“In order to serve you better”: promises and pitfalls of the GDPR


How the European Union reshaped digital privacy law — and clogged your inbox

During the last few days of May, I, like many of us, received waves of emails and notifications informing me that the privacy policies of my favourite applications and websites were updating.

Steam told me it had added a new privacy policy with “explanations” of the types of data they collect. PayPal informed me it was “updating and streamlining” its privacy policy. I received an email from MeUndies with the subject line “Updates to our Privacy Policy,” but the body of the email was an ad for its new line of sweatpants.

I clicked through them, agreeing to the changes with little more than a glance and a swipe.

This annoying mass of emails was the direct result of a new European Union (EU) law called the General Data Protection Regulation (GDPR), which began to be enforced on May 25. While the GDPR marks a stark shift towards stricter regulation within the tech industry, many believe it’s too late. Perhaps many more are simply indifferent.

In the spirit of online privacy, I decided to dig into the GDPR to understand how, if at all, it could affect us. And will it matter?

A ‘techlash’ in full swing

The GDPR comes at a time when technology companies are under sharp criticism. Such criticism is unprecedented for tech behemoths previously regarded as an all-powerful force.

In 2017, the consumer credit reporting agency Equifax announced a security breach that impacted 145.5 million people in the US. Hackers gained access to Equifax customers’ sensitive information, including their medical histories, social security numbers, bank account information, and license numbers.

The Cambridge Analytica scandal, reported by The New York Times in March, showed how the data firm harvested information from 87 million Facebook profiles to build voter profiles for the 2016 Trump presidential campaign. The leak resulted in significant outrage, which culminated in Facebook CEO Mark Zuckerberg testifying before Congress.

Meanwhile, the hashtag #DeleteFacebook trended on Twitter. Despite this, Facebook has seen little drop in its user base or profits, and its stock saw a 4.5 per cent increase over the duration of Zuckerberg’s testimony.

A few months ago, at its annual Google I/O event, Google announced the creation of an artificial intelligence product called Google Duplex. The technology allows computers to make lifelike phone calls, fooling humans into believing they’re speaking with a person. While those in the Google audience cheered, the backlash was already forming on Twitter: had Google gone too far?

For the first time, widespread skepticism has plagued the tech industry. An unprecedented pattern has emerged: tech giants are repeatedly apologizing, accepting blame for their mistakes, and admitting they have overstepped, whether or not it was intentional.

The criticism is underlined by the realization that technology is progressing at a rapid pace — whether we like it or not. From smart homes and the internet of things, to artificial intelligence and social media moguls, tech companies have become larger than ever. As companies like Google, Facebook and Amazon increase in size and capability, it’s important that privacy legislation evolves alongside them.

Legal ramifications

It is within this privacy-sensitive environment that the GDPR comes into play. Some say the GDPR is the strongest protector of user rights the world has seen, while others wave it off as nothing more than a public relations stunt. PayPal co-founder and Silicon Valley star Peter Thiel said that Europe created the law out of “jealousy” of the success of US tech companies.

Nevertheless, after four years of consultation with relevant stakeholders, the GDPR was adopted by the EU Parliament in 2016. The complete law is 11 chapters long, with 99 sub-articles.

The foundation of the GDPR has three parts. First, companies need the consent of users to collect their data. Second, users must only share data that is necessary to make a service work; for example, while Uber needs the location of your phone to function properly, the service would not need your relationship status from Facebook or your employment history on LinkedIn. Third, users must have the ability to revoke their consent at any point in time and pull their data completely.

The legislation also states that companies must notify users within 72 hours if there is a security breach.

Today, companies must comply with the legislation. If they fail to do so, they could be fined up to four per cent of their annual global revenue — for Facebook, that amounts to about $1.6 billion.

Understanding the potentially significant adjustments they would have to make, the EU gave companies two years to adjust their platforms for compliance. Within these two years, many companies hired firms that specialized in the GDPR to ensure they were correctly following the dense and arguably complex law.

UnitedLex is one of these firms. In an interview with The Verge, the chief privacy officer of UnitedLex, Jason Straight, said: “There are some companies we’ve talked to, where they say, ‘Are you kidding? If we told them how we were using their data, they’d never give it to us in the first place.’”

Straight would respond: “Yeah, that’s sort of the point.”

For many companies, the law is extremely significant because it may force a shift in their business models. There is a common tradeoff between many social media companies and users: the product or service remains free, while the companies sell our data to advertisers. Our data allows companies to target us with advertisements based on our education, interests, circle of friends, and more. In this model, the user is the product being sold.

