The First Tangible Effects of the GDPR

About those emails you are receiving...

Over the past two weeks, you’ve probably received numerous privacy policy updates from online companies. For example, last week LinkedIn sent its users an e-mail informing them of changes to its Terms of Service and Privacy Policy, explaining, “[w]e now meet the high standard for data privacy introduced by the new European data protection law known as the General Data Protection Regulation (GDPR), which goes into effect later in May.”

Tech companies are moving to comply with the new EU privacy law that comes into effect on May 25, and the updates you are receiving are evidence of that. Previously, we analyzed some key elements of the GDPR. Here, we focus on GDPR-induced changes in terms of service and privacy policies and their consequences for users on this side of the Atlantic.

New rights for Americans...but only if companies want them.

The GDPR requires virtually any company handling Europeans’ personal data, regardless of its location, to offer EU residents more control over the collection and use of their data. However, for a variety of reasons -- scale, cost, public relations, conviction -- some companies, such as LinkedIn, have decided to offer at least some of those rights to non-European consumers too.

In other words, while companies currently do not have any obligation to offer American consumers the rights required by the GDPR for European consumers, some companies are voluntarily choosing to do so in the process of complying with EU law.

These are some of the changes we could expect to see as a by-product of the GDPR in some companies’ terms of service or privacy policies applying to U.S. consumers:

  • Explicit and Granular Consent Requests: Companies will be more specific and clear at the time of requesting user permission to collect personal data, and provide greater detail about intended uses of user data.
  • A Right to Delete Data: Users can ask a company to erase some or all of the personal data the company holds.
  • A Right to Change or Correct Data: Users can expect to see new tools that allow them to modify some of their personal data, and the ability to request a company change, update, or amend the data in certain cases, particularly if it’s inaccurate.
  • A Right to Object or Limit a Use of Data: Some companies will offer users the option to stop certain data processing.
  • A Right to Data Portability: Some companies will likely offer users their personal data in machine-readable formats.

In all fairness, some of those rights were offered by some companies such as LinkedIn before the GDPR. But thanks to GDPR-induced changes that some companies have voluntarily chosen to offer beyond Europe, there will be more granularity and explicitness in those practices.

Changes in terms of service and privacy policies are consequential in terms of the guarantee of consumer rights. For example, Section 5 of the Federal Trade Commission Act provides that “unfair or deceptive acts or practices in or affecting commerce...are...declared unlawful.” As a result of the GDPR-compliant commitments companies are extending to the U.S. market, the FTC could hold companies accountable for these new promises made in their terms of service and privacy policies. If the FTC chooses to do so, as we will advocate, companies will have to live up to the promises they are making to consumers.

The GDPR is already changing the personal data landscape in the EU and the U.S.

The GDPR does not go into effect until May 25, 2018, but it is already having material effects on the practices and promises of tech companies in Europe and elsewhere. These changes will continue, and may be somewhat fluid for the foreseeable future.

It is still too early to know the extent of the changes the GDPR will trigger. In Europe, companies and regulators will assuredly test the limits of the GDPR, and probably require the courts to clarify interpretations of the law. This process will take years. Just last week, the European Council published a very long document correcting translation errors of the GDPR in 24 languages. Additionally, the e-Privacy Regulation, expected sometime in 2018 or 2019, might change the meaning of the GDPR for internet platforms.

In the U.S., a completely new slate of FTC commissioners was recently sworn in. The new FTC will need to show that it takes privacy protection and consumer rights enforcement seriously by enforcing the new commitments made by companies. Lastly, Congress should legislate to offer consumers comprehensive privacy protection so that user privacy in the U.S. isn’t merely a convenient GDPR by-product.
