Please use this identifier to cite or link to this item: http://arks.princeton.edu/ark:/88435/dsp010z709028q
Title: Unchecked Ambiguity and the Globalization of User Privacy Controls Under the GDPR
Authors: Colvin, Jeremy
Advisors: Mayer, Jonathan
Department: Woodrow Wilson School
Certificate Program: Program in Technology & Society, Technology Track
Class Year: 2019
Abstract: Recently enforced in 2018, the European Union’s General Data Protection Regulation (GDPR) builds on past EU privacy directives and establishes a new era of data privacy emphasizing increased transparency, accountability, and user control with regard to the processing of personal data. A first section of analysis focuses on Article 6 of the GDPR, which defines the basis under which data controllers can lawfully process personal data. Analysis centers on Article 6(f), pertaining to a controller’s “legitimate interest” as the justification for processing. Unresolved ambiguity over the limitations of this term has led to the perception that “legitimate interests” allows controllers to process at-will and with less regulatory oversight. This research project monitors the citing of Article 6(f) among 2,275,137 privacy policies pre-GDPR and 1,937,894 privacy policies post-GDPR, presenting a rise in usage from 104,143 policies (4.58%) pre-GDPR to 185,014 (9.55%) post-GDPR enforcement. Using inductive coding to analyze the text of 828 privacy policies citing legitimate interests supports the argument that this pervasive rise in Article 6(f) negatively impacts the privacy goals of transparency and consumer control. The ambiguity in phrasing, self-discretion to adhere to certain enumerated rights, and lack of regulatory guidance on conducting a balancing assessment in the interests of a data subject illuminate the adverse effects of Article 6(f). With concerns over legitimate interests as an avenue for side-stepping consent, this method of inductive coding establishes tangible concerns over a lack of controller transparency and broad interpretations of the term. The second section of analysis investigates the globalization of the regulation and the ability for controllers to fulfill specific articles of the GDPR relating to user controls. A second dataset evaluates 43 of the most popular U.S. Alexa-ranked websites on their ability to fulfill Articles 17 (Right to Erasure) and 20 (Right to Data Portability) when approached from two different IP addresses (U.S. and EU). Using a VPN to appear as a subject from the U.S. or EU, data was collected through signing up for the top web services and subsequently requesting they adhere to Articles 17 and 20 by returning a copy of the account’s data and then deleting the account and all personal information. This presents novel evidence on the extension of the GDPR to non-EU subjects, with 25 (58%) offering both portability and erasure and 31 (72%) offering at least one of these rights to U.S. subjects. These findings serve as compelling evidence that EU privacy regulations are influencing the privacy standards of U.S. consumers. Furthermore, this dataset fills a research gap in understanding the current status of controllers’ ability to fulfill both these requests for required EU subjects, revealing that they comply 72% of the time. A third dataset is introduced, with 22 controllers being queried appearing from the Russian Federation to determine if preference is given to U.S. subjects when extending GDPR policies beyond the EU. There was no difference in results between U.S. and Russian requests. A final section addresses future policy needs and the effects of the GDPR on U.S. agencies. In the scenario that the European Data Protection Board fails to move quickly to release a framework for Article 6(f) that restrains controllers, regulatory oversight will shift onto the Court of Justice of the European Union (CJEU) to deliver guidance through court opinion. As controllers extend GDPR privacy policies to U.S. subjects, the Federal Trade Commission will be able to regulate controllers to the standards of the GDPR, without the need for comprehensive federal privacy legislation.
URI: http://arks.princeton.edu/ark:/88435/dsp010z709028q
Type of Material: Princeton University Senior Theses
Language: en
Appears in Collections: Princeton School of Public and International Affairs, 1929-2023

Files in This Item:
File: COLVIN-JEREMY-THESIS.pdf
Size: 928.22 kB
Format: Adobe PDF


Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.