The General Data Protection Regulation or GDPR (regulation n°2018/679) came into force on May 25th, 2018. It introduces several important changes such as accountability, new rights for individuals (ex: right to data portability), the appointment of a  Data Protection Officer (DPO) or the carrying out of a Data Protection Impact Assessment (DPIA).

These changes not only impact the European Union (EU) but also the United States seeing as the GDPR applies to controllers and processors which are not established in the EU “where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union” (article 3 of the GDPR). It therefore has a very broad territorial scope.

Following May 25th, 2018, several companies established in the United States became unavailable and users have been posting about the problems they have encountered on the “GDPR wall of shame”. A highpoint has been reached when Mr. Schrems filed an action against Google and Facebook for non-compliance with the GDPR namely regarding consent.

In the mists of these events, Mathias Avocats has read and analysed the privacy policies of Instagram and Microsoft. The firm has drawn an overview of certain deviations with the GDPR.

A lack of transparency

Transparency is one of the six fundamental principles set out in Article 5 of the GDPR. It implies that the information or communication to data subjects, such as privacy policies, must be concise, transparent, intelligible, easily accessible and use clear and plain language (Article 12 of the GDPR). The central consideration of the transparency principle is that the data subject should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data has been used (WP29, Guidelines on transparency, adopted on 29 November 2017).

Both Microsoft and Instagram’s privacy policies are long and often require the user to click on several links leading to different pages to gather all the information needed. This all the more troublesome concerning Instagram which was acquired by Facebook in September 2012. Both companies agreed that Instagram would be an independent service. However, most of the links in Instagram’s privacy policy lead to a Facebook page or require the user to sign in to his or her account and modify the parameters. Once signed in, it is not an easy task to find the required parameter.

Although the language used is clear, certain parts of the privacy policies seem unclear.  What does “and for other legitimate purposes” imply? And are all third-parties indicated? What data are collected by and/or through them? Is the data necessary to provide the service? How is the data kept up to date or erased?

Complex lawful bases

For processing activities to be lawful, they must have one of the six lawful bases set out in Article 6 of the GPDR.

Microsoft does not seem clearly state the legal basis for the processing activities it undertakes. It would appear that the lawful ground is the user’s consent. Under the GDPR, consent must be “freely given, specific, informed and unambiguous” (Article 4 of the GDPR). The Microsoft privacy policy states that if the user refuses to give said data, he or she may not be able to use the product or service. It is unlikely that consent can be considered as freely given in this situation (WP 29, Guidelines on consent, last revised and adopted on 10 April 2018). No indications are given as how consent can be revoked. The company also states other legal grounds which seems to make it unclear which lawful ground applies to each processing activity.

As for Instagram, all the lawful grounds set out in the GDPR are stated. They seem to be used as “catch-all” categories which is not the intent of the GDPR. If the user wishes to have more information, a link is provided. It once again leads to a Facebook page which often requires the user to consult the conditions of use or another page for further information. To withdraw consent, the user must modify his or her parameters. The method used is not as easy as clinking on an “I agree” button and the user must jump through hoops.

What about the rights of data subjects?

The GDPR greatly enhances the right of data subjects. They must be informed of the essential elements of the processing activity (Articles 13 and 14 of the GDPR) and the information must comply with the transparency principle described above. The information to be provided will vary depending on whether the data are directly collected from the data subject or indirectly collected.

Both Instagram and Microsoft do not list and explain all of the rights data subjects’ hold and do not give all the required information, both for direct and indirect collection of personal data. Furthermore, Microsoft does not explain whom or how to contact the company when a data subject wishes to exercise his or her rights.

Is the personal data transferred?

Microsoft states that it complies with the Privacy Shield but does not give any further explanation. What does this imply for users? What data are collected and transferred? Where are the data stored? Does the Privacy Shield apply to all transfers that may exist between Microsoft and a third party outside of the European Economic Area?

As for Instagram, it states that it uses standard contractual clauses, approved by the European Commission, or relies on an adequacy decision. However, the users do not know on what adequacy decision Instagram relies on and whether the contractual clauses it uses have been approved by the European Commission under the GDPR.

What steps can companies established in the United States take?

Companies established in the United States must seek counsel, specialised in data protection and more particularly the GDPR. They should also implement specific procedures (ex: rights of data subjects, notifications of a data breach…). Several steps must be taken to comply with the GDPR.

If a controller or processor infringes a provision of the GDPR, an administrative fine of up to 10 000 000 € or 20 000 000 €, or in the case of an undertaking, up to 2 %or 4% of the total worldwide annual turnover of the preceding financial year can be issued.

Mathias Avocats remains at your disposal for any further questions you may have. The firm can also help you write up privacy policies and other documents or procedures compliant with the GDPR.