Anyone looking at their inbox in the last few months might think that the Internet companies have collectively returned from a term-of-service writers' retreat. Company after company seem to have simultaneously decided that your privacy is tremendously important to them, and collectively beg you take a look at their updated terms of service and privacy policies.
You might assume that this privacy rush is connected to the ongoing Cambridge Analytica scandal, and Mark Zuckerberg's recent face-off with Congress. It's certainly true that Facebook itself has been taking some voluntary steps to revamp its systems in direct response to pressure from politicians in the U.S. and abroad. But most of the companies that are sending you email right now are doing so because of their own, independent privacy spring-cleaning. And that's almost entirely due to Europe's General Data Protection Regulation (GDPR), which comes into force on May 25th. Most companies that have users in Europe are scrambling to update their privacy policies and terms of service to avoid breaking this new EU law.
The GDPR strongly encourages clarity in "information addressed to the public" about privacy—making now an excellent time for companies to provide clearer and more detailed descriptions of what data they collect, and what use they put it to.
Then again, those updates might be a little overdue. Companies were always supposed to do this under European law—and, for that matter, Californian law too, which since 2003 has required any service that collects your private information to spell out in detail out their data use. But the additional penalties of the GDPR (with fines of up to 20 million euro, or 4% of global revenue) and increasing confidence of European data protection regulators have poked many international companies to finally pay closer attention to their legal obligations.
The EU regulators are certainly paying attention to these email updates. A strongly-worded blog post this week by EU's head enforcer, European Data Protection Supervisor (EDPS) Giovanni Buttarelli, warned the public and his fellow regulators to be "vigilant about attempts to game the system", adding that some of these new terms of service emails could be "travest[ies] of the spirit of the new regulation".
What To Look For
So what might you look for in these changes? What are the potential good points, and where might Buttarelli's travesties be hiding?
First, it depends on where you're living. Companies aren't under a legal obligation to implement the GDPR's provisions for all their users. You may even be able to see those new geographical distinctions in their changed terms. People in Europe (not just EU citizens) must be protected under the new law, but it's an open question whether Americans or those outside both regions will get the same treatment. You should be able to tell the details of those differences from the new policies. (Or not: Facebook, for instance, is only showing its new, detailed legal justifications for its data collection to users in Europe, and hiding that page from other users.)
Some of the changes may just involve refinements in terminology. What companies have to do to comply with the GDPR, for instance, greatly depends on whether they're "data controllers" or "data processors" – roughly speaking, whether they have the responsibility to manage your data, or whether they're just handling it on behalf of another party.
You may well see some frantic games of pass-the-parcel in the next few weeks as different services attempt to minimize or share their compliance burden. You can spot that in how they describe who is the "data controller" in their terms. For instance, Etsy, whose users are both buyers and sellers, has changed its language to emphasize that sellers are independent data controllers of your data. Google, meanwhile, has provoked a furious response from Europe's media publishers, after it declared itself the controller for the data from the ads and trackers that publishers put on their own websites, but expected that the publishers were the ones responsible for obtaining consent to share this data.
Some of the other changes have a more immediate, positive result, though. The GDPR is an embodiment of the data protection rights spelled out in the EU's Charter of Fundamental Human Rights, which states:
Everyone has the right to the protection of personal data concerning him or her... Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
When it comes to changes in these terms, most of the work will be spelling out those "specified purposes" in more detail, as well as explaining why the company thinks they can legitimately process it under the GDPR.
But there may also be changes in your ability to look at the data itself, and change it. For instance, Twitter users can now peer at the full pile of data that that company has picked up on them from their tweets and cross-referenced advertisers databases. You can also delete data that you don't want Twitter to keep using.
That right of access also means that you can take your information with you. Under the GDPR, companies have to provide "data portability"—which means that they should provide you with your data in a way that lets you easily move it to a competing service – at least if you are in Europe.
Again, some companies have already offered this ability. Google has offered "Google Takeout", Facebook its archive download feature, and Twitter its tweet archive. But their implementations have often been patchy and incomplete.
Now more companies will provide these data dumps. The pre-existing services have already markedly improved. For users in the EU, they should also offer a way to truly and permanently delete your account and all its data.
Still, these are the kind of user-empowering features that some companies would rather you didn't know too much about, so don't be surprised if the only news you hear about them comes from poring over these changes to long documents.
As Buttarelli says, such "legal cover" might well be against the spirit of the GDPR, but it's going to take a while for companies, regulators, and privacy groups to establish what the law's sometimes ambiguous statements really mean. One particularly knotty problem is whether the language that many of these emails use ("by using our service, you agree to these terms") will be acceptable under the GDPR. The regulation is explicit that in many areas, you need to give informed, unambiguous consent by "a statement or clear affirmative action." Even more significantly, if the data being collected by a company isn't necessary for the service it is offering, under the GDPR the company should give covered users the option to decline that data collection, but still allow them to use the service.
That's what the EDPS is complaining about when he says that some of these terms of service updates could be "travesties". If they are, you might find some more emails updates in your inbox. And so could the companies sending them—from the EU's data protection regulators.