Today, Explained - We've updated our privacy policy
Episode Date: May 29, 2018
You know those privacy policy emails flooding your inbox lately? Turns out those are thanks to the European Union’s crackdown on websites that collect your personal data. The Verge’s Russell Brandom explains the regulation known as the GDPR and why Europe seems to care about your security more than America.
Ireland passed a historic referendum over the weekend, voting to legalize abortion. You can hear about one of the strictest abortion bans in the world in our episode here: https://art19.com/shows/today-explained/episodes/e66e8aca-b398-46a8-8468-8ffb3f823184
Transcript
Russell Brandom, senior reporter at The Verge.
I've been getting all of these emails.
Yeah, I've been getting them too.
Subject line's always the same, right?
We've updated our privacy policy.
I get them from websites I use, from websites I never use,
from websites I forgot existed.
And I always do the same thing.
I just delete them without reading them.
Am I making a terrible mistake?
No, I do that too.
I would say reading them would be a mistake because you'd be losing valuable seconds, you know, all of our time as living creatures is precious.
Great, because I'm going to make a terrible mistake now by reading you one of these emails. Oh, no.
All the listeners, too.
We're all stuck in it with you.
Okay.
Well, for the purpose of this, you know, episode where we explain what these mean, I feel like I should maybe just read one.
So I went through all of the ones I have, which is about like eight from like Kickstarter and Google, and I found the shortest one.
And it's from my former employer, actually, New York Public Radio.
Dear friend, New York Public Radio is committed to respecting user and member privacy rights.
We are writing to let you know that we are updating our privacy policy effective as of May 25th, 2018.
We're almost done for those of you who are dying.
The new policy does not change how your data will be collected or processed.
It has been revised largely to increase communication and transparency along lines suggested by new European Union legislation, the General Data Protection Regulation, GDPR.
Please take a moment to review the new policy here, and please feel free to contact us with any questions.
What the heck is going on?
So there are new rules. The GDPR, General Data Protection Regulation, it took effect May 25th and everyone was sort of scrambling to get compliant, because if you're not compliant, you can get fined a ton of money.
One of the provisions is when you have the privacy policy, the terms of service, where you tell people what you're doing with the data, you have to say it basically in a way that humans can understand.
We all know that generally these things are impossible to read.
And so they specifically said, like, you have to be clear and actually tell people what's
going on. Yeah. And so everyone across the board is sort of scrambling. No one
really knows what a readable and clear and accessible privacy policy looks like, but
everyone's kind of giving it their best shot before the deadline. And that's why all the emails are
coming in at the last minute. Someone I was talking to said that it was like watching all the kids
like throw their homework in at the last possible minute before midnight under the professor's desk. That's
pretty much what we're seeing. So have there been some particularly egregious examples?
I mean, I got some that were past the deadline. You should really have the privacy policy up
by the time that you're legally required to be compliant. And there were some where it was like
3 a.m. coming in. I was like, man,
you guys, you're really cutting it close here. That really does feel like turning in your
homework like on the day of, right? Yeah. It's like lawyers are clocking a lot of overtime on
this. So the GDPR, the General Data Protection Regulation, all my emails say stuff about Europe.
It's a European Union regulation, but everyone in the world's getting these emails?
Yeah, pretty much.
On privacy policies, basically everyone's decided like, well, it's better if it's clearer
for everyone.
Like we should just change the whole thing and have it all be the same.
So just everyone gets an email basically.
So I guess we should just walk through what GDPR is.
Anytime companies are dealing with personal data at all, so like including their employees data or data that, you know, just the grocery store has on you.
People who are running websites and Google and Facebook that are doing all this, you know, intense ad targeting and, you and the mass of data that they have.
And a lot of that needs to be changed now because it has to be brought up to these new standards.
So what are the new standards?
They need to say why they're collecting the data
and they need to say what they're doing with it
and what they're using it for.
And they didn't have to do that before?
No, not really.
That's what's so wild about it.
I mean, the really remarkable thing about it is that it's sort of applying these rules
collected this data on the people who used my service, they click the little box saying it's
okay to collect our data, or at least we know you're collecting it, then what can I do with it?
What am I allowed to do with it? There haven't really been a lot of rules about that.
