A few years ago, the comedian John Oliver mocked the dense language that many tech companies employ in their user agreements (and the gullibility of users who just want to click past the boring stuff and get on with their music or games or news). He claimed, “If you want to do something evil, just put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes user agreement, and you’d just go agree, agree, agree – what? – agree, agree.” Oliver’s harsh words were clearly hyperbolic, but as technology has become a more important and pervasive part of our work and social lives, people may unwittingly agree to uses of their data that are more extensive or invasive than they intend. Users’ names, addresses, and credit card numbers may be collected and stored, and some of this information may even be shared.
More than six years ago, in January 2012, the European Union set out to protect consumers’ online privacy. Over the next four years, the EU hammered out details of the plan, resulting in an expansive General Data Protection Regulation that applies to all companies within the EU – and that offer any goods or services within the EU, or to any company that serves the citizens of the EU. This broad application means that any company that processes the personal data of European citizens is subject to regulation: an American company that markets its services to Europe or that collects and analyzes data on European citizens must comply with the GDPR. The regulation gives consumers significant control over their data, limiting how companies can use it and broadening consumers’ say over how and where their data can be used. Under the GDPR, consumers have a right to know how their data is being processed and what data a company holds. Consumers may also ask companies to correct their data or erase it if it is no longer being used. This right to ask companies to delete data stems from a particular privacy right that has been recognized in Europe (though not in the US) – the right to be forgotten. The GDPR also gives consumers control over their data in other ways: it requires companies to allow consumers to download their data and send it to other providers. This provision means that consumers can take their photos, writings, and information (and their business) elsewhere; their data is not lost or confined to one platform.
The EU set a compliance deadline of May 25, 2018 for the GDPR. Companies that failed to comply with the new privacy requirements by that date could incur heavy fines. As the deadline approached, companies that did business in the EU scrambled to update their privacy policies and treatment of data. These changes have benefited users across the globe, even in countries outside the EU. For instance, the popular blogging site, Tumblr, announced that all users, even those in the US, would be able to “view, manage, and download [their] data” in accordance with the GDPR.
Tumblr was not alone in changing its policies or alerting its users. GDPR has prompted a spate of notifications from a wide range of organizations, from Google and Spotify to smaller companies doing business online. While some consumers may greet the new notifications with the same indifference they direct toward conventional user agreements, the widespread adoption of new standards may herald a new era in privacy rights. This change suggests that data about the consumer belongs to the consumer (in the way that intellectual property is seen as belonging to its creator). This new regulation makes data more like physical property in some ways: it is more “portable’; it can be carried with a consumer from one platform to another. The possibility that a consumer’s data can be erased also suggests that Americans, too, might one day enjoy the right to be forgotten.
Kathleen Davies is a Staff Writer for GetLegal.com. She is a graduate of the University of Michigan Law School and has practiced law and taught legal writing and advocacy.