The European data protection supervisor has hit out at social media and tech firms over the recent constant stream of privacy policy emails in the run up to GDPR, calling them them the “sweatshops of the connected world”.
With the tough new General Data Protection Regulations coming into force on 25 May, companies around the world are being forced to notify their users to accept new privacy policies and data processing terms to continue to use the services.
But Giovanni Buttarelli, the European data protection supervisor (EDPS), lambasted the often-hostile approach of the recent deluge of notifications.
“If this encounter seems a take-it-or-leave it proposition – with perhaps a hint of menace – then it is a travesty of at least the spirit of the new regulation, which aims to restore a sense of trust and control over what happens to our online lives,” said Buttarelli. “Consent cannot be freely given if the provision of a service is made conditional on processing personal data not necessary for the performance of a contract.”
“The most recent [Facebook] scandal has served to expose a broken and unbalanced ecosystem reliant on unscrupulous personal data collection and micro-targeting for whatever purposes promise to generate clicks and revenues.
“The digital information ecosystem farms people for their attention, ideas and data in exchange for so called ‘free’ services. Unlike their analogue equivalents, these sweatshops of the connected world extract more than one’s labour, and while clocking into the online factory is effortless it is often impossible to clock off.”
Q&AWhat is GDPR?
Show
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, replaced the patchwork of national data protection laws across the EU with a unified system that greatly increased the fines regulators could issue, strengthened the requirements for consent to data processing, and created a new pan-European data regulator called the European Data Protection Board.
The regulation governs the processing and storage of EU citizens' data whether or not the company has operations in the EU. To ensure companies comply, GDPR also gives data regulators the power to fine up to €20m, or 4% of annual global turnover. In the UK, the previous maximum fine was £500,000; the post-GDPR record currently stands at more than £180m, for a data breach reported by British Airways in 2018.
Data breaches must be reported within 72 hours to a data regulator, and affected individuals must be notified unless the data stolen is unreadable. Fines can also be levied against companies that act on data without explicit and informed user consent, or who fail to ensure that consent can be withdrawn at any time.
GDPR also refined and enshrined in law the concept of the "right to be forgotten", renaming it as the "right to erasure", and gave EU citizens the right to data portability, allowing them to take data from one organisation and give it to another.
While data protection and privacy has become a hot-button issue in part thanks to the Cambridge Analytica files, Buttarelli is concerned that it is simply being used as part of the “PR toolkit” of firms. He said that there is “a growing gulf between hyperbole and reality, where controllers learn to talk a good game while continuing with the same old harmful habits”.
A new social media subgroup of data protection regulators will be convened in mid-May to tackle what Buttarelli called the “manipulative approaches” that must change with GDPR.
“Brilliant lawyers will always be able to fashion ingenious arguments to justify almost any practice. But with personal data processing we need to move to a different model,” said Buttarelli. “The old approach is broken and unsustainable – that will be, in my view, the abiding lesson of the Facebook/ Cambridge Analytica case.”