And so now you have to be very clear saying, okay, well, this is our ad targeting partner,
and we were giving it to this person for ad targeting purposes. And that means they're allowed to do X, Y, and Z with it,
and they can't do anything else with it. And this other person is an analytics partner,
and they are doing X, Y, and Z with it, so they're allowed to do this stuff,
and really sort of map out who gets what in the event of a breach, who's responsible for what.
And so there's all of this complex sort of legal liability that's suddenly
applied to this world that before now had really just been a free-for-all.
So that sounds totally reasonable.
And if anything, overdue.
You would think.
What else does the GDPR do?
So there's also a lot of stuff about you having access to your data just because like Facebook or Google or another company is holding it.
You can request it, you can request
it, you can correct it or say, don't use that. Those products are kind of already rolling out.
I mean, Facebook had a version that came out a few months ago. That has been another thing that's
happening in the background, kind of the privacy policies were really the last thing under the wire.
It sounds sort of like all of this is about consent and transparency, making sure that
users consent to everything that Google or Facebook or, you know, Zappos.com is going
to do with its ish.
There's more to it than just consent, because even consent only gets you so far in terms
of collecting data and sharing it.
Okay.
There's also this idea that it can only really be used in certain ways.
And even if you click all the boxes, you have certain rights, again, as an EU citizen.
So it's not like Americans can really successfully bring suit about this.
Yeah.
That still protect you even if you've given all the consent they asked for.
Is there another element of this?
Like what if you just...
There's so many elements.
So there's also, when a data breach happens,
you have a much shorter deadline
as to when you have to sort of tell everyone.
There are a ton of lawyers who think about
nothing but tiny portions of the GDPR.
So I don't want to give the sense
that I've covered everything,
but those are sort of the greatest hits.
What if you're sitting there,
you're looking this over,
for the first time in your life, you're paying attention to data
policies and you're just like, I just want to opt out of all of this. Does that option now exist?
Well, I mean, do you have a cabin in the woods that you can go to? There's no real opt out here.
You can't say I want to use Gmail, but don't ask me what my birthday is or don't ask me sort of
what my interests are. It's really an all or nothing pill.
And the choice that you're giving people is no choice at all.
This is you're being coerced into sharing your data because you want to participate
in the digital world.
And these are sort of necessary services.
There are definitely people who are saying a service like Facebook, which like it does
have to know your birthday.
If it's going to tell people what your birthday is, it does have to sort of know various things
about your interests
if it's going to serve you with relevant content.
But then there's no real line between that data
and the data that's used for advertising.
Like it's all just sort of information
that's used to serve you content.
And this is by design.
Okay, if we really need to separate those things,
then what does Facebook even look like?
Did this all happen because of Facebook?
Was this a Cambridge Analytica?
This has been on the books for two years. Okay. If anything, it's more pointed at Google,
certainly pointed at Facebook too. But I think one of the things we saw is when Facebook did
get in really hot water over Cambridge Analytica, I mean, one of the things Mark Zuckerberg said
specifically to Congress, he says, look, we want you to feel like you own your data.
The first line of our terms of service say that you control and own the information and content
that you put on Facebook. We have a download your information tool where you can go,
get a file of all the content there, and then do whatever you want with it.
And the people are in the back of the room saying, hey, wait, that's the GDPR thing.
You're doing it because Europe required you legally to do that. And you got it in a couple
months early. This isn't just because you wanted people to feel good. Did anyone on the committee
call him out for that? I mean, unfortunately, Congress is not terribly well versed in like
European privacy law. So I think there were maybe some grumblings from staffers afterwards. But
I mean, they had plenty to be unhappy about already.
And I do think it's fortuitous in some ways because it's coming out at this moment when maybe in America for the first time, people are really starting to be aware of the power
that this kind of data sharing can have and ways in which we may want to rein it in, in
a way that, you know, folks have been worried about this in Europe
for as long as there's been a Google.
Coming up, the billion-dollar question.
Why does the European Union seem to care more about your data security
than your own government?
This is Today Explained.
So Russell, this just went into effect on Friday. What's happened since? Any news? Yeah, so we have these extremely big lawsuits filed by this Austrian privacy activist, Max Schrems, basically saying that the most popular services on the internet, you know, Android, Facebook, Instagram, WhatsApp, are not GDPR compliant because they say, give us this data in order to give you this service.
And if you don't give us the data, then you can't use WhatsApp and that's it. You know,
take it or leave it. Okay. And he says that that's sort of against the principles of the GDPR.
