What the Unroll.me mess teaches us about privacy post-GDPR
Public apologies are supposed to show a business has learned its lesson and is correcting its course. But that was not the case with blogs posted this week by both co-founders of Unroll.me, a free email unsubscription service owned by Slice Intelligence (itself a division of Rakuten). Instead of having the salutary effect most PRs would advise, their messages came across as, “hey, dummies, how did you think we did this without charging you?”
Once again, the prevailing Silicon Valley view that any data provided or created on a digital platform becomes entirely the property of that service’s owner was revealed. Whether or not this business gets through the current social and media storm, the whole platform economy looks in dire need of some lessons in privacy, consumer rights and, if they have any customers in the European Union, exactly what GDPR is going to mean for them.
When will privacy make it to the front page?
For platform businesses, it is axiomatic that using their service means handing over all data rights. Monetising personal information in a variety of ways, from selling targeted ads through to providing aggregated profiles, is the only revenue stream most of them have (and even then, nine out of ten are still making heavy losses).
British law used to adopt the principle of buyer beware. But GDPR changes this significantly. Not only do privacy notices have to be fair, they have to be visible and not buried in lengthy T&Cs which are couched in legalese. The ICO has also made it clear that data which users might not understand is being collected about them, which it categorises as observed, derived and inferred, also needs to be explained.
If a business intends to use legitimate interest, rather than consent, as the basis for data collection, it will be even more important to spell out the scope and depth of the purpose for which data is being used. When the founders of Unroll.me expressed themselves “heartbroken” that users of their service had not understood this, they showed just how detached their thinking was from that of the average consumer. Enforcement of GDPR will close that gap, potentially at significant cost to the platform operators.
What exactly is being aggregated?
GDPR strongly advocates data minimisation and the pseudonymisation of data where possible. According to the email unsubscription service, it sells “anonymous market research products” and removes personal information. It considers aggregated data to be non-personal information, although it acknowledges that it might combine PII and non-PII.
A big question hangs over whether its clients are being supplied with data that has genuinely been aggregated and anonymised. One of its clients - a ride sharing platform that we will call Unter to protect its identity - is claimed to have bought Unroll.me data in order to examine the receipts which had been sent to users of a rival service (which we will call Elevator).
It is hard to believe that Unter was really only getting a segment-level profile or that, if that is how the data did arrive, it did not work hard to crack that anonymisation by looking for identifiers and links to its own customer data. There is no way of inspecting the data product on offer - certainly not for data subjects - at least until GDPR introduces new rights.
Brussels v Silicon Valley could quickly become the next Joshua v Klitschko unless these disruptors recognise that GDPR is not a trivial change in the law. Some of them have chosen simply to ignore any regulations which they deem to be backward-looking or obstructive. That is when the depth of the regulators’ powers, most notably their newly-upweighted fines, could finally be shown off.