All these emails may feel like a nuisance, but they're actually the result of something very positive: a new law that significantly expands data protections for people across the European Union, giving them greater control over their personal data and setting heavy fines for companies that violate the new terms. The law goes into effect on Friday, which is why companies have been sending out these updated terms recently.
Northeastern professor Woodrow Hartzog, whose new book, Privacy’s Blueprint, was published last month, calls the law a “watershed moment,” saying it’s built on the notion that privacy is a fundamental right. He said that while the law applies directly to Europeans, companies that have customers all over the world—like Facebook, Google, Twitter and many of your favorite apps—are updating their terms for everyone, including Americans.
Here, Hartzog explains what the law, the full name of which is the General Data Protection Regulation—GDPR for short—means for Americans, as well as the potential implications for those who fail to read all those lengthy terms of service policies.
What does the new European law, and the recent flood of terms of service emails, mean for the average person in America?
I think the GDPR means two things for Americans. One, it represents a benchmark that people looking for more robust protections can look to—and measure its success. For Americans looking for an example of robust privacy regulations, this is a good one.
Second, as a practical matter, with these companies taking steps to comply with the GDPR, Americans will probably end up receiving the practical benefit of some spillover protections meant for Europeans. For example, Microsoft has just promised to extend the GDPR’s data subject rights, which “include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else,” to its customers worldwide. This is a pretty significant announcement that’s going to put pressure on other companies to follow suit. Data subject rights are some of the most interesting and powerful aspects of the GDPR. It will be very interesting to see if this announcement creates a ripple effect. For example, platforms might create tools to help give people more control and more effectively give informed consent to companies for certain data practices. I would anticipate that these tools will be rolled out worldwide, not just in Europe, though we will have to wait and see. You’ll likely see more tools along the lines of Google and Microsoft’s Dashboard and Facebook’s modified privacy settings for this purpose.
Will the United States ever go as far as Europe on this?
There’s been a lot of talk about the United States adopting the U.S. version of the GDPR. I don’t see that happening for several reasons. One is that the First Amendment looms very large within the United States, and what subjects are allowed to request of companies would be more limited because of free speech concerns. I’m skeptical that a full-on robust GDPR proposal in the United States would make it all the way through to law in even remotely the same shape. I think it would be watered down given political realities in the United States. I wonder if there’s a different, more piecemeal strategy that can strike at really important places in more precise ways and embolden the frameworks that exist.
What is the legal foundation of these terms of service agreements?
So if we shouldn’t be expected to read these long agreements, but courts say they can be enforced if you click ‘yes’, where does that leave us? What would you advise people do?
There’s not a lot American users can do differently under the GDPR to really protect themselves. We will need better laws in the U.S. to really be in a better position. If you’re in Europe, with the GDPR comes a lot of data subject rights—some of which existed beforehand. For example, under the GDPR, data subjects are granted the right to access the data that companies have on them as well as the right to rectify and erase that data under certain circumstances. This is a much more enabling notion for people who have personal information processed by these large companies. But data subject rights haven’t really extended over the Atlantic yet. They aren’t really recognized on this level yet in U.S. law. Some access and correction rights are built into the Fair Credit Reporting Act and other laws, but by and large Americans don’t have nearly the same data rights as Europeans. That’s an area U.S. lawmakers can draw from if they are serious about improving data protection.