GDPR has been in place two weeks now, much to the relief of the many individuals who were swarmed with emails requiring fresh consent to the receipt of newsletters and other marketing messages. Leading up to the 25th May, customers have also been notified of the changes to the privacy policies most tech companies inevitably had to make. Assembly has studied how they compare, with particular regard to the validity of GDPR’s safeguards outside the EU, and to the legal bases adopted for treatment of personal data. The result is a mixed picture, where only some services have given their customers the same level of protection across the world, and consent is far from being the main basis for data processing.
So far only a few services have extended GDPR’s standards to the rest of the world
One of the most talked-about aspects of the introduction of GDPR has been the way in which companies would apply the new rights and requirements to their entire customer base. Partly for marketing reasons (telling your customers you give them the highest privacy standards sounds good) and partly for consistency reasons (using the same processes and safeguards could optimise costs), several tech companies either explicitly stated, or were expected, to apply GDPR standards without distinction.
However, as shown in Assembly’s Privacy and Data Protection Tracker, only a few of the main tech companies have done so. In particular, this has been the case for Spotify and Sonos; other services have partially aligned their EU and non-EU privacy policies (e.g. Google, Twitter, Snapchat, LinkedIn). Things are less clear for Facebook: the policy does not make any explicit distinction, and recent statements by the company gave reassurance that privacy standards would be the same “at least in principle”. However, the company also decided to move the data of 1.5bn users out of Ireland, thereby taking it away from the control of Irish and EU authorities.
Consent is not the main legal basis for the processing of personal data
The GDPR has strengthened users’ rights to give meaningful and informed consent to the collection and treatment of personal data. At the same time, much like its predecessor, the Data Protection Directive of 1995, it allows data processing to occur under several legal bases other than consent. It is therefore unsurprising to see that, among the services observed, the vast majority rely on the performance of a contract, and on legitimate interests, as the main legal bases to obtain and process users’ personal data. Consent is generally limited to specific aspects of data collection, often for the performance of side services and features.
Reliance on contract performance and legitimate interest is largely inherent to these companies’ business models. Most of them provide services for free, i.e. without charging fees to the user; in return, they find it legitimate to obtain user data to target advertising and marketing messages. However, it is likely that some of these privacy policies will come under EU regulators’ scrutiny in the coming months, especially if they amount to a take-it-or-leave-it policy, whereby the customer has no choice but to agree to it if they want to use the service.
Obtaining a copy of one’s own data is still not always a straightforward exercise
The right to data portability is one of the novelties introduced by GDPR. It means that users are entitled to request copies of the data a company holds about them, so that they can use such data on other platforms should they wish to do so. GDPR requires companies to make such data available, which also fulfils a user’s right to access their own personal data.
Most services have automated this process by enabling the generation and download of a single file containing a user’s information. In particular, all the most popular communications and social media platforms have enabled the download with the click of a single button. It is noteworthy that Facebook recently updated this feature, which has been available for some time now, and it now allows users to choose specific types of data to include in the generated file, and one of two possible formats.
However, some companies still require the customer to make direct contact with them. For example, Amazon requires an email to its customer service; Uber’s customers need to send one to the company’s DPO (data protection officer). The coming months will show whether customers and regulators will be happy with this, since users of services like Uber and Amazon might want a more immediate way to understand how much data these companies hold about them, and to decide whether such information should be ported to a competing platform.