Felan Parker, an Assistant Professor of Book and Media Studies at U of T specializing in digital media, film, and games, wrote in an email to The Varsity that this idea is called “audience commodity.”

“As many other critics and scholars have pointed out, high-profile data ‘breaches’ like Cambridge Analytica are not really aberrations or exceptions, but business as usual,” wrote Parker.

Under the GDPR, the business model based on “audience commodity” might have to be adjusted by social media companies if users are unwilling to give up their information.

Does the law even matter?

Given the borderless nature of the internet, it is not entirely clear how the law will affect those of us outside of the EU. Many companies are making service changes even if they are not based in the EU; others are choosing to suspend certain services to their European customers.

Many of these changes stem from the fact that international companies truly do not know how the law may affect them. Eliminating large portions of usership or radically shifting a service to comply with the law are large changes for businesses, and they represent the potential for a new era of cross-border legal regulations.

If the law does impact us in Canada, will it be significant? Many companies are already skirting the rules.

For example, while most companies that emailed us were notifying us of changes to their privacy policies, some were using emails as our implied consent. The New York Times reported that the question-and-answer website Quora used an email notifying users of privacy updates as a form of consent. “Your continued use of the service will be considered acceptance of our updated terms,” read Quora’s email.

Other companies are taking advantage of ‘pop-up fatigue,’ knowing the majority of people will click through the updates without careful consideration.

On the day the GDPR came into effect, Facebook and Google were sued by Max Schrems, a privacy activist, who claimed the two companies were coercing people into giving up their information. Additionally, on July 2, the European Consumer Organization, a pan-European consumer group, released a report outlining how the updated privacy policies from companies like Facebook and Google are not meeting the requirements of the GDPR in full. Clearly, the law is not yet fully effective in practice.

When asked if it is a company’s responsibility to protect users’ privacy or if it is the responsibility of users themselves, Parker responded that it is “complicated.”

“Outside of regulation, which they staunchly oppose, the major platforms have not had all that much incentive to change the way they do things or be more transparent,” he explained. “Facebook hasn’t seen a significant drop in its userbase or profits. They are monopolies and are practically too big to fail.”

In an email to The Varsity, Leslie Shade, a Professor at U of T’s Faculty of Information, wrote that, under the GDPR, it is the company’s responsibility to provide “clear, transparent privacy policies.” Shade noted that there are a “range of literacies” involved when making an accessible policy, from describing legal jargon to aesthetics and design.

“Issues of digital inclusion play in here as well,” wrote Shade, referring to the accessibility concerns companies face when creating new privacy policies that adhere to the GDPR.

Protecting your privacy

Fundamentally, the GDPR represents a stark shift in societal attitudes towards our digital privacy. For that reason alone, the law is significant.

“Privacy is an essential aspect of human dignity and autonomy,” wrote Shade. “It’s part of our freedoms, it’s intrinsic to citizenship. It’s a social value. It’s something we want to control.”

In light of the law, many companies are adding new tools to allow users to see information about their data. Many of these tools are largely unknown, yet they offer a new degree of awareness of the information companies have about you, knowledge that was previously clouded in secrecy.

Microsoft has released “Privacy Dashboard,” Twitter has added “Your Privacy Data” and the option to opt out of interest-based ads, and Facebook introduced “Privacy Checkup” and “Ads” to see which advertisers have access to your data.

Additionally, there are plenty of resources available outlining ways to secure your digital information. The Citizen Lab, a research lab at U of T specializing in cyberspace and security, has released a tool called Security Planner, which offers plenty of solutions to help ensure you’re protecting yourself online. The recommendations range from using two-factor authentication to obtaining a privacy screen when you’re using your laptop in public.

As well, The Varsity’s own student’s guide to protecting your information online lists services that balance privacy with convenience.

Given that the GDPR is still in its early stages, it is still unclear what impact it will have in the long term. “Facebook and the other major platforms will comply with the GDPR laws, and [they] have made some steps towards greater transparency and privacy controls for users worldwide, but it remains to be seen how much this will change their underlying business practices,” wrote Parker.

Moving forward, users should take advantage of privacy tools, despite the difficulties associated with keeping track of which companies have what information about you. The tech landscape is undoubtedly growing and privacy legislation should follow suit. The GDPR is a step in that direction, so go forth and read those pesky emails.