GDPR means big changes.
Anyone who has at least one account with a social media network, online business, charity, or other organisation has been made aware of the new privacy and data protection regulations now in effect across Europe. Emails have flooded inboxes for months ahead of May 25th’s changes, informing recipients of updated policies.
Companies now have to provide clear details on how users’ data will be gathered and utilised before consent can be given. It’s in businesses’ interests to follow the new rules to the letter, to avoid massive fines.
However, four of the world’s biggest brands – Facebook, Instagram, WhatsApp, and Google (primarily its Android OS) – have already come under fire since the GDPR came into force. Billions of dollars are at stake if they are found to have breached new regulations.
This raises compelling questions about the way in which social media companies are adapting to the new rules, and whether they can be trusted.
Breaching GDPR Rules
Privacy group Noyb (None of Your Business, fronted by seasoned activist Max Schrems) has claimed that these four companies are breaching GDPR’s regulations. They are helping four users to file their complaints to data protection agencies across Europe.
The group claims that these brands are essentially forcing customers to either agree to have their data collected and shared to aid targeted advertising, or delete their accounts.
Noyb believes this places the four giants’ behaviour outside of the GDPR guidelines, and that using data for advertising or selling it to third parties demands customers’ consent, regardless of whether the service is available or not.
GDPR stipulates that apps and websites can use the data they absolutely need to function without consent, but everything else demands users’ permission.
Schrems indicated that Facebook has blocked users out of their accounts if they fail to give consent for their data to be used however the social network deems necessary. In such a case, anyone who does not give Facebook permission to keep gathering their data to serve advertisers’ own ends would essentially have to stop using the service.
Max Schrems’ complaints aim to fine Facebook and Google a combined €7.6bn (€3.9bn and €3.7bn respectively) for breaching users’ rights. Facebook owns both Instagram and WhatsApp, while Google operates Android apps for all three.
New Features for New Rules
Both Facebook and Google have denied any wrongdoing. The latter claims that they have built “privacy and security into our products from the very earliest stages”, and are “committed to complying with the EU GDPR”.
Facebook, on the other hand, stated that they “have prepared for the past 18 months” to meet the GDPR’s criteria. They claim they “have made our policies clearer, our privacy settings easier to find and introduced better tools” enabling users to manage their information more efficiently.
They are working on Clear History, which will allow Facebook’s users to view which websites and apps share information on your activities with them. Clear History will also enable users to erase data from their accounts and prevent Facebook storing it in the future.
All of this sounds well and good, but will it make much of a difference? Noyb are hoping the lawsuits will cause Facebook and its subsidiaries to determine whether or not advertising-related data is required for the social network’s core services.
If not, additional consent would be required, ultimately allowing people to use Facebook without granting permission for their data to be used for targeted advertising.
Max Schrems has taken action against companies regarding data protection before. In 2015, his two-year case against the transfer of data from the EU to America was successful, leading to a ruling that this ‘safe harbour’ agreement was no longer valid.
In the run up to GDPR’s launch, Facebook did take steps to get users involved in their upcoming policy changes. In April, they gave members of their network seven days in which to provide feedback on their terms and data policy, after outlining some of the revisions involved.
In early May, Google published a post titled ‘Our preparations for Europe’s new data protection law’. This covered the steps they had taken for the GDPR, exploring such features as ‘improved user controls’ and ‘parental consent and improved tools for children online’.
While the companies are clear about what data is gathered and why, Noyb is committed to highlighting that Facebook’s forceful ‘take it or leave it’ approach is giving users little choice if they wish to keep their accounts active. If the lawsuits continue to press ahead and the giants are found to be in breach of GDPR regulations, Facebook and Google could face hefty fines. It would lay the foundation for similar cases in the future.
Schrem has argued that companies cannot force people to consent, and that this is “actually forbidden under GDPR in most cases”.
The way in which social media brands handle data privacy and security from now on will continue to evolve. Noyb’s cases against Facebook and Google could change the processes required for them to handle users’ data, denying them the ability to basically threaten closure of accounts if customers refuse targeted advertising.
Other social media brands have changed their policies to comply with GDPR. Snapchat is reducing the amount of data it collects from users under the age of sixteen, as well as requiring members to opt-in or -out of Discover and Lifestyle Categories sections. Granting or withdrawing consent is now easier.
Twitter, meanwhile, is updating its privacy policies and terms for GDPR compliance, but hasn’t released a huge amount of information on the changes so far.
GDPR means greater privacy and data security for users within the EU, but these four lawsuits could make a huge difference to the way in which they operate. Even if no fines are enforced, Facebook and Google may well cost themselves customers if they fail to make changes.
Social media is going nowhere, of course. Facebook continues to grow, attracting more than two billion monthly active users. Changes should be made to comply with GDPR and gain users’ trust, but for many people, the way in which their data is used may simply not be enough to chase them to rival networks.
Noyb’s actions and GDPR may help more people to become more aware of what social media companies do with their personal information, and inspire them to demand greater protection of their data. That could be a victory in itself.