The Washington Post

As Europe updates law, tech giants update terms

Aim is to make policies on data clearer, but more confusion could await

- BY ELIZABETH DWOSKIN. Tony Romm contributed to this report from Washington. More at washington technology

SAN FRANCISCO — Silicon Valley companies for months have been rewriting their privacy policies to make them clearer in time for a Friday deadline — the day Europe ushers in sweeping new privacy laws that could affect users worldwide.

The new law could spell the end of legalese — of an era of signing away your rights with a single click, experts said. But it could also have the opposite effect, of creating longer, more confusing explanations.

The European law, called the General Data Protection Regulation (GDPR), requires that companies use plain language to communicate how they process people’s data. It also mandates that they obtain explicit consent from consumers for every possible use of their information and allow them to delete and request copies of all data that companies have on them. Firms that break the rules face steep fines of up to 4 percent of global profits.

Because it is hard for technology companies to determine the citizenship of users who log in to their services, most companies say they will roll out the changes beyond the law’s immediate jurisdiction in Europe, extending new protections, or at least clearer explanations, to citizens of the United States and elsewhere. Citizens outside Europe will not have the same legal recourse if they believe that the companies’ practices fall short.

Google, Facebook, Apple and others have been rushing to ready new tools for people to download and delete their data — along with revamped privacy policies and interfaces that purport to be more digestible. On Thursday, Facebook said it plans to insert alerts in the news feeds of more than 2 billion users in the coming weeks, giving them a number of choices, including whether the company can use information collected about them from advertisers.

In some ways, the effort around the new European rules boils down to a single question: Will they bring about the end of legalese?

Privacy advocates have long complained about mind-numbingly long privacy policies stuffed with inscrutable fine print and jargon. Google’s new contract with its users is 20 pages long, for instance. People feel they are blindly signing away their rights to protect their information from being used by companies in undesirable ways, privacy advocates say.

“The companies are realizing that it is not enough to get people to just click through,” said Lorrie Cranor, director of the CyLab Usable Privacy and Security Laboratory at Carnegie Mellon University and the U.S. Federal Trade Commission’s former chief technologist. “That they need to communicate so that people are not surprised when they find out what they consented to.”

That has become more apparent in the past two months, since revelations that a consultancy connected to candidate Donald Trump, Cambridge Analytica, made off with the Facebook profiles of up to 87 million Americans. Cranor said that consumer outrage over that breach was directly related to concerns that companies were engaging in opaque practices behind the scenes, and that consumers had unknowingly allowed it to happen by signing away their rights.

Irrespective of simpler explanations, the impact and success of the GDPR will hinge on whether companies will try to force users to consent to their tracking or targeting as a condition for access to their services, said Alessandro Acquisti, a Carnegie Mellon computer science professor and privacy researcher. “This will tell us a lot regarding whether the recent flurry of privacy policy modifications demonstrates a sincere change in the privacy stance of those companies or is more about paying lip service to the new regulation. The early signs are not auspicious.”

Tech companies may be making some changes, but the European law — an 88-page document that some say is as confusing as a privacy policy — will take many years to sort out.

For example, under the GDPR, an app cannot sell users’ information to advertisers or use it for anything besides its stated service without what the law refers to as “affirmative” consent. Companies must also enable people to delete any data collected about them.

The requirement of companies to disclose more about their data practices than ever could result in lengthier explanations, said Bart Lazar, a privacy lawyer with the Chicago firm Seyfarth Shaw.

On Wednesday, Apple announced a new privacy portal where people can download copies of the profile the company keeps on them. Spotify is also giving users a data-downloading tool and a streamlined privacy policy.

This month, Google announced a rewrite of its privacy policy and a slew of updates designed to provide simpler explanations about what data the company collects. Google isn’t changing the way it handles data but is trying to make its explanations clearer, such as providing user-friendly reminders of the extensive controls Google already offers.

The changes will affect all users of Google’s services.

Some companies aren’t yet ready for the GDPR. The read-it-later app Instapaper informed all European users on Wednesday that its service would be temporarily unavailable while it makes changes to ensure it is compliant with the new law.

In addition to the new alerts Facebook announced Thursday, the company said in March that it would streamline its privacy policies — now in 20 different places on the company’s website — onto a single page. For the first time, Facebook will allow users to delete some of the data that the company collects about them — for example, the different Facebook links and pages a person clicks on — through a new “Clear History” tool.

But Facebook will not give people the option to block the company from harvesting most of the information it already collects.

Until now, Facebook users outside the United States and Canada — the vast majority of its global user base — sign terms of service that are controlled by the company’s Irish subsidiary. Last month, the company confirmed to Reuters that it is changing those terms so that most Facebook users will no longer fall under European legal control.

Nate Cardozo, senior staff attorney at privacy and civil liberties advocacy group Electronic Frontier Foundation, said that Facebook’s changes go “one-tenth of the way toward restoring public trust.”