises that many companies need to use and rely on multiple third-party service providers in order to provide their own end-service to the customers. Further, in the course of using such third-party service providers, many companies start adding and offering fringe/additional features and services to their customers. However, a lot of these features are often not connected or related to the core service being provided by the company – for example, Facebook may provide its users with targeted advertising on its platform, which is not connected to the main function of social networking. Yet, as the number of features available grew, in an effort to generate greater revenues companies started to club and offer all features together to their customers. This effectively meant that customers had no options with respect to which features they felt were useful and which ones weren’t – they could either subscriber to and use all features or use none.
Many data privacy experts around the world found the above situation to be unfair, as it may force users to either have their PII used for additional unnecessary purposes, or to pay for additional features that are not required by them. The GDPR sought to address this problem by stipulating that companies should stop bundling products and features together, instead specifying which features and services are necessary or critical to the core service. Any add-on features or services should explicitly be communicated to the users, and the users should have the option of deciding whether they want to subscribe to these or not, and whether their PII should be used for the same or not.
Unfortunately, it seems like this is another requirement of the GDPR that has not been followed. Companies are either continuing to club features and services or are devising ways to skirt the stipulations by arguing that even certain add-on features are critical to the core service. One of the prime examples of this is Facebook, which continues to make the usage of PII for the purposes of displaying personalised advertisements, games, application suggestions etc., mandatory for all users. In effect, one cannot use Facebook’s social networking platform unless they agree to their PII being used for all of the above purposes as well. This matter has already been acted on by Max Schrems, a prominent Austrian data privacy campaigner. He has filed a case worth USD 3.9 billion before the European regulator, contending that Facebook continues to use coercive tactics to collect unnecessary PII regarding its users, which it then uses to conduct automated profiling (an activity which requires the specific, separate, explicit consent of data subjects under the GDPR).
In principle, it seems as though the GDPR contains some extremely strict and robust stipulations. Yet, as has been shown above, there are many interpretations of this regulation, and companies around the world are already starting to find ways to read and implement the law in different ways. While it remains to be seen if these practices are in fact in contravention of the GDPR or not, if these practices continue the GDPR could be rendered no more effective than existing data protection laws, potentially failing to protect data subjects in the way that was initially expected. Thus, the way the above cases are handled, specifically the lawsuit filed against Facebook, could set the tone for how seriously companies take the need to adhere to the GDPR’s requirements. In our opinion, it will be more beneficial for the European regulator to take a strict view of the stipulations under the GDPR and set a precedent that pushes other companies to ramp up their compliance activities as well.