Privacy policies are still too horrible to read in full

A year on from Europe’s flagship update to the pan-EU data protection framework the Commission has warned that too many privacy policies are still too hard to read and has urged tech companies to declutter and clarify their T&Cs. (So full marks to Twitter for the timing of this announcement.)

Announcing the results of a survey of the attitudes of 27,000 Europeans vis-a-vis data protection, the Commission said a large majority (73%) of EU citizens have heard of at least one of the six tested rights guaranteed by the General Data Protection Regulation (GDPR), which came into force at the end of May last year. But only a minority (30%) are aware of all their rights under the framework.

The Commission said it will launch a campaign to boost awareness of privacy rights and encourage EU citizens to optimise their privacy settings — “so that they only share the data they are willing to share”.

In instances of consent-based data processing, the GDPR-guaranteed rights include the right to access personal data and get a copy of it without charge; the right to request rectification of incomplete or inaccurate personal data; the right to have data deleted; the right to restrict processing; and the right to data portability.

The highest levels of awareness recorded by the survey were for the right to access their own data (65%); the right to correct the data if they are wrong (61%); the right to object to receiving direct marketing (59%) and the right to have their own data deleted (57%).

Commenting in a statement, Andrus Ansip, VP for the Digital Single Market, said: “European citizens have become more aware of their digital rights and this is encouraging news. However, only three in ten Europeans have heard of all their new data rights. For companies, their customers’ trust is hard currency and this trust starts with the customers’ understanding of, and confidence in, privacy settings. Being aware is a precondition to being able to exercise your rights. Both sides can only win from clearer and simpler application of data protection rules.”

“Helping Europeans regain control over their personal data is one of our biggest priorities,” added Věra Jourová, commissioner for justice, consumers and gender equality, in another supporting statement. “But, of the 60% Europeans who read their privacy statements, only 13% read them fully. This is because the statements are too long or too difficult to understand. I once again urge all online companies to provide privacy statements that are concise, transparent and easily understandable by all users. I also encourage all Europeans to use their data protection rights and to optimise their privacy settings.”

Speaking at a Commission event to mark the one-year anniversary of the GDPR, Jourová couched the regulation as “growing fast” and “doing well” but said it needs continued nurturing to deliver on its promise — warning against fragmentation, or so-called ‘gold-plating’, by national agencies adding additional conditions or taking an expansive interpretation of the rules.

She also said “strong and coherent” enforcement is essential — but claimed fears that national watchdogs will become “sanctioning machines have not materialised”.

Though she made a point of emphasizing that: “National data protection authorities are the key for success.”

And it’s fair to say that enforcement remains a rare sight one year on from the regulation being applied — certainly in complaints attached to tech giants (Google is an exception) — which has fuelled a narrative in some media outlets that tries to brand the entire update a failure. But it was never likely data watchdogs would rush to judgement on a sharply increased workload at the same time as they were bedding into a new way of working for cross-border complaints, under GDPR’s one-stop-shop mechanism.

Regulators have also been conscious that data handlers are finding their feet under the new framework, and have allowed time for their compliance. But from here on in it’s fair to say there will be growing expectation from EU citizens for enforcement to uphold their rights.

The EU data protection agency with the biggest bunch of strategic keys where GDPR is concerned is the Irish Data Protection Commission — which has seen complaints filed since the regulation came into force more than double, thanks to the country being a (low tax) favorite for tech giants to base their European HQs.

The Irish DPC has around 18 open investigations into tech giants at this stage — including, most recently, a formal probe of Google’s adtech, which is in response to a number of complaints filed across Europe about how real-time bidding systems handle personal data.

Adtech veteran Quantcast’s processing and aggregating of personal data is also being formally probed.

Other open investigations on the Irish DPC’s plate include a large number of investigations into various aspects of multiple Facebook-owned businesses, as well as a smaller number of probes into Apple, LinkedIn and Twitter’s data handling. So it is certainly one to watch.

In comments at today’s event to mark the one-year anniversary of the GDPR, Ireland’s data protection commissioner indicated that some of these investigations will result in judgements this summer.

“We prioritise fair and high quality judgements. We keep our focus on the job. We have a big quantity of large scale investigations on the way and some of them will be finalised this summer,” said Helen Dixon.

Also speaking at the event, Qwant’s founder Eric Leandri said GDPR has been a boon to his pro-privacy search engine business — suggesting it has increased its growth rate to 30% per week.

“People who understand what data privacy means are inclined to protect their privacy,” he added.