
EU's New Privacy Rules Could Spell the End of Legalese - Or Create a Lot More Fine Print


steven36


Highlights

  • Companies for months have been rewriting their privacy policies
  • New rules could also create longer, more confusing explanations
  • Firms must obtain explicit consent from consumers for information

 


 

Silicon Valley companies for months have been rewriting their privacy policies to make them clearer in time for a Friday deadline - the day Europe ushers in sweeping new privacy laws that could affect users worldwide.

 

The new law could spell the end of legalese - of an era of signing away your rights with a single click, experts said. But it could also have the opposite effect, of creating longer, more confusing explanations.

 

The European law, called the General Data Protection Regulation (GDPR), requires that companies use plain language to communicate how they process people's data. It also mandates that firms obtain explicit consent from consumers for every possible use of their information, and allow them to delete and request copies of all data companies have on them. Firms that break the rules face steep fines of up to four percent of global profits.

 

Because it is hard for technology companies to determine the citizenship of users who log into their services, most companies say they will roll out the changes beyond the law's immediate jurisdiction in Europe, extending new protections, or at least clearer explanations, to citizens of the US and elsewhere. Citizens outside Europe will not have the same legal recourse if they feel the companies' practices fall short.

 

Google, Facebook, Apple, and others have been rushing to ready new tools for people to download and delete their data - along with revamped privacy policies and interfaces that purport to be more digestible. On Thursday, Facebook said it plans to insert alerts in the newsfeeds of more than 2 billion users in the coming weeks, giving them a series of choices, including whether they want Facebook to use face recognition on their photos and whether the company can use information collected about them from advertisers.

 

In some ways, the effort around the new European rules boils down to a single question: Will they bring about the end of legalese?

 

Privacy advocates have long complained about mind-numbingly long privacy policies stuffed with inscrutable fine print and jargon. Google's new contract with its users is 20 pages long, for instance. The result is that people feel they are blindly signing away their rights to protect their information from being used by companies in undesirable ways, privacy advocates say.

 

"The companies are realising that it is not enough to get people to just click through," said Dr. Lorrie Cranor, director of the Cylab Usable Privacy and Security Laboratory at Carnegie Mellon University and the US Federal Trade Commission's former chief technologist. "That they need to communicate so that people are not surprised when they find out what they consented to."

 

That has become more apparent in the last two months since revelations that a Trump-connected consultancy, Cambridge Analytica, made off with the Facebook profiles of up to 87 million Americans. Cranor said that consumer outrage over Cambridge was directly related to concerns that companies were engaging in opaque practices behind the scenes, and that consumers had unknowingly allowed it to happen by signing away their rights.

 

Irrespective of simpler explanations, the impact and success of GDPR will hinge upon whether companies will try and force users to consent to their tracking or targeting as a condition for access to their services, said Alessandro Acquisti, a Carnegie Mellon computer science professor and privacy researcher. "This will tell us a lot regarding whether the recent flurry of privacy policy modifications demonstrates a sincere change in the privacy stance of those companies, or is more about paying lip service to the new regulation. The early signs are not auspicious."

 

Tech companies may be making some changes, but the European law - an 88-page document that some say is as confusing as a privacy policy - will take many years to sort out.

 

For example, under GDPR, if a mapping app asks for permission to collect a person's location in order to provide them with navigation, the app cannot then sell that information to advertisers, or do anything with it besides using it to provide navigation services - without what the law refers to as "affirmative" consent. Companies must also enable people to delete whatever data companies have on them.

 

The requirement of companies to disclose more about their data practices than ever before could result in more lengthy explanations, said Bart Lazar, a privacy lawyer with the Chicago firm Seyfarth Shaw.

On Wednesday, Apple announced a new privacy portal where people can now download copies of the profile the company keeps on them. It includes activity from the app store and Apple Music, iCloud, and visits to Apple retail stores. Spotify is also giving users a data-downloading tool and a streamlined privacy policy.

 

Earlier this month, Google announced a rewrite of its privacy policy and a slew of updates designed to provide simpler explanations about what data the company collects. Google isn't changing the way it handles data, but is trying to make its explanations more clear, such as providing user-friendly reminders of the extensive controls Google already offers.

 

"We've improved the navigation and organisation of the policy to make it easier to find what you're looking for; explained our practices in more detail and with clearer language; and added more detail about the options you have to manage, export, and delete data from our services," William Malcolm, Google's European legal chief, wrote in a blog post. The changes will affect all users of Google's services.

 

Some companies aren't yet ready for GDPR. The read-it-later app Instapaper informed all European users on Wednesday that its service would be temporarily unavailable while it makes changes to ensure it is compliant with the new law.

 

In addition to the new alerts Facebook announced on Thursday, the company said in March that it would streamline its privacy policies - currently in 20 different places on the company's website - onto a single page. For the first time, Facebook will allow users to delete some of the data that the company collects about them - for example, the different Facebook links and pages a person clicks on - through a new "Clear History" tool.

 

But Facebook will not give people the option to block the company from harvesting most of the information it already collects. Acquisti said that wasn't a good sign.

