New GDPR regulations have heralded a new era in data privacy for citizens across the European Union. For several US tech giants, however, the first day of this new era was marked with a series of potentially damaging lawsuits and claims of coercion.
Complaints were filed against Facebook and its subsidiary companies Instagram and WhatsApp within hours of the new regulations taking effect and claim that users were being coerced into agreeing to share their personal data for targeted advertising. Additionally, Google has also been accused of forcing users to consent to data collections.
These three complaints could see Facebook fined up to €3.9 billion through data regulators in Austria, Belgium and Germany. A similar complaint worth €3.7 billion was filed through French data regulators against Google over its new privacy policies on the Android operating system.
The complaints against Facebook and Google are being spearheaded by Max Schrems, who leads privacy group noyb.eu. The Austrian privacy activist says that people are not being given a “free choice” as part of these new guidelines set in place by both companies.
The complaints suggest that the companies in question are in breach of GDPR because they are following a “take it or leave it approach” to gaining users consent.
In the run up to GDPR users across Europe have likely encountered notifications from companies requiring them to agree to new terms and conditions. This is a common practice – how many times have you been asked to tick a box in order to access services? – however there is a stark difference between voluntarily agreeing to terms and conditions and being forced to agree.
That is exactly what Facebook and Instagram users – as a prime example – have been experiencing. Messages claiming that one must agree to new T&Cs (or risk being cut off from services) are, Schrems claims, breaking the law.
Speaking to the Financial Times, Schrems said both firms were knowingly acting negligently and not taking user privacy rights seriously, saying: “They totally know that it’s going to be a violation”
He also claimed the US-based tech giants “don’t even try to hide it.”
Contesting the Claims
Both Facebook and Google have denied acting unlawfully through their new privacy policies, and claim all necessary steps have been taken to ensure compliance with the new regulations.
Facebook said in a statement: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.
“Our work to improve people’s privacy doesn’t stop on May 25th.”
Facebook cannot risk more controversy over the use of personal data. In recent months the social media giant has come under intense pressure and scrutiny on both sides of the Atlantic. The Cambridge Analytica scandal has undoubtedly damaged its reputation and raised major concerns among users of the popular social network.
For Google, there is also the risk of embarrassment here. For the past several months, the firm has openly detailed the preparatory work it has been doing ahead of GDPR implementation – for a major lawsuit to be filed within hours of the deadline suggests the firms investment has been in vain.
The First Test for GDPR?
Noyb.eu highlights that the complaints filed last week will be a “crucial test of the law” during its infancy. On its website, the privacy rights group says “we do not expect that DPAs (data protection authorities) will use the full penalty powers, but we would expect a reasonable penalty, given the obvious violation”.
Companies that are found to have broken the regulation terms could be subject to enormous fines of up to €20 million or 4% of global revenue. For Google and Facebook, 4% of global revenue amounts to billions of dollars.