Many companies have issued new privacy terms to consumers ahead of the new General Data Protection Regulation (GDPR) taking effect on 25 May. However, European data protection supervisor Giovanni Buttarelli said some of the policies he has seen present a "take-it-or-leave-it proposition" that may not comply with the new laws.
"Too often privacy policies have seemed to be designed to provide legal cover for the companies themselves in the case of harm to a customer: non-negotiable, incredibly long, complicated, full of legal jargon which nobody reads ...", said Buttarelli. "Furthermore, the policies have tended to give an illusion of user control – while in reality you cannot see or control what the company does with information about you."
"Companies whose business model depends on tracking are now asking their customers to say whether they agree to, for example, the use of sensitive data and data from outside sources. Just like with the notorious cookie pop-ups, people feel pushed towards clicking 'I accept' because the only apparent alternative on offer seems complicated, time-consuming and risks excluding them from digital society," he said.
"We and other DPAs (data protection authorities) are therefore worried that even the biggest companies may not yet understand that with the GDPR these manipulative approaches must change. They must change, for instance, to satisfy Article 7(4) of the GDPR, which states that consent cannot be freely given if the provision of a service is made conditional on processing personal data not necessary for the performance of a contract," he said.
Buttarelli said that privacy was a "fundamental right" that applies "to all" and not just "those who can afford to pay".
Buttarelli said his office is due to issue a new opinion on 'privacy by design', a central component of the GDPR, next week. The opinion will outline the opportunities for businesses to obtain a "competitive advantage" from engaging in "responsible data processing", he said.