45

Multiple times, for multiple publishers, I have received an automated email, sent through editorial manager software, asking me to referee a paper. When I click on the link in the mail, I am first prompted to agree with the publisher's "Privacy Policy".

This policy, among other things, grants the publisher the right to use my personal data for marketing purposes, and to sell my personal data to third parties for their marketing purposes.

I do not see why I should consent to any such thing, as a condition of agreeing to do review work for free.

Is there any way I can meaningfully push back against this, without antagonizing the scientists on the editorial board? My disagreement is with the publisher, not with them.

academic
  • 25
    You decline and write "I do not see why ...". I'm not sure what else there is to say. – Allure Aug 09 '23 at 10:45
  • 3
    @Allure If I do that, then I presume that the editor will see it and the publisher's staff will not. The editor is someone I highly respect, a very influential person in my field, and the publisher's marketing practices are not under his purview. I'd rather not address my complaint to him. – academic Aug 09 '23 at 11:37
  • 9
    If that is your concern, write to the journal's email with your complaint. Just be aware that it'll almost surely have no impact. If you actually want to make changes, convincing the editor is the most realistic first step. – Allure Aug 09 '23 at 11:57
  • 17
    I'm not an academic, but I'm a software engineer and I have to comply with GDPR so I know a couple of things.

    Under the GDPR that's illegal, and if you are European you can raise your voice about the privacy issue with the legal entity that manages those things in your country (or you can tell them that you will report them but not really do so); they will fix their privacy policy right away

    – Bloodday Aug 09 '23 at 20:26
  • 4
    it's up to the editor to choose which publisher they go through – njzk2 Aug 09 '23 at 21:00
  • Write a snail-mail letter to the publisher, with return receipt, registered mail. That sometimes raises a few eyebrows, makes a few hearts beat a bit faster, and makes people treat the contents with due attention. Include contact details, especially your mobile number in the letter. You may get a call back. – Kuba hasn't forgotten Monica Aug 11 '23 at 17:27
  • @Bloodday Unless the journal is based in the EU, I don't think this has much legal standing. GDPR does not cover your interactions with sites outside the EU. – Federico Poloni Aug 12 '23 at 12:27
  • @FedericoPoloni sadly, the GDPR can reach outside of EU, like other laws from other countries (US COPA for example). Here you have more info https://gdpr.eu/companies-outside-of-europe/ – Bloodday Aug 24 '23 at 15:20

4 Answers

35

As suggested in comments, just refuse to review for the journal. If you want to tell them why, it might (or not) have an effect on their policies.

Those scientists on the board will have more clout than you do in effecting change in policies. But they may need to be made aware of the issue and that others consider it important. Just. Say. No.

Those editors have no reason to be insulted as the policies aren't theirs. Simple phrasing of a declining email can make this clear.

But gathering personal information for sale is sadly now ubiquitous. At least they are honest enough to tell you about their policy.

Also note that reviewers provide a valuable service to the publisher (as well as the scientific community). They should treat you better than to sell your personal information.

Buffy
  • 5
    Also, the editors are the ones who have to worry about finding reviewers. I'd guess they'll be more worried and thus willing to push towards a change than staff at the publisher service email. – cbeleites unhappy with SX Aug 11 '23 at 07:29
24

If you are in the European Union, the publisher is breaking the law (regardless of where they are based). Some organisations break the law as a calculated move, but most that do do so "accidentally": owing to the ignorance, incompetence or arrogance of employees, or to procedural failings. This kind of situation can often be resolved with an email.

In this email, you may optionally CC your GDPR supervisory authority, and/or the supervisory authority of the publisher's EU headquarters (if they have one). The Italian DPA maintains a list of DPAs. Many data protection authorities have policies you should follow before contacting the supervisory authority; for example, the UK's ICO requires 30 days' notice (and ongoing engagement) before escalating. Do keep these in mind.


To: Publisher's Legal Department <legal@example.biz>
CC: Editors <j.moriarty@example.ac.be>; Own Country Supervisory Authority <contact@example.eu>; Publisher Country Supervisory Authority <kontakt@example.de>
Subject: Refereeing without additional data processing

Dear Publisher's Legal Department,

I have been invited to review a paper for Name of Journal. Before I can accept this invitation, your website requires me (per the Privacy Policy) to consent to "quotation from privacy policy". As per Articles 6 and 7 of the GDPR, this is far from being valid consent for the data processing: you are not permitted to use the data you've collected on EU residents for this purpose, and I'd appreciate if you didn't.

I would like to accept this invitation to referee for Name of Journal, but I object and do not consent to the use of my personal data for these additional purposes. Per GDPR §7.3 and §7.4, please allow me to accept the invitation to referee.

