Facebook and others feign compliance with GDPR

Remember the European Union’s General Data Protection Regulation (GDPR) that came into effect in May?

Facebook and other big tech firms claimed to have made changes to their privacy policies and the way they work, in order to comply. However, a new study by the BEUC, a pan-European consumer group says otherwise.

Using an artificial intelligence (AI) engine it calls Claudette, the group analyzed the policies of 14 of the largest internet companies, namely, Facebook (and Instagram), Google, Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking.com, Skyscanner, Netflix, Steam and Epic Games.

In total, all the policies amounted to 3,659 sentences (80,398 words). Of these, 401 sentences (11 percent) were marked as containing unclear language, and 1,240 (33.9 percent) contained “potentially problematic” clauses or clauses providing “insufficient” information.

Here’s an example of the results that Claudette came up with after its analysis:

Facebook Privacy Policy (last updated on 19 April 2018) 

“We store data until it is no longer necessary to provide our services and Facebook Products, or until your account is deleted – whichever comes first. This is a case-by-case determination that depends on things like the nature of the data, why it is collected and processed, and relevant legal or operational retention needs.”

Rationale

The above clause fails to be fully informative since it does not allow the data subject to assess, at least on the basis of his or her situation, what the retention period will be for specific data/purposes, only mentioning as a general criterion to determine this period the necessity of data for providing services and products.

Claudette uncovered many problem areas, which researchers have grouped together to help summarize the findings. These are the top issues the ‘updated’ privacy policies suffer from:

• Not providing all the information which is required under the GDPR’s transparency obligations. For example companies do not always inform users properly regarding the third parties with whom they share or get data from.
• Processing of personal data not happening according to GDPR requirements. For instance, a clause stating that the user agrees to the company’s privacy policy by simply using its website.
• Policies are formulated using vague and unclear language, which makes it very hard for consumers to understand the actual content of the policy and how their data is used in practice.

“A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law. This is very concerning. It is key that enforcement authorities take a close look at this,” BEUC’s Director General Monique Goyens.

The researchers have developed this innovative technology (AI) to support consumer groups and public authorities to ensure better enforcement of and compliance with important consumer rights.

This can also be very helpful for consumers themselves. Privacy policies are typically voluminous and complex.

In a world where consumers are increasingly surrounded by connected products and use digital services for everything they do, assessing such policies is essential to protect people’s privacy and autonomy.

In conclusion, the BEUC said that much improvement needs to be made. Companies should take GDPR’s requirements seriously, especially given the possibility of fines.

Businesses need to start taking a more user-centric approach towards the regulation’s provisions instead of treating them simply as a box to be checked.

Moreover, if this study is treated as an inspiration to others, civil society might be soon be equipped with AI tools for the automated analysis of privacy policies.

When this is the case, they will leave no stone untouched, no policy unread, no infringement unnoticed. So, Facebook, the other 13 tech giants, and every other business that collects data from the EU must pay attention.