We know you’re not reading all those G.D.P.R.-related privacy policy emails. Maybe you should.

Professor Woodrow Hartzog holds joint appointments in Northeastern’s School of Law and the College of Computer and Information Science. Photo by Matthew Modoono/Northeastern University
In recent weeks you’ve probably received a bunch of emails from companies with updated terms of service policies—which you, like us, probably haven’t read if past studies are any indication.

All these emails may feel like a nuisance, but actually, it’s the result of something very positive: a new law that significantly expands data protections for people across the European Union, giving them greater control over their personal data and setting heavy fines for companies that violate the new terms. The law goes into effect on Friday, which is why companies have been sending out these updated terms recently.

Northeastern professor Woodrow Hartzog, whose new book, Privacy’s Blueprint, published last month, calls the law a “watershed moment,” saying it’s built on the notion that privacy is a fundamental right. He said that while the law applies directly to Europeans, companies that have customers all over the world—like Facebook, Google, Twitter and many of your favorite apps—are updating their terms for everyone, including Americans.

Here, Hartzog explains what the law, the full name of which is the General Data Protection Regulation—GDPR for short—means for Americans, as well as the potential implications for those who fail to read all those lengthy terms of service policies.

What does the new European law, and the recent flood of terms of service emails, mean for the average person in America?

I think the GDPR means two things for Americans. One, it represents a benchmark that people looking for more robust protections can look to—and measure its success. For Americans looking for an example of robust privacy regulations, this is a good one.

Second, as a practical matter, with these companies taking steps to comply with the GDPR, Americans will probably end up receiving the practical benefit of some spillover protections meant for Europeans. For example, Microsoft has just promised to extend the GDPR’s data subject rights, including “include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else,” to its customers worldwide. This is a pretty significant announcement that’s going to put pressure on other companies to follow suit. Data subject rights are some of the most interesting and powerful aspects of the GDPR. It will be very interesting to see if this announcement creates a ripple effect. For example, platforms might create tools to help give people more control and more effectively give informed consent to companies for certain data practices. I would anticipate that these tools will be rolled out worldwide, not just in Europe. Though we will have to wait and see. You’ll likely see more tools along the lines of Google and Microsoft’s Dashboard and Facebook’s modified privacy settings for this purpose.

Will the United States ever go as far as Europe on this?

There’s been a lot of talk about the United States adopting the U.S. version of the GDPR. I don’t see that happening for several reasons. One is that the First Amendment looms very large within the United States, and what subjects are allowed to request of companies would be more limited because of free speech concerns. I’m skeptical that a full-on robust GDPR proposal in United States would make it all the way through to law in even remotely the same shape. I think it would be watered down given political realities in the United States. I wonder if there’s a different, more piecemeal strategy that can strike at really important places in more precise ways and embolden the frameworks that exist.

What is the legal foundation of these terms of service agreements?

For better or for worse, lawmakers in both Europe and the United States have decided that the main model for effectuating people’s privacy rights is control and informed consent. The idea is that if companies fully tell you about their data practices, and you click ‘I agree,’ then your privacy is being respected because you exercised control over that data by agreeing or not agreeing to it. In a lot of ways this is expressed in these terms of use. Courts in the United States have been pretty consistent, that if you click the box that says you’ve read the terms of services and agree to them, whether you read them or not doesn’t matter, they’re going to enforce them anyway. It seems ill fitting, given we have to make this decision so many times per day, and we have no bargaining power whatsoever. So these terms are usually enforced as contracts, but they do a terrible job of actually informing people of a company’s data practices. People don’t have the time or resources to read them or fully process the risks they are meant to describe, I suspect that people’s lack of understanding of the fine print will continue now and forever more—and rightfully so. People shouldn’t be expected to read thousands of lines of a boilerplate agreement every time they interact with a new online service. Nor should they be saddled making decisions based upon over-simplified pop-up warnings. Informed consent models just aren’t a good fit for complexity and neediness of modern online services.

So if we shouldn’t be expected to read these long agreements, but courts say they can be enforced if you click ‘yes’, where does that leave us? What would you advise people do?

There’s not a lot American users can do differently under the GDPR to really protect themselves. We will need better laws in the U.S. to really be in a better position. If you’re in Europe, with the GDPR comes a lot of data subject rights—some of which existed beforehand. For example, under the GDPR, data subjects are granted the right to access the data that companies have on them as well as the right to rectify and erase that data under certain circumstances. This is a much more enabling notion for people who have personal information processed by these large companies. But data subject rights haven’t really extended over the Atlantic yet. They aren’t really recognized on this level yet in U.S. law. Some access and correction rights are built into the Fair Credit Reporting Act and other laws, but by and large Americans don’t have nearly the same data rights as Europeans. That’s an area U.S. lawmakers can draw from if they are serious about improving data protection.