Yours faithfully,

wizzwizz4
  • 2
    "As per Articles 6 and 7 of the GDPR, this is far from being valid consent for the data processing": What do you mean? If you give consent, they are permitted to do what you gave consent for. The GDPR requires them to ask for consent, and §7.4 requires that to be very clear, but once the consent has been given, they can do anything they want as long as it is covered by that consent. – terdon Aug 10 '23 at 12:53
  • 17
    @terdon But what is described by the question is not consent. (It's not actual consent, or we wouldn't have questions like this in the first place – but it's also not legal consent per GDPR, because GDPR is a half-decent law.) Consent for extra data processing, like selling it to third parties, has to be completely independent of being able to do stuff, or it doesn't count as freely-given (§7.2). That means no clickwrap "agreement" can provide valid GDPR consent. – wizzwizz4 Aug 10 '23 at 12:57
  • 2
    Do you have any compelling evidence that this works? It may give you a clear and easy path for reprisal when it's violated, but it may not stop them from selling or sharing your data. – Scott Seidman Aug 10 '23 at 12:59
  • 12
    @ScottSeidman I've got at least three companies to change their policies by just informing decision-makers of the situation and the law – including Stack Exchange (though Mad Scientist, and the employees who actually fixed stuff, deserve at least as much credit). I've not been invited to referee ever, so I can't say it works in this particular case. – wizzwizz4 Aug 10 '23 at 13:07
  • I'm all for privacy, but I don't see why this consent would not be valid. The publisher offers OP a contract, where OP hands over their data. Once they've agreed, they have the additional possibility to work for free for the publisher/journal. It's a bad deal, but I don't see how not being able to work without payment can be argued to coerce OP. Also I don't see how §7.2 GDPR (https://gdpr-info.eu/art-7-gdpr/) is applicable or violated here - the matter of reviewing is kept clearly separate from the matter of consent to selling their data according to OP. – cbeleites unhappy with SX Aug 11 '23 at 07:46
  • 1
    @cbeleitesunhappywithSX The argument you've made has very little to do with the GDPR. Consider articles 5.1(b), 6.1(a) vs. 6.1(b), and 7.4, in the context of Recitals 42.5 and 43.2. That there's a contract (if this even counts as a contract) is immaterial. (Note: I have not been taught how to interpret GDPR by anyone: while I'm pretty certain this practice is illegal, my reasoning could well be wrong.) – wizzwizz4 Aug 11 '23 at 19:48
  • 1
    @cbeleitesunhappywithSX the point is that the user must be able to choose whether to accept or not the marketing part. This fits very clearly what §7.4 says (btw, I would quote it in the email): you are being requested to consent to the processing of personal data that is not necessary. That they use your personal data for X years, to keep track of who acted as a referee of paper Y makes sense and could be obligatory. That they can also use their data for marketing and sell it to third parties MUST be optional (supposing they do that at all!). – Ángel Aug 12 '23 at 00:30
  • I would probably have asked just the editors and their DPO first how to join without agreeing to that part which is against GDPR, without including the supervisory authorities (DPA) in the first email. OTOH, while the DPA are probably going to ignore the email, seeing them in the email might make the company more interested in complying with the law. – Ángel Aug 12 '23 at 00:35
  • @Angel: when I wrote my comment, the proposed email text argued that due to §7 (2) the consent was not valid since not freely given. The paragraphs given now were not cited back then. And yes, of course OP is asked to consent to the processing of personal data that is not necessary. According to GDPR valid consent is the one possibility the publisher has to legally process data that is not covered by the necessities/grounds in GDPR Art. 6 1. (b) - (f). So the remaining question is if that consent is valid. The main criterion for that is whether the consent is considered voluntarily given... – cbeleites unhappy with SX Aug 12 '23 at 13:24
  • §7.4 and the recitals argue that consent may be not freely given (in other words, the data subject is coerced into consent), if the consent is required for the "performance of a contract, including the provision of a service". I understand this to refer to "pay with your data"-type contracts. But in contrast to that (very common) situation, OP doesn't want to get a service here. Very much the opposite, the publisher wants OP to provide a service to them, for free. I.e., what OP would get "for" selling their data is a disadvantage rather than an advantage. AFAIK (but IANAL), agreeing... – cbeleites unhappy with SX Aug 12 '23 at 13:35
  • ...although the result is a known disadvantage (time consuming professional chore) would rather indicate that the consent is really voluntary. But I guess this may be a question better asked on law.sx. – cbeleites unhappy with SX Aug 12 '23 at 13:37
  • @cbeleitesunhappywithSX I don't see that version in the history, but it isn't really important. I think we are trying to guess the rationale for processing (and selling) of their data for marketing. The site should be stating clearly the reasons they are using (which could be legal or not). I highly doubt that the excuse that selling your data to third parties is part of the contract to review the manuscript would fly (see e.g. the recent case where Facebook ended up backtracking). If they argue that it is based on consent, then we get into §7 that there is no choice not to consent. – Ángel Aug 12 '23 at 13:47
  • @cbeleitesunhappywithSX As for the service being provided by the reviewer, I think that the publisher is providing a service: the platform where the review is performed / the paper is provided. Although even if they were providing nothing, I think §7.4 would still apply there. – Ángel Aug 12 '23 at 13:52
  • @ScottSeidman , wizzwizz4: Just as a side note, in any GDPR-based plan, don't rely on enforcement action. AIUI, the body responsible for enforcing GDPR here in the UK is so understaffed that there's a waiting list of years to get a case investigated. – Daniel Hatton Oct 25 '23 at 10:36
16

Approach that worked for me when I encountered the same situation in 2019:

  • I e-mailed the relevant associate editor setting out the problem and asking if they knew of a workaround.
  • The AE passed the query on to the on-staff handler for that journal at the publishing house.
  • The handler suggested the AE e-mail the manuscript to me and I return my review by e-mail, thus bypassing the web interface and never having to agree to its Ts&Cs. Therefore, that's what we did.

I'd imagine this is a very common problem, because lots of publishing houses outsource their online handling of reviews to the same organisation that authored the offending Ts&Cs.

Daniel Hatton
6

My simple solution: Do not give the publisher any of your personal information.

The only personal information the journal needs to get a peer review from you is your name and professional email address. This information is likely already on your employer's website and in journal articles you have published.

If you hate browser cookies, you can ask the editor to email the article and then email them back the review.

I do not see any benefits to your privacy from sending complaints or from refusing to review.

Most of the annoying marketing relating to journal publishing uses names and email addresses which are collected by web crawlers. The annoying marketers do not buy your information from publishers.

Anonymous Physicist