
Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 17 August 2018


Greetings from Brussels,

European Data Protection Supervisor Giovanni Buttarelli recently wrote an interesting column in The Washington Post tackling big tech and how it continues to violate individual privacy rights. Buttarelli maintains that, despite the entry into force of the GDPR and the many efforts by companies to build their compliance programs, consumers are not altogether reaping the benefits of the intended legislation; rather, they are possibly being coerced to continue business as usual, particularly where digital services are concerned.

Buttarelli lays out the case that, with the GDPR now the standard, and very much like its predecessor directive, all personal data processing must be "lawful and fair." Depending on the scenario at hand, companies have several appropriate mechanisms with which to do this, ranging from consent to legitimate interest, all while respecting individual privacy.

Buttarelli also points to the limitations of data processing under a contract between a company and a given client. Clearly, when purchasing online, a certain amount of personal data is required to fulfill the terms of the contract, such as credit card and delivery information. However, as Buttarelli states, a contract cannot be used for obtaining de facto and unadulterated consent; he is concerned that some companies may still be relying on a "take-it-or-leave-it" approach to justify sweeping data practices. Buttarelli cites that, under EU law, a contractual term may be unfair if it "causes a significant imbalance in the parties' rights and obligations arising under the contract that are to the detriment of the consumer." With the advent of the GDPR, the EU is strengthening its efforts to prevent business practices in which consumers are led to accept contractual conditions in exchange for liberal monitoring of their personal data: where the GDPR foresees explicit consent, companies do need to obtain it.

As Buttarelli highlights, when companies ask for individual consent, consumers should recognize this as an indicator that a party wants to do something with their personal data which they may not reasonably expect. Companies have a duty to be open, transparent and respectful of their consumer and user communities, no matter how self-evident the request for consent may be. This is valid for social media entities as well as mainstream businesses. The recent Facebook-Cambridge Analytica affair is a prime example, where a third-party company collected data in circumstances where this would not have been reasonably expected.

The road ahead is a complex one, as EU member state regulators are faced with the task of monitoring the digital services that offer so much facility to our daily lives. And while those regulatory interactions may prove decisive in shaping more transparent organizational behavior for the future, it remains questionable how informed EU citizens are about digital practices and their rights to privacy under the GDPR. Invariably, while the GDPR applies in all EU member states, individual member states will need to play a greater role in educating and informing the public for the ideal environment to exist: this goes beyond the efforts of the national regulators.

As Buttarelli concludes, in a post-GDPR world, we will most probably need a more concerted effort and dialogue among governments and organizations, as well as developers, to embrace a far greater ethical dimension for the uses of digital technology to ensure that citizens have the effective protections and controls to safeguard their personal data from the outset.

