The BEUC, a European umbrella organization of consumer groups, has commissioned automated research into the privacy policies of fourteen tech companies, including Google, Apple and Facebook. The conclusion is that these fall short in the light of the GDPR privacy law.
According to BEUC, which conducted the study in collaboration with the European University Institute, it looked at the privacy policies of Google, Facebook, Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, Airbnb, Booking.com, Skyscanner, Netflix, Steam and Fortnite creator Epic Games. The companies are selected based on the popularity of their services. The investigation took place in June with an AI bot called Claudette, who uses machine learning to benchmark companies’ privacy policies against a ‘gold standard’ and identify problematic passages. BEUC concludes that eleven percent of all sentences in the texts contain unclear language and that about one third provide insufficient information or are otherwise ‘potentially problematic’.
The organization writes that the General Data Protection Regulation, which has been in effect since the end of May, requires that privacy policies contain all necessary information and are written in understandable language. In addition, the processing of personal data mentioned in the policy must actually be lawful. BEUC President Monique Goyens says: “Just over a month after the GDPR comes into effect, many companies’ privacy policies may not meet the standard of the law. This is very worrying. It is crucial that enforcement authorities study this matter further.”
For example, Amazon’s privacy policy would be missing a lot of information. This is also the case with Google; there the analysis also points to ‘problematic processing’ of personal data. Amazon responds to the findings to The Guardian, stating that protecting user privacy “always has the highest priority” and that the company recently created a new privacy page where all settings can be found. In its response, Google states that it has adapted its privacy policy to the requirements of the GDPR and that it uses clear language. In addition, it would provide explanations in illustrations and videos and would give users control over their settings.
BEUC wants to inform the European Data Protection Board about the findings. Recently, a Norwegian consumer organization published a critical report on the privacy menus of Google, Facebook and Microsoft, stating that the companies use ‘dark patterns’ to entice people into less privacy-friendly settings.