Terms, Conditions and Considerations Under the GDPR by Jennifer Baker, EU Policy Correspondent

In recent months, European regulators have found fault with the terms and conditions of tech giants Facebook and Google, leaving DPOs at smaller companies understandably worried.

With hundreds of policy templates to choose from, one of the difficulties is writing a privacy policy that is neither so long that no one can read it nor so short that it doesn’t cover the bases. Striking the right balance between the unreadable and the unworkable is essential.

The main challenge for DPOs is to ensure terms and conditions and privacy notices do not become mixed up, explained Nymity Strategic Research Director Paul Breitbarth. “Under the GDPR, they really need to be separate documents. Still too often, terms and conditions contain information about an organization’s data processing practices, which read more like liability waivers intended for lawyers. A privacy notice on the contrary needs to be concise and in clear and plain language, that the average person should be able to understand. So no legal speak (or worse: Eurospeak), no lengthy sentences with tons of exceptions, but just describing to the point what it is you intend to do with data,” he said.

In the Facebook case, the European Commission announced on April 9 that it had ordered the company to change its terms of service to explain clearly how the company makes money by selling user data. The new terms of service must state what data Facebook sells to third parties, including data brokers or ad exchanges, how it will respond to misuse of data by third parties, and under what conditions it can unilaterally change its terms.

The arrangement struck by the Commission should see the social media giant explaining to users that it does not charge them for its services “in return for users’ agreement to share their data and to be exposed to commercial advertisements. Facebook’s terms will now clearly explain that their business model relies on selling targeted advertising services to traders by using the data from the profiles of its users,” said Justice Commissioner Vera Jourova.

Breitbarth had some innovative ideas on how Facebook or others might update privacy policies: “Nowhere in the GDPR it is said your privacy notice needs to be written. Why not go out of the box and use images, or even video, to explain how you are processing personal data? And if you do want to stick to text, you can always consider the layered notice, with high level information for the majority of persons who don’t want to read a notice anyway, and more details available one click away for the annoying privacy pro (likely myself) that really wants to understand what you are doing.”

Deputy-Director General of BEUC, the European Consumer organisation, Ursula Pachl, said that while “clearer terms and conditions are welcome, they do not solve the problems inherent to Facebook’s business model, which is built on the extensive exploitation and monetisation of people’s privacy, its market dominance in Europe and concerns about the company’s compliance with the GDPR. More transparency is not enough, fundamental changes in Facebook’s practices are needed.”

Meanwhile, following a complaint by one of BEUC’s member organisations, Consumer Federation Bundesverband (vzbv), the German Federal Competition Office (Kammergericht) found that many clauses of Google’s Terms and Conditions infringe the GDPR. On March 21 it ordered Google to refrain from the use of a total of 25 clauses in the Privacy Policy and the Terms of Use.

Although the privacy policy and conditions of use date from 2012, vzbv showed that they are still partially used today. In the challenged privacy policy, Google granted itself, among other things, very extensive rights to the collection and use of customer data. In part, Google retained the right to link personal information from different services or, in certain cases, from third parties.

The Kammergericht said that the terms and conditions “give the consumer the (incorrect) impression that they must tolerate the practice described in the privacy policy whether they want to or not”. It also criticized, among other things, that the privacy policy was designed to give the impression that the described data processing was allowed without the consent of the customers, which was actually not the case.

This gets to the heart of many problematic terms of service. Despite GDPR, they are often written in complicated, legalistic language designed to obfuscate the fact that for many online services, personal data will be shared with third parties and used for targeted advertising – something the Norwegian Consumer Council calls ‘deception by design’. These “take it or leave it” practices undermine data protection by “nudging” users towards accepting excessive personal data processing.

European Data Protection Supervisor Giovanni Buttarelli pointed out: “Terms of service are generally designed to safeguard a service provider against legal challenges. These terms are not a contract established jointly by two more or less equal parties. Rather, they are laid down by the service provider and not open to negotiation. In the EU there are rules protecting the consumer against unfair terms, under Article 102 of the Treaty on the Functioning of the EU, prohibiting a dominant company in a market from imposing unfair trading conditions.”

He further described most privacy policies nowadays as “either long, verbose and impenetrable legalese, or else vague and soothing PR exercises. Either approach places the burden on the individual to understand complex data practices and act rationally in her own best interests,” he continued.

According to Buttarelli, transparency has become a double-edged sword: “provide too much information and the average person cannot be reasonably expected to read it; oversimplify and she will have little idea of what is really going on.”

Finn Myrstad, director of digital policy at the Norwegian Consumer Council, who conducted the definitive research into terms and conditions on mobile apps three years ago, said that despite GDPR he hasn’t seen a difference between mobile and web-based platforms.

“As far as we have seen, there is not much difference between the terms of apps and of web-based platforms, and often the terms overlap. One difference is that on web-based platforms, it is often difficult to know if the terms and privacy policy are meant to cover the actual platforms, or just the use of cookies and trackers on the website itself,” he explained.

Myrstad said that although the organisation has not looked extensively into how the text of the terms has changed in the past year, since the arrival of GDPR, “making changes to already complex legal documents is not a solution for the user, who will not read the text anyway.”

“We have observed that major service-providers such as Google and Facebook presented their GDPR updates for users in unskippable pop-up prompts. However, these pop-ups were designed to make users consent to a lot of data collection, which we believe contravenes the principles of informed consent and privacy by default. If companies can manipulate consumers to give consent to data collection that goes beyond what is necessary to deliver the service, this undermines user control, which is one of the central tenets of the GDPR,” continued Myrstad, echoing Buttarelli.

His advice to companies is actually to “present the most potentially invasive data collection practices upfront to the user, avoid using manipulative wording and design, and most importantly, respect the principles of purpose limitation and data minimisation.”

“Just because you put a blanket provision in your terms à la ‘we collect and use your personal data for marketing and analytics purposes’, does not mean that you are being compliant. In short, only collect the personal data that is necessary to deliver the service to the user, and if you want to go further by for example using personal data for advertising or analytics, you need to inform the user and rely on an opt-in affirmative choice,” he said.

According to Myrstad, “nudging” consumers often works. But when those users find out about it, they are often shocked. The Norwegian Consumer Council presented users with the extensive location tracking Google does through their “Location History” service. Most of them had not realised they had given permission to this collection, said Myrstad, and as a result felt fooled or betrayed by Google.

So, regardless of regulatory enforcement, companies should also consider the damage to reputation if consumers subsequently discover they have been misled.