If you’ve been very observant lately, you would probably notice an upsurge in the frequency of email notifications about updated terms of service and privacy policies from various internet companies. It seems these companies have suddenly realized that your privacy is tremendously important to them, and are rushing to put their terms of service and privacy policies in order; and subtly beseeching you take a look at them. In the last few weeks alone, I have personally received streams of messages from Google, LinkedIn, Twitter, Microsoft and many other online service providers.
The driving force behind these updates is EU’s new General Data Protection Regulations (GDPR), which comes into force on May 25th. Most companies that have users in Europe are scrambling to update their privacy policies and terms of service to avoid breaking the new law. Companies operating in Nigerian are not immune to the new law either. Nigerian companies whose services and operations extend to or affect EU citizens such as multinationals, companies that collect personally identifiable information, and whose services are accessible online by anyone in the EU are expected to comply with the law.
The reason for the recent wave of email notifications about privacy policy and terms of service update mostly stem from a section of the law that talks about user consent and taking steps to prevent companies from roping users into service agreements that are hidden within lengthy legalese that most people don’t bother to read, and will agree to anything to get past them. I have written about new tools that can help you visualize and make sense of intimidating privacy policies.
The EU regulators are certainly paying attention to these email notifications. The GDPR is essentially about accountability of data custodians, and giving users more control over what happens to their personal data. Often times, privacy policies have been subtly designed to provide legal cover for the companies. In a recent post, Giovanni Buttarelli, the EU Data Protection Supervisor stated thus: “We and other DPAs are therefore worried that even the biggest companies may not yet understand that with the GDPR these manipulative approaches must change. They must change, for instance, to satisfy Article 7(4) of the GDPR, which states that consent cannot be freely given if the provision of a service is made conditional on processing personal data not necessary for the performance of a contract.”
The EU GDPR should serve as a wake up call to Nigeria and African nations to rise up to the challenge of data privacy laws. According to a recent Quartz publication, only 23 out of 55 nations in Africa have passed or drafted data privacy laws, and only nine of them have data protection authorities. As we approach the May 25 GDPR deadline, we’re all going to be learning a lot more about how companies collects our data and what they do with it.
