We need to talk about terms and conditions

Giovanni Buttarelli

Terms of service are generally designed to safeguard a service provider against legal challenges. These terms are not like a memorandum of understanding, trade agreement or a contract established jointly by two more or less equal parties. Rather, they are laid down by the service provider and not open to negotiation. In the EU there are rules protecting the consumer against unfair terms, under Article 102 of the Treaty on the Functioning of the EU, prohibiting a dominant company in a market from imposing unfair trading conditions.

As a subset of terms of service, ‘privacy policies’ first arose when personal data started to become, around two decades ago, a central feature of business models. Early versions of websites - such as that of the then popular Altavista search engine in 1999 - focused on the privacy not only of visitors to the search engine itself but also of the website owners appearing in the search results. Altavista stressed that it knew nothing about the user, and explained the role of cookies and how to opt out. Privacy policies have since evolved from such largely factual statements into, nowadays, either long, verbose and impenetrable legalese, or else vague and soothing PR exercises. Either approach places the burden on the individual to understand complex data practices and act rationally in her own best interests.

Earlier this month, the Commission announced that, following action by the Commission and EU consumer protection authorities, Facebook would be updating its terms of service by the end of June to explain better how the company uses its users' data. Consumer authorities had considered the company’s terms to be misleading and to fail to refer clearly to the use of its subscribers’ data to sell targeted advertising services to traders. The company has undertaken, according to the Commission, to amend its policy on limitation of liability, acknowledging responsibility in case of negligence, for instance where users’ data has been mishandled by third parties.

This announcement indicates a step in the right direction. But, as has been observed, the announcement also highlights the continued lack of genuine cooperation between data and consumer regulators and, where the company happens to be dominant in the market, between them and competition authorities. The common aim ought to be to ensure a coherent outcome in the interests of the individual, whether data subject or consumer.

Transparency is a cornerstone of data protection as well as consumer law, inextricably linked to lawfulness and fairness. Transparency, however, has also become a double-edged sword: provide too much information and the average person cannot reasonably be expected to read it; oversimplify and she will have little idea of what is really going on. That is why the GDPR strains to specify what it means to be transparent: namely that the information provided should be in clear and plain language, easy to access and to understand. As set out by the EDPB in its recent draft guidelines on processing data necessary for the performance of a contract, people should not be compelled, in signing up to a service, to accept personal data processing which they are not comfortable with; and having sufficient information is a prerequisite to such an entitlement. Transparency is also integral to privacy by design and by default. It is meant to preclude ‘dark patterns’ or ‘deception by design’. These practices appear to undermine both data protection and consumer protection - because they nudge (or shove) people towards accepting excessive personal data processing or into rushing into purchase decisions.

We have been facilitating dialogue and information sharing between consumer, data protection and competition authorities through the Digital Clearinghouse, which meets several times a year. The forum has indeed discussed ‘take it or leave it’, impossible-to-read ‘privacy policies’, opaque and unchallengeable practices and multiple obscure third-party agreements for data sharing. It is now time for regulators to begin working together across disciplines to tackle real cases like that of Facebook’s terms of service. The German Federal Competition Office has been leading in this regard with its recent decision on the exploitation of consumers by means of unfair terms and conditions. At the same time, we are investigating the compliance with Regulation 2018/1725 (the GDPR for EU institutions) of contracts entered into by public bodies in the EU with Microsoft.

Transparency and clear and truthful terms of service are only the surface of a deeper issue of accountability for data practices - taking responsibility for the risks which accompany decisions to collect and use personal information for private gain. As the EDPB stated in September 2018 on the question of future proposed mergers in the digital sector, data protection authorities are ready to take up the challenge of closer collaboration.