With the entry into force of the famous European regulation 2016/679, the so-called GDPR (which stands for “General Data Protection Regulation”), it will become difficult for social networks and online platforms to force users to deliver their personal data in exchange for “free” services. While this new principle was somehow already enshrined in the regulation, yesterday the Article 29 Working Group, that is to say the committee grouping together the European data protection authorities, made the rule clear, without possibility of different interpretations or nuances.
The statement is contained, amongst other things, in the “Guidelines on consent” adopted yesterday, April 16, 2018. European regulators have reiterated that consent, to be valid, must be given freely by individuals, that is to say individuals are offered a genuine choice with regard to accepting or declining the terms offered, without detriment. This is rather the opposite of what happens today. The fact is, until now people have been used to consenting to the processing of their personal data without considering all the implications, and sometimes without even realizing that consent was given. This is the case with most apps, surveys and Facebook games, but things will now have to change.
Will such habits change with the GDPR and the new consent Guidelines? Probably yes, because operators will do their best to demonstrate that users have effectively given proper consent. The fact is, should a national authority, on the basis of an ex-post judgment on a specific case, consider that – with certain modalities – the consent has been given in an invalid way, it may impose very heavy penalties, up to 4% of the turnover of the concerned company. Therefore, it is likely that the terms of consent will become, with the GDPR, a technological choice inherent to the business model of the operator, rather than a piece of paper drawn up by the legal department, as has happened until now. This is what we call “privacy by design”.
But what will happen in practice? The Guidelines of 16 April contain numerous examples which show how the practical application of the GDPR will change the concept of consent. Indeed, the most important example is the one concerning the “do ut des” between services and privacy, that is to say the practice – very frequent – by which users exchange (more or less consciously) data with platforms and apps in order to benefit from “free” services. It has been rightly said that “if the service is free, then you are the product” and this is, frankly, the way big online platforms work, from Facebook to Google, as well as many start-ups.
Here is a clear example:
A mobile app for photo editing (could be whatever in this category: creating flags, writing “Je Suis Charlie” on your fourfold picture or showing which animal of the savannah looks more like me) asks its users to have their GPS localization activated for the use of its services. The app also tells its users it will use the collected data for behavioral advertising purposes. Neither geo-localization nor online behavioral advertising is necessary for the provision of the photo editing service, and both go beyond the delivery of the core service provided. Since users cannot use the app without consenting to these purposes, the consent cannot be considered as being freely given.
Therefore, if users do not have a way out, i.e. the ability to use the app/service even without giving consent to the use of their data, the consent will be considered invalid and will trigger penalties.
As mentioned above, such an interpretation of “free” consent was already present in the principles laid down by the GDPR; however, some operators were hoping that the Art. 29 Working Group would provide a more relaxed interpretation. This has not happened, and most online platforms and app developers will now have to think about new business models.
For sure, it will be necessary to aim at a new trusting relationship between platforms and users. The latter have accumulated, in recent months, hate and paranoia against certain platforms and applications in a way that goes far beyond the concrete responsibilities of online operators. To tell the truth, everyone is pleased to have free social platforms for entertainment, marketing and contact opportunities, but to continue to do so we have to recover the trust which was lost in many scandals, starting with Cambridge Analytica. Users could still agree to supply the digital economy with their own data, but now they will want to do it under different conditions. This is the challenge for online platforms, big and small. The proven ability to protect the value of personal data will likely mark the difference between winners and losers.
The GDPR regulation constitutes, given its global applicability, a huge novelty, destined to shape the global economy, before the European one. Its global reach is comparable to the American laws on banking and finance, the Bretton Woods agreements, and the practices developed by Florentine bankers in the Renaissance. This is an impressive affirmation of European sovereignty at the international level which perhaps not everyone has yet realized.