These documents are often written in dense legalese, a technical language that can be confusing for the general public. In fact, this became such a problem that the European Union implemented the General Data Protection Regulation act, specifying that all new privacy policies need to be written using plain, accessible language. However, this only applies to EU territories.
To help us explore the pitfalls and legal loopholes that may be hidden in data consent forms, we’re talking to Diego Naranjo. Naranjo has worked for the organization European Digital Rights, or EDRi, since 2016 and became head of policy in 2019. EDRi works to protect the digital rights of citizens across the EU.
Diego Naranjo: The most common problem is that they are too long and/or in legalese and most people do not have time to read them. Even if you went through the hard work of reading them, they are written in such vague terms that you would not really know what you are signing for.
D. Naranjo: The most recent example is the one of Facebook and their privacy policies regarding the use of facial recognition in their platform.
Editor’s note: The Facebook facial recognition fiasco refers to a supposedly opt-in-only facial recognition service that links users to their faces. Facebook claimed to only store your biometric data with consent. The first wave of users were informed that their biometric data had been taken, but there was no consent confirmation. Facebook then automatically opted-in the second wave of users.
D. Naranjo: As it happens with laws, words in conditional form — “we may”, “we could” — should raise suspicions if the conditions following those expressions are not clear and could be subject to arbitrary abuse. Furthermore, references to unnamed “third parties” that may use personal data you exchange with that platform should raise questions.
D. Naranjo: Privacy policies are a way to explain to users how their data is being used. What is really binding are data protection laws, and if the privacy policies (or in general data protection practices) are not in line with the applicable law then they are invalid.
D. Naranjo: I have not agreed to any “No Fire Policy” when I bought my ironing machine or to a “Non Explosion Policy” when I bought my vacuum cleaner. By default, these products need to respect a number of fire-safety and consumer safety regulations. In the same way, I believe that the best protection is to have privacy by design and by default in all hardware and software that is put on the market rather than expecting people to suddenly become data protection officers when they buy their smart fridge.
D. Naranjo: Regarding terms of services: In most cases people do not have an option. It is a take it or leave it situation and we are forced to accept whatever they tell us if we want to use the service. Regarding privacy policies, that is a bit different. It is a good practice to check what companies are going to do with your data, whether it is Facebook or your local e-commerce shop. If you believe the privacy policies may be not in line with applicable data protection laws, check with a lawyer or present a complaint before your data protection authority so they can deal with it for you.
While privacy policies may indeed be in place to protect your rights, it’s not a stretch to believe that some giant corporations may not take those contracts as seriously as others. Rather than relying on the good faith of faceless entities, why not take a proactive approach and get a VPN.
You can keep your privacy protected on the go, since NordVPN is compatible with all operating systems and most devices. One NordVPN subscription will cover 6 of your devices, potentially securing your entire household.
With NordVPN, you can protect your data from both hackers and the major corporations trying to monetize it.
Enjoy a premium encryption experience and strengthen your online privacy.