 

Facebook has also taken additional steps to protect itself from legal liability for infractions of GDPR. Until now, Facebook users outside of the US and Canada - the vast majority of its global user base - sign a terms of service that is controlled by the company's Irish subsidiary. Last month the company confirmed to Reuters that it is changing those terms so that most Facebook users will no longer fall under European legal control.

 

Nate Cardozo, senior staff attorney at privacy and civil liberties advocacy group Electronic Frontier Foundation, said that Facebook's changes go "one tenth of the way toward restoring public trust."

 

Source

 


If a privacy policy changes and no one reads it, does it really matter?


Your inboxes might be flooded with privacy policy emails. Have you read any of them?

 

"We're updating our Privacy Policy." "Updates to Our Privacy Policy." "Announcing updates to our privacy policy." "Your data privacy: Please take action!"

The list of updated privacy policies in my inbox goes on and on -- and if you've signed up for any online service in the last decade, these emails are most likely in your inbox, too. 

It's no coincidence, this sudden surge of activity by tech companies. The flood of privacy policy updates is actually coming because of a new European Union law kicking into effect. The General Data Protection Regulation aims to change how tech companies collect and use data from millions of people every day.

The data privacy law, which passed in 2016, allowed two years for companies to whip themselves into shape. Even with all that time to make their adjustments and notify users, the majority of these emails came in the run-up to Friday, the GDPR's deadline.

The crux of the new privacy policies follows the same idea: GDPR now requires companies to explicitly ask to collect your data and allow you to delete any information they collect on you.

So, with this rush of new legalese storming everyone's inboxes, we need to ask an important question: Is anyone actually reading this?

And even though the GDPR now requires privacy policies to be written in "clear and plain language," as it turns out, they've gotten even more complicated.

The Wall Street Journal discovered that privacy policies for Google, Facebook, Twitter, Instagram and LinkedIn all actually became lengthier in their GDPR-compliant updates. Experts told The Washington Post these changes would likely make privacy policies more complicated, despite the EU's regulations.

A reason these updated policies are much longer than their predecessors could be that companies have been rushing to meet the deadline, said Adrienne Ehrhardt, a partner at the law firm Michael Best, which is focused on privacy and cybersecurity.

"So, understandably, the approach may be to put in all the required information, and being transparent may equate to overinforming, which leads to very long privacy notices," she said.

It's been a rough few months for online privacy. Maybe you saw how Facebook CEO Mark Zuckerberg had to endure 10 hours of grilling by members of Congress last month, or caught his awkward moments in the EU Parliament earlier this week. That was all because of the Cambridge Analytica scandal that came to light in March: In a nutshell, the personal data of 87 million Facebook users got shared when it shouldn't have.

Zuckerberg took a stab, at least, at telling EU lawmakers how Facebook would comply with the GDPR.

Facebook isn't alone, of course. A privacy advocacy group in the UK sued Google for $4.3 billion over collecting browser data without people's consent -- the data harvesting happened from 2011 to 2012, but the lawsuit just went to trial on May 21.

But back to you and those privacy notices.

A 2008 study found that it would take average Americans 244 hours a year to read through privacy policies for all the services they use. It's likely that would take even longer with the GDPR's lengthier changes, especially with the influx of new tech in the last 10 years. The Pew Research Center found in 2014 that half of Americans don't even know what a privacy policy is.

"Let's be honest, few Americans can decipher or understand what this contract means," Sen. Kamala Harris, a Democrat from California, said during a May 16 Senate hearing with Cambridge Analytica's whistleblower Christopher Wylie.

With that in mind, experts are skeptical that anyone is really taking the time to dig through all these updates.

"I don't expect many consumers will read a single privacy policy update, let alone the dozens that are showing up in our inboxes over the last couple of weeks," Brian Vecci, a technical evangelist at data protection firm Varonis, said. "But it's a good reminder that every email they get is another company that has at least some of their personal data."

If you do skip these updated privacy policies though, you'd be unaware of all the new data protections that GDPR gives. Here's a quick cheat sheet. You're now able to:

  • Ask a website to delete data that it holds on you
  • Download all the data that a company has stored on you
  • Find out how that company is using your data

Any firm that doesn't comply could face fines of up to 4 percent of its global profits.

Just because no one is reading through a privacy policy doesn't mean there isn't any real change, experts say. Even if only a small handful of people are reading it, they would be able to highlight all the issues that come with it, said Jeffrey Sanchez, the security and privacy managing director at consulting firm Protiviti.

"We have seen examples of people using social media to highlight companies with inappropriate privacy policies," he said.

Erik Charlton, CEO of smart light switch company Noon Home, was on the founding team at Nest and helped write the smart device maker's original privacy policy. He believes that the unread privacy updates still hold weight. Even if consumers aren't reading them line by line, he said, the new regulations will give them a better chance to control their data.

"I think the biggest value is a sense of confidence that they'll have a recourse should they need it," Charlton said.

While he has faith that these updated policies are protecting people, he's skeptical people are looking through the fine print.

"There have been a slew of new user agreements in the past few days, and I'm curious who's reading all of these updates."

source

 

 