I should add one of the other things about the GDPR that tends to get people's attention is if you are found to not be in compliance, companies above a certain threshold of size
are liable for fines of up to 4% of their global revenue, which is billions of dollars.
And there had been sort of laws that were kind of like this that had slightly lower fines.
But this is a really scary amount of money, even for Facebook and Google,
which are basically printing money.
Yeah.
So the rubber is kind of meeting the road.
That's kind of the big question is, okay, how do we enforce this law?
What does this look like?
How are the courts and the various enforcement mechanisms looking at this, which will ultimately
answer the question for people of, okay, how do I need to write my privacy policy?
How do I need to write my data sharing agreement with ad targeting partners in order to comply with this so that I don't get some
horrific fine? And it's just been like four or five days thus far. Oh, yeah. Has anyone been
hit with a lawsuit yet? Google and Facebook, those are the big ones. I mean, I think it's a little
tricky because if you're waiting to do it, you want to wait to see a little bit more about how that one works out.
Okay.
They're definitely starting with the big fish.
And I think that's in part because a lot of the political will behind the GDPR in Europe has been as a way of reining in big U.S. tech companies like Google and Facebook.
That's the first big test.
And then water flows downstream from there.
But yeah, we'll see.
And sorry, we're talking like some insane sums of money here, right?
Like how much were Google and Facebook sued for?
7.6 billion euro.
You know, that number definitely gets your attention.
It got my attention.
It's an enormous amount of money.
I guess the 7.6 billion euro question I have then is like,
why does Europe take this more seriously
than the United States?
It is a good question.
And they're really leading on here.
I mean, and there have been a couple of sort of moves
in the US Congress of what's the US version of the GDPR.
These are US companies.
Even when Mark Zuckerberg was going for Congress
and people were being a little rough on the guy,
they were saying, oh, well, this is this wonderful American success story.
Like you were in your dorm room and you coded this website and now it's this billion dollar company and you're insanely powerful. Like what a country. You know, in Europe, you look at that
same thing and you see maybe this kind of invading force, right? They see it as a threat to European
values of democracy in a lot of ways, which is, again, something we're
coming around to post Cambridge Analytica. But Europe has been thinking about this for a long
time, too. And is part of that like fascism and communism and Big Brother being items Europe has
experienced in just a much different way? Absolutely. You know, a lot of the privacy
campaigners in the U.S. will say, well, Google is a surveillance company. It's not an advertising company. It's a surveillance company. And the same thing about Facebook, right? A lot of these tech companies are surveillance companies because they was collecting information on East Germans like Angela Merkel.
This had very real and concrete consequences for you.
The fact that this information was out there and it was being collected in a central place.
There's a sort of visceral understanding of the dangers of data collection in Europe.
There's an aspect of American culture where we just love a company that makes lots of money.
We figure they must be doing something right.
And as part of the American resistance to really taking this seriously,
does it have something to do with the fact that like Google and Facebook still seem like they have their hearts in the right places to a lot of people?
And we need to wait for a scandal much more incriminating than Cambridge Analytica to really feel like, oh, this is super dangerous.
I'm not just going to blindly check off the box when I sign up for a new app or something. It is tricky.
We've done a little bit of polling, and I think there's other polling you can look at. People
still seem to look at tech companies fairly positively in like a nonpartisan light. It's
handy to have Google Maps, right? Yeah. It's nice. Part of it is also that there
isn't an obvious political coalition. So far, it's mostly been Democrats, but there's also a
lot of Democrats who don't particularly have a problem with this. It just doesn't really fit
into a lot of the standard partisan narratives that we have in the U.S. And I mean, Congress
is broken, so it's hard for anything to get through.
And there are concrete laws you can pass to the extent that you believe that data collection is a problem and you want privacy to be protected. Who's going to be the person who bets their
political capital on it? The math is a little bit more complicated.
Russell Brandom writes about technology for The Verge. Last week on the show, we did an episode about a big referendum in Ireland.
The country for the first time was voting on whether or not to overturn its constitutional ban on abortions.
It's one of the most restrictive abortion bans in the world.
The referendum was Friday and a lot of people thought it'd be close, but it wasn't.
It was a landslide. Ireland overwhelmingly voted to legalize abortion,
and now Northern Ireland is considering changing its laws. You can hear a whole lot about the
referendum and what it means for Ireland in our episode from May 21st, if you didn't hear it then.
The link to that show is in the description for today's episode.
I'm Sean Rameswaram. This is Today Explained.