EU data supervisor warns online providers about Ts & Cs

In a blogpost, European Data Protection Supervisor Giovanni Buttarelli said that “opaque” and “take it or leave” policies infringe consumers rights, restrict consumer choice, and may be anticompetitive, especially in those markets where the operators are a dominant provider.

Buttarelli also slammed terms and conditions—particularly concerning privacy policies—as being “either long, verbose and impenetrable legalese, or else vague and soothing PR exercises” that “nudge (or shove) people towards accepting excessive personal data processing or into rushing into purchase decisions.”

In its draft guidelines on processing data necessary for the performance of a contract released on 9 April, the European Data Protection Board (EDPB), the EU body that oversees the application of data protection rules across the 28-country bloc, said that people should not be compelled to accept personal data processing which they are not comfortable with when they sign up to a service.

The European Commission, as well as EU national data and competition regulators, have been increasingly critical of social media firms and tech companies—particularly with their cavalier attitudes toward personal data, lax compliance with data rules, and stringent terms of use that force consumers to accept all conditions or be barred from using their services.

Social media giants Facebook and Google have been regular targets. In January France’s data protection watchdog CNIL fined Google a record €50 million (U.S. $57 million) under the EU’s General Data Protection Regulation (GDPR) for failing to provide users with transparent and understandable information on its data use policies.

The CNIL found that Google violated users’ privacy in several ways, one being that even when user consent was collected, it did not meet the standards under GDPR that such consent be “specific” and “unambiguous”, since users were not asked specifically to opt in to ad targeting. Instead, they were simply asked to agree to Google’s terms and privacy policy en masse—or not use any of the services at all.

In February Germany’s competition regulator told Facebook to “substantially restrict” how it collects and combines data about its users unless they give it explicit consent.

The Bundeskartellamt said that the social media giant had effectively abused its dominant position to gather users’ personal information via Facebook, its other apps (including Instagram and WhatsApp) and third parties by forcing consumers to give blanket approval to its terms and conditions without users really knowing the extent to which their data would be shared–or for what purpose.

The German decision comes in addition to rulings by the Court of First Instance of Brussels, Belgium, in February 2018, following a legal action the Belgian Data Protection Authority, and a decision of 29 November 2018 of the Italian Competition Authority, which address similar illegal behavior by Facebook (but on the grounds of EU data protection and EU consumer law, respectively).

More recently, on 9 April France’s Tribunal de Grande Instance of Paris fined Facebook €30,000 (U.S. $33,527) for violating people’s data protection, privacy and consumer rights by imposing illegal terms of service and selling personal information onto third parties. The court said that 430 clauses within Facebook’s contracts with users are void.

On the same day, the European Commission announced that, following action by the Commission and EU consumer protection authorities, Facebook would be updating its terms of services by the end of June to explain better how the company uses its users’ data to develop profiling activities and target advertisers.

According to the Commission, the company has undertaken to amend its policy on limitation of liability acknowledging responsibility in case of negligence, for instance where users’ data has been mishandled by third parties, as well as its power to unilaterally change terms and conditions by limiting it to cases where the changes are “reasonable.”

“This announcement indicates a step in the right direction,” says Buttarelli. But, he adds, “it also highlights the continued lack of genuine co-operation between data and consumer regulators and, where the company happens to be dominant in the market, between them and competition authorities. The common aim ought to be to ensure a coherent outcome in the interests of the individual, whether data subject or consumer.”

Indeed, Facebook’s battles with European regulators are likely to continue for some time. On 18 April BEUC, an EU-wide consumer organization, asked the European Commission to examine “the most efficient ways to ensure that Facebook stops exploiting consumers across all EU member states.” It is not just Facebook that BEUC has in its sights—social media and tech firms generally need to be held more accountable, it says.

In particular, BEUC “calls on the European Commission to explore—with relevant authorities—how to deal with a concrete commercial behavior that simultaneously breaches different areas of EU law.”

The objective, it says, “should be to develop a methodology for cross-sector scrutiny to tackle multi-disciplinary illegal practices in the most efficient way to protect Europeans,” while “the outcome of this process should be a consistent and coordinated strategy for EU enforcement to deal with similar cases where there is a conflation of data protection, competition and consumer protection issues.”