GDPR has arrived: Issues Faced by Internet Giants

June 25, 2018
General Personal Data Protection Regulation (GDPR)

Data protection and right to privacy are in the midst of the media firestorm since the Cambridge Analytica scandal. The saga is significant for unraveling ways in which data can be mined and used for purposes other than the one originally consented for by the user. Alongside tackling the issue of potential third party abuse of the users’ personal data, internet giants like Facebook and Google are now facing the challenge of complying with EU’s new and stricter privacy policy, the General Data Protection Regulation (GDPR), which came into force on May 25, 2018. As remarked by Jeffrey Chester, the founder of the Center for Digital Democracy, “It’s changing the balance of power from the giant digital marketing companies to focus on the needs of individuals and democratic society.”[1] On one hand, the policy is gaining popularity as an incredible breakthrough in the realm of right to privacy, on the other hand the companies are finding it difficult to develop a fitting model that fully complies with the policy majorly due to the uncertain nature of possible claims under the terms of the policy.

Under GDPR, the definition of personal data has been constructed broadly to include “any information related to a person that can be used to identify them, including their name, photo, email address, IP address, bank details, posts on a social networking site, medical information, biometric data and sexual orientation.” Further, all companies that process the personal data of people residing in EU would have to comply with the regulation even if they do not fall within the territorial limits of an EU state. Due to this, all the companies, irrespective of their field of operation, are facing difficulties in having full compliance with the regulation. The huge costs involved in initiating an extensive mapping exercise to understand the data flow and type of data, which is important to ascertain one’s role as a “data processor” or “controller” under GDPR definitions, are discouraging the companies from continuing their services in the EU region. A website called GDPR associates, in their article “Understanding GDPR Fines”, highlighted the fact that complying with GDPR may be a little onerous for companies that don’t have the engineering resources of Facebook or Google and estimated the expected expenditure to be between $1m and $10m.[2] Even more, GDPR relies on two different tiers of fine, the lower tier comes in at up to €10 million or 2% of the company’s annual global turnover, while the higher tier comes in at up to €20 million or 4% of the annual global turnover[3]. The steep penalties including massive fines have convinced firms to choose the safer road and not take risks. Some examples are online businesses such as Unroll.me and gaming company Ragnarok Online that have blocked EU users from their sites and the U.S. retailer Pottery Barn that has also stopped shipping to EU addresses.[4]

Furthermore, for the internet giants the “consent” provision is undoubtedly the trickiest parts of the General Data Processing Regulation (GDPR). Under GDPR, to use any data for business, the user is required to give an affirmative consent to the privacy policies written in a clear and straightforward language. After such consent is rendered, the businesses will be allowed to collect and process data only for the well-defined purpose agreed to by the user. Further, the EU citizens are also granted the right to obtain the data that a company has collected about them i.e., they have the right to be forgotten” and get their data deleted if they withdraw their consent for it to be held by a company. In an effort to comply with the policy, companies worldwide have been sending their customers notices about their updated privacy policies and have been asking them for their consent.

The most important and contentious element of the consent factor, however, is that the consent must be freely rendered by the user.[5] The provision states that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” On the basis of this requirement, just within a week of the policies coming into force, a group that campaigns for data protection rights in Europe filed legal complaints against Google, Facebook, Instagram and WhatsApp over their infringement of data protection rights. The main contention was that the companies are forcing the users to consent to their new terms of service in order to continue using their services. Facebook, for instance, lets the users decline enrolling in certain features like face recognition, but on the other hand forces them to accept the overall terms of service in order to continue using their accounts. They also cited instances where Facebook would tempt consumers to accept its terms and conditions by planting misleading notification messages, like the little red bubbles in the icons at the top of the Facebook home screen that pop up when someone has a direct message, to lure users into accepting the policy to get the access—even if the user did not have such notifications or messages in reality. This has been marked as violation of the Article 5(1)(a) of the GDPR by the advocacy group as it neither amounts to ‘fair,’ nor ‘transparent’ practice of obtaining consent. Similarly, Google also sending obligatory notices on Android phones without agreeing to which the android users are not able to use their devices. [6]

For these internet giants, the expected argument in opposition to the allegations would mostly be that GDPR does allow companies to collect and use data if it is essential to the operation of their businesses. However, what actually has to be assessed is whether the data sought to be collected and processed by a company essential for the working for the company and its delivery of services. If not, consent is essential to utilize the collected data for any other purpose under the GDPR norms. Such a provision would bring under scrutiny the profitable practice of targeted advertising carried out by the internet-based companies. The determination of the case would depend upon the characterization of the policy as essential and non-essential by the respective businesses.

___________________________________
[1] Available at : https:/www.gdpr.associates/what-is-gdpr/understanding-gdpr-fines./
[2] Available at: https://www.gdpr.associates/what-is-gdpr/understanding-gdpr-fines/.
[3] Available at: https://www.inc.com/james-paine/five-things-you-should-know-about-gdpr.html
[4] Available at https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect
[5] Article 7(4), GDPR.
[6] Available at: http://www.adageindia.in/digital/facebook-and-google-get-their-first-gdpr-complaint-and-its-over-forced-consent/articleshow/64324978.cms

For more information please contact us at : info@ssrana.com