Updated privacy policies after Facebook scandal leave room for improvement

Facebook icon

TORONTO —  In the wake of revelations around the alleged misuse of the data of up to 50 million Facebook users, some of the world’s biggest technology companies are turning their attention toward convincing the public that their personal information is in safe hands, but their efforts are leaving plenty of room for improvement.

Since it was alleged last week that analytics firm Cambridge Analytica mishandled personal information from Facebook, social media and technology businesses including Microsoft, LinkedIn and Slack emailed users announcing updates to their privacy policies and reaffirming their commitment to data protection.

While Canadian experts applauded the transparency efforts, they said such missives typically fall short because they’re usually written in legalese or are so vague that they end up raising more questions than answers.

“Companies think of privacy as an afterthought. It needs to be at the forefront,” said Imran Ahmad, a partner at Miller Thomson who leads the firm’s cybersecurity practice.

“If you read a privacy statement and can’t understand it, are you really giving informed consent?”

Microsoft’s email to users was sparse on details, but said changes to its services agreement were being made with transparency in mind.

It linked to a frequently asked questions page on the changes, which featured another link to a list of 27 adjustments it is making to its service agreement. That list mentioned “we’ve added details on our policies relating to data processing,” but didn’t explicitly say what those details are.

Teresa Scassa, the Canada research chair in information law and policy at the University of Ottawa, poked around the links and said she thought “wow, the ordinary consumer lost interest minutes ago.”

She said a better approach would be to offer a version of the agreement that was “red-lined” to show changes.

She also had criticism of the email sent out by professional networking platform LinkedIn, which said it has made it “even easier to understand the data we have about you, how you can correct it and how you can ask us to stop using it”. It also promised that new settings it was rolling out will offer “more control over ads you see and more transparency about the data shared with advertisers.”

A link it provided to a blog it said would contain “full details” took Scassa and the Canadian Press to another page that didn’t mention the changes and instead listed users who specialize in privacy, articles on the topic and jobs open in the field.

LinkedIn spokesperson Imani Greene said the company would look into whether there was a technical regional issue with a link that didn’t direct some users to details on its privacy policy changes. She stressed that the company announced the changes, which she said were prompted by new privacy laws the European Union and not the Facebook scandal, on Mar. 8 in a detailed blog.

Scassa said the emails from Microsoft, LinkedIn and communications platform Slack, whose email to users touted “improved clarity and transparency” by making terms “clearer and more understandable” and sharing more details on its data processing practices, could have been sent earlier than planned because of Facebook’s scandal.

However, she said it was likely these privacy upgrades were already underway in preparation for the European Union’s General Data Protection Regulation, which goes into effect in May and forces companies to offer EU users of such platforms more control over their data.

Notes from LinkedIn and Slack both referenced the obligations, which Ahmad believes will eventually become “the gold standard” for other continents.

He hopes that businesses will be more explicit in describing how third-party companies can use data collected by technology companies, offering bullet-point summaries in terms the average person can understand when policies are updated, and even explore the idea of creating an ombudsman to field concerns and mediate conflicts between platforms and users.

Regardless of what route some companies take, Scassa says it is paramount that they focus on managing their “custody of huge amounts of personal info that clearly can be used for really harmful and dangerous purposes” that “can lead to serious crimes and attempts to subvert democracy.”