New European Union regulations could mark a “sea change” for users trying to navigate reams of pages of terms and conditions every time they download an app or sign up to a web service, says a Canadian privacy expert.

It will affect companies in Canada and the U.S. that do business in Europe and is expected to raise the bar on privacy and security worldwide, says Ann Cavoukian, former privacy commissioner for Ontario.

The average person would need to take the equivalent of a month off work each year just to properly read and understand all the terms and conditions policies they encounter, Cavoukian told CTV’s Your Morning Tuesday. They are often written in dense, complicated legalese that is time-consuming to read and difficult to understand.

Researchers reviewed the top 75 websites and found the median length of their privacy policies was 2,514 words. They are not written for the user’s benefit, but rather to protect the company from liability, says Cavoukian, who is now executive director of the Privacy and Big Data Institute at Ryerson University in Toronto.

The result is, most people skip over them, scrolling through until they get to the “agree” button. That may seem harmless, but it allows companies to collect and share an enormous amount of personal information and data of all kinds about each user.

Facebook’s privacy policy, for instance, grants the social media giant a worldwide, transferable, royalty-free licence to use any intellectual property a user posts, including photos and videos, for any commercial purpose. Facebook users can adjust their settings to “dramatically” reduce who has access to their information, but most people don’t.

But new rules passed by the European Union, called the General Data Protection Regulation, put the onus directly on companies and organizations that hold personal data to be fully responsible for protecting it. One of the major changes will be setting full privacy as the default position, says Cavoukian.

“Privacy as the default means you automatically include privacy within your policy. You don’t wait for the individual, the data subject, to say, ‘I want privacy, I want to restrict the use of this information.’ You say, ‘Don’t worry about it. That is embedded as a default setting automatically. We will only use your information unless we come back to you to ask for your additional consent.’”

The GDPR will take effect on May 25, 2018, a date already being referred to as the “D-Day for security.”

Cavoukian says the new rules retool the discussion around data privacy. The GDPR is a total overhaul of existing data protection rules drafted in 1995, clearly a long time before the internet, smartphones or social media became pervasive, and before ordinary people worried about hackers, identity theft and remembering passwords of at least eight letters, numbers and symbols.

“This may be a complete sea change.”