The European Union’s General Data Protection Regulation (the “GDPR”) that came into effect on 25 May 2018, is touted as the most widespread and robust change to data privacy and protection law in the world. Many entities around the world have been engaged for many months trying to put in place processes and mechanisms to ensure their compliance with the GDPR. Now that the regulation is effective, it will be interesting to evaluate whether on the basis of purposive interpretation, the letter and spirit of the GDPR has in fact been followed by those under its jurisdiction. In the course of this article, we will take a look at some of the most common changes and announcements made by companies around the world in order to be compliant with the GDPR and compare these changes with the corresponding GDPR principles/requirements that they have been made in response to.
Obtaining Explicit Consent
Providing Data Subjects with Options
The GDPR recognises that many companies need to use and rely on multiple third-party service providers in order to provide their own end-service to the customers. Further, in the course of using such third-party service providers, many companies start adding and offering fringe/additional features and services to their customers. However, a lot of these features are often not connected or related to the core service being provided by the company – for example, Facebook may provide its users with targeted advertising on its platform, which is not connected to the main function of social networking. Yet, as the number of features available grew, in an effort to generate greater revenues companies started to club and offer all features together to their customers. This effectively meant that customers had no options with respect to which features they felt were useful and which ones weren’t – they could either subscriber to and use all features or use none. Many data privacy experts around the world found the above situation to be unfair, as it may force users to either have their PII used for additional unnecessary purposes, or to pay for additional features that are not required by them. The GDPR sought to address this problem by stipulating that companies should stop bundling products and features together, instead specifying which features and services are necessary or critical to the core service. Any add-on features or services should explicitly be communicated to the users, and the users should have the option of deciding whether they want to subscribe to these or not, and whether their PII should be used for the same or not. Unfortunately, it seems like this is another requirement of the GDPR that has not been followed. Companies are either continuing to club features and services or are devising ways to skirt the stipulations by arguing that even certain add-on features are critical to the core service. One of the prime examples of this is Facebook, which continues to make the usage of PII for the purposes of displaying personalised advertisements, games, application suggestions etc., mandatory for all users. In effect, one cannot use Facebook’s social networking platform unless they agree to their PII being used for all of the above purposes as well. This matter has already been acted on by Max Schrems, a prominent Austrian data privacy campaigner. He has filed a case worth USD 3.9 billion before the European regulator, contending that Facebook continues to use coercive tactics to collect unnecessary PII regarding its users, which it then uses to conduct automated profiling (an activity which requires the specific, separate, explicit consent of data subjects under the GDPR).
In principle, it seems as though the GDPR contains some extremely strict and robust stipulations. Yet, as has been shown above, there are many interpretations of this regulation, and companies around the world are already starting to find ways to read and implement the law in different ways. While it remains to be seen if these practices are in fact in contravention of the GDPR or not, if these practices continue the GDPR could be rendered no more effective than existing data protection laws, potentially failing to protect data subjects in the way that was initially expected. Thus, the way the above cases are handled, specifically the lawsuit filed against Facebook, could set the tone for how seriously companies take the need to adhere to the GDPR’s requirements. In our opinion, it will be more beneficial for the European regulator to take a strict view of the stipulations under the GDPR and set a precedent that pushes other companies to ramp up their compliance activities as well.