Privacy policies of tech giants 'still not GDPR-compliant'

Consumer group says policies of Facebook, Amazon and Google are vague and unclear

Privacy policies from companies including Facebook, Google and Amazon don’t fully meet the requirements of GDPR, according to the pan-European consumer group BEUC.

An analysis of policies from 14 of the largest internet companies shows they use unclear language, claim “potentially problematic” rights, and provide insufficient information for users to judge what they are agreeing to.

“A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law,” said Monique Goyens, BEUC’s director general. “This is very concerning. It is key that enforcement authorities take a close look at this.”

The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, replaced the patchwork of national data protection laws across the EU with a unified system that greatly increased the fines regulators could issue, strengthened the requirements for consent to data processing, and created a new pan-European data regulator called the European Data Protection Board.

The regulation governs the processing and storage of EU citizens' data whether or not the company has operations in the EU. To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m, or 4% of annual global turnover. In the UK, the previous maximum fine was £500,000; the post-GDPR record currently stands at more than £180m, for a data breach reported by British Airways in 2018. 

Data breaches must be reported within 72 hours to a data regulator, and affected individuals must be notified unless the data stolen is unreadable. Fines can also be levied against companies that act on data without explicit and informed user consent, or who fail to ensure that consent can be withdrawn at any time.

GDPR also refined and enshrined in law the concept of the "right to be forgotten", renaming it as the "right to erasure", and gave EU citizens the right to data portability, allowing them to take data from one organisation and give it to another.

The group analysed the privacy policies on a sentence-by-sentence basis, flagging up lines that were vague or overreaching. When Google, for instance, tells users that “we collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like”, it is flagged as “unclear”, for not completely specifying what the information is used for.

Amazon warns users that “our business changes constantly and our Privacy Notice will change also”, a line that is noted as “problematic permissions”, because it could give the company the right to change privacy policies without securing further consent.

BEUC hopes to train an AI model, in conjunction with the European University Institute in Florence, to automatically scan privacy policies and detect clauses that may fail to meet GDPR requirements.

Their analysis follows the filing of legal complaints against Facebook and Google on the day that GDPR came into effect.

In the complaints, related to Facebook, Instagram, WhatsApp and Google’s Android operating system, European consumer rights organisation Noyb argued that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given.

Max Schrems, the chair of Noyb, said at the time: “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the agree button. That’s not a free choice, it more reminds of a North Korean election process.”

A cookie is a small text file a website can drop on to a visitor's computer when it wants to remember something about them. The contents of a shopping trolley, perhaps, or whether or not they are logged in to the site at all.

But cookies can also be used in less user-friendly ways. An advertising network can drop a cookie on a visitor's computer, and then read that same cookie at every new website the visitor arrives at that displays that network's adverts. This process lets the network track users around the web, building up a profile of their browsing habits to better target them for adverts.

In a statement, Amazon said: “Protecting the privacy of our customers is always a top priority and has been built into our services for years.

“We have introduced a new Privacy Help page that shows customers how they can easily manage and access their information across our retail, entertainment services, and devices, as well as centralised privacy settings for Alexa that give customers control over their data.”

Google told the Guardian: “We have updated our Privacy Policy in line with the requirements of the GDPR, providing more detail on our practices and describing the information that we collect and use, and the controls that users have, in clear and plain language.

“We’ve also added new graphics and video explanations, structured the Policy so that users can explore it more easily, and embedded controls to allow users to access relevant privacy settings directly.”

Facebook has been contacted for comment.

Contributor

Alex Hern
