Privacy advocates wasted no time filing a number of complaints against a handful of technology companies for violations of the EU’s General Data Protection regulation, which came into force May 25.
Headed by privacy activist Max Schrems, a newly formed non-profit group named None Of Your Business (NYOB) filed four complaints on the first day GDPR came into effect. The complaints—against Google (Android), Facebook, WhatsApp, and Instagram—concern “forced consent.”
GDPR allows companies to process individuals’ data if they have a valid legal basis for doing so, with consent being one of the most frequently chosen options. Under the GDPR, individuals cannot be forced into consenting to their data being processed to use a service, and yet “forced consent” is the road technology giants like Google and Facebook have taken.
“Facebook has even blocked accounts of users who have not given consent,” Schrems said in a statement. “In the end, users only had the choice to delete the account or hit the ‘agree’ button. That’s not a free choice.”
Based on the GDPR’s maximum penalty of 4 percent of a company’s annual revenue, the NYOB estimates potential fines for the four companies could reach more than €7 billion (U.S. $8.1 billion), though just how those rules will be interpreted and enforced is still very much unclear.
Similar complaints were filed with four authorities, where the users reside, “to enable European coordination,” a statement from NYOB read. Specifically, the complaint against Facebook was filed in Austria, while those against Instagram and WhatsApp were filed with Belgian and Hamburg regulators, respectively.
According to NOYB, the Irish Data Protection Commissioner also will “probably get involved in the cases too, as the headquarter of the relevant companies is in Ireland in three cases.”
Following Schrems’ complaint, French digital rights group La Quadrature du Net announced that it has filed similar complaints against not just Facebook and Google (with separate complaints concerning Gmail, YouTube, and Search), but also Apple, Amazon, and LinkedIn. On May 28, the group filed seven complaints with French privacy regulator CNIL against the five companies.
La Quad said it launched its campaign six weeks ago, gathering more than 12,000 collective complaints. In comparison, the CNIL received 8,360 individual complaints in all of 2017, La Quad said.
Both La Quad and Schrems indicated that more privacy complaints are forthcoming. With privacy groups only just warming up, privacy officers, data protection officers, legal and compliance teams have a long, tedious road of GDPR compliance work ahead of them.