What's with all those data privacy emails? The GDPR explained

The GDPR kicked in last week in the European Union. The new laws aim to protect the data privacy of people living within the EU, but they have also made the big tech players change their policies internationally. Photo / Getty Images

They’ve come thick and fast in the last couple of weeks, a wave of emails so numerous you’d be forgiven for wanting to flag them as spam.

But they aren’t spam and even if you don’t read them, they bring good news.

Most of them outline changes to company privacy policies that give you more insight into and control over the data you generate as your digital life takes you all over the web.

The trigger for the deluge of privacy updates was the introduction last Friday in the European Union of the General Data Protection Regulation (GDPR), new laws that better protect the data privacy of people living in the European Union.

The right to know

These new data subject rights include provisions like the right to know exactly what data a company has collected on you, the right to download your data from a service provider in a format that can be uploaded to an alternative provider, and the ability to request deletion of your data if you no longer consent to it being held.

Any company that discovers a personal data breach in its systems must report it to the relevant data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to put anyone at risk, and must tell the affected people without undue delay where the breach is likely to put them at high risk. So trying to hide an embarrassing hack that exposes your personal details, or revealing its impact months or years later, will now carry serious financial repercussions for companies - in the EU at least.

The laws are being taken very seriously because they are backed up with hefty fines for non-compliance - up to 20 million euros or four per cent of a company’s global annual turnover, whichever is higher. At that scale, they are aiming squarely at the companies handling vast amounts of data - Facebook, Google and Microsoft among them.

I’ve had privacy policy update emails from all three referencing the GDPR, even though I’m not an EU citizen. That’s because rather than trying to manage different privacy protection standards for users in and outside of the EU, the big players are opting to apply the changes internationally.

Reducing their liability

That’s undeniably a big win for us, but the tech companies know that the GDPR protects people in the EU rather than users elsewhere, and some have restructured their businesses to minimise their exposure to legal action.

Facebook, for instance, had until April made its Irish subsidiary the legal home for its users outside North America, mainly for tax purposes. But last month it shifted its users outside the EU - some 1.5 billion of them, including us here in New Zealand - to the jurisdiction of the United States. Microsoft did something similar for LinkedIn, the social network for professionals that it owns.

Still, thanks to the Europeans, many of the privacy changes made for them will apply to us too, even if we don’t have the same legal recourse when there’s a data breach or a company doesn’t respond when you ask it for details of the data it holds on you. There are enough Europeans able to take legal action under the GDPR to keep the big players honest.

I read them so you don’t have to

The emails have come from an eclectic mix of companies whose services I use - Facebook, Google, Uber, Udemy, National Geographic, Nest, the Medium blog platform, drone-maker DJI and domain host Crazy Domains among them. They have mainly been ‘repermission’ emails - we’ve already opted in to have them use our data, and now they are telling us how they are going to do it differently in future.

They don’t require you to do anything; you aren’t going to be cut off from their services until you approve the updated policies. But they do encourage you to read the new policies and terms of service, something I recommend you do if you have the time. If nothing else, it may acquaint you for the first time with the types of data being gathered about you and what it is being used for. It could also spur you to revoke consent to things you weren’t aware you’d authorised. Of course, that may result in you not having as useful an experience with their services.

The only New Zealand entity on my list is KEA, the Kiwi Expat Association, which will hold data on thousands of EU-based members and so is subject to the GDPR. In its privacy update, KEA says it is relying on the “legitimate interests” basis for processing under EU privacy law, which lets an organisation use personal data without asking for consent provided it meets certain criteria, such as using the data in a way people would reasonably expect, keeping the impact of the processing on a member’s privacy minimal and making sure that each use of the data is tied to the purpose of the organisation.

“With the selection of Legitimate Interests, Kea acknowledges its duty to ensure that the personal data of its members is protected against unauthorised disclosure, and breaches of integrity or availability,” notes KEA.

Data overload

The big criticism of the GDPR is the amount of compliance work it will add to businesses. In KEA’s case, it might have good internal policies, but what about the hosting company that stores its members’ data or the database company KEA uses? Under the GDPR those suppliers are “processors” with obligations of their own, and KEA needs a contract with each of them setting out how the data may be handled.

Ultimately that could mean more cost, which companies may choose to pass on to customers. Well, if that’s the cost of greater security and protection for the most valuable commodity of the digital age, our personal data, then so be it. But for the likes of Google and Facebook, the free ad-supported model underpinning their business has proven to be vastly profitable; I don’t see them altering the equation any time soon.

How enforceable these regulations are is yet to be seen and there’ll no doubt be court battles in the coming months and years as the law is tested.

By and large, the GDPR has triggered the biggest data privacy refresh in years and that is a good thing. This new legislation is intertwined with the growth in use of algorithms to make sense of our data in the private sector and the government space, so the Europeans have helpfully drawn a line in the sand that the whole world is taking notice of, and not before time.

Take for instance the changes from music streaming service provider Spotify. This is a company that can tell a lot about me from the type of music and podcasts I listen to, when and where I listen and the networks I’m connected to on the website.

I delved into their updated privacy policy and this is what I found.

  • An updated Privacy Policy to reflect the fundamental rights under the GDPR, including this: “the right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.” In practice that means, for instance, that if Spotify’s automated checks for misuse of its network flagged your account and cut you off, you could ask for a human to review the decision rather than leaving it to the algorithm alone.
  • A much clearer overview of what data Spotify collects and how it uses it - with liberal use of the “legitimate interests” basis. This section is worth reading, particularly the “voluntary mobile data” part, which lists all the extra data from your phone you can opt into giving Spotify. That’s something we all too quickly skip through.
  • A note from Spotify that it will soon introduce some new things: a “Privacy Center” giving easy access to your privacy settings and an overview of how your data is being used, and a contact page for Spotify’s data protection officer, who will be the person to approach with queries about your data privacy.

Those things will roll out in the next few weeks according to Spotify. You’ll see similar efforts at greater transparency and more granular control of your data from many other companies, many of whom are clearly deciding to embrace the change rather than hide from it. That is to be commended.

The proof will be in how well the companies operate their systems on an ongoing basis and how they introduce new services that require our data to be used in different ways.

Too often in the past, those changes meant emailing us a dense, legalistic document. The GDPR requires privacy notices written in clear and plain language, and companies won’t be able to get away with one big tick box or “agree” button covering a range of different uses; consent has to be asked for separately for each.

Facebook has already drawn criticism for the way it has laid out the changes; it knows hundreds of millions of its users will just swipe through them anyway. But the momentum is clearly towards greater transparency, which is the first step along the path towards rebalancing the power equation between Big Tech and its consumers.

More about the GDPR from New Zealand’s Privacy Commissioner.

The updated privacy policies from Facebook, Google, Microsoft and LinkedIn.