Over the last week or so, your inbox must have gotten inundated with emails from all the different companies telling you about updates to privacy. Some we got recently include Google Analytics, Microsoft, Twitter, and Airbnb. It’s as if Internet services around the world suddenly got very concerned with your privacy after the Facebook-Cambridge Analytica debacle, right? Although the timing makes it look like that, the real reason why all of these companies are suddenly waking up to privacy is something called GDPR — the General Data Protection Regulation — a new European Union standard for data rights for all of its citizens, and something that actually affects us all.
The GDPR was already going to happen, and had been debated and discussed for a long time, giving companies a long window to start implementing compliance. However, like students preparing for exams, companies also like to leave things for the last minute, which is why we’re suddenly seeing a bunch of them take action all together now, with GDPR coming into effect only one month away. Others, such as Facebook, are also making some changes to minimise the impact of GDPR, migrating the vast majority of users out of the EU jurisdiction.
The GDPR legislation was passed in 2016, and is meant to add more restrictions to how data is collected from users. It provides European users with more control over how their data is collected, requiring them to actively opt in, in language that is easy to understand, and inform people that they can withdraw their consent at any time. Users should be able to request information about how a company might collect their data, what it collects, and why.
This matters not just to users in the EU but many around the world, as a number of Internet companies sign up users under the jurisdiction of places like Ireland for a number of reasons. That’s something which is likely to change a little now, and Facebook has already taken the lead on that. But what’s actually happening now?
Looking at the mails we’re all getting from the companies now, you wouldn’t think that the privacy changes that they’re making are nothing but proactive changes based on user needs. For example, the mail from Twitter — which is fairly typical of the genre — makes one passing mention to «new data protection laws», but in a sentence about Twitter’s «ongoing commitment to transparency.» And it starts by saying, «We believe you should always know what data we collect from you and how we use it, and that you should have meaningful control over both.»
Google Analytics’ mail is more upfront, with the GDPR in the subject and the first line, but then, that’s a tool meant for businesses more than the end-user. Then there’s Microsoft. One of the ideas behind the GDPR is to make terms of service easier to understand, but you wouldn’t realise that from Microsoft’s email, which continues to be hard to read, and buries the details behind multiple layers of links. Worse, after you’ve clicked a link to get to the Services Agreement, and then clicked a second link to get to the Privacy Statement, you’ll see the Personal data section which has a tiny mention of collecting data from third parties.
You have to dig deeper and click yet again — in a layout that makes it non-obvious — what that last sentence means. If you’ve granted permission to a Microsoft product to access a social network (if you’ve linked your Facebook or Twitter on an Xbox console), Microsoft has access to that data. It also buys data from data brokers, uses your IP address to track your location data, gets data from partners, and scans government databases to get more information about you and build a more detailed profile. And that’s just the first paragraph.
In India, there’s a further wrinkle that could change things even more — we’re close to getting our own rules on privacy soon, although there’s not been much public debate on this topic, so it’s hard to say what to expect at this point. An expert committee on data protection was set up last year, and the results of that should take shape in the coming months. Companies that have users in India will likely be affected by this as well, although of course, the scale of the impact might not be as global as the changes being brought about by GDPR.