Europe’s sweeping new data privacy regime came into effect this morning, and privacy activists are not wasting time in flexing their muscles. One organization has already made official data protection complaints about Google, Facebook, WhatsApp and Instagram, while another is going after the shadowy data brokers that trade people’s information behind the scenes.
The complaints about Google, Facebook and Facebook’s subsidiaries come from a group called None Of Your Business (NOYB), a non-profit founded by the very successful serial Facebook litigant Max Schrems. Schrems, the Austrian lawyer who annihilated the U.S.-EU Safe Harbor data-sharing agreement a few years ago, formed the crowdfunded NOYB in order to take on big tech firms that break the EU’s new General Data Protection Regulation (GDPR).
The new law only lets companies process people’s data if they have a valid legal basis for doing so. Several justifications are acceptable, and consent is one of the most frequently chosen options. However, users have to be able to give their consent freely: the law says people can’t be forced into consenting to their data being processed in order to use a service.
According to Schrems and his NOYB group, Google and Facebook are railroading users in this way.
“Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the ‘agree’ button–that’s not a free choice; it more reminds of a North Korean election process,” said Schrems in a statement. “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”
So NOYB has lodged complaints with a variety of European privacy regulators, “to enable European coordination.” One complaint, covering the consent requirements of Google’s Android, has been filed in France. The main Facebook complaint has been filed in Austria, while those for Instagram and WhatsApp are in the inboxes of the Belgian and Hamburg regulators respectively.
In case you’re wondering how a company is supposed to deliver a service without users giving their consent to their personal data being processed, here’s the deal: If the data really has to be processed in order to deliver the company’s services, then that’s a valid legal justification in itself. For example, an email service doesn’t need to get consent in order to send and deliver people’s emails. Consent is only needed when the company is trying to do other things with that data, such as using it to make money from advertisers.
Schrems and his non-profit argue that, if their complaints are successful, the victory should put an end to all those annoying consent popups that many companies think the GDPR demands.
“If companies realize that annoying pop-ups usually don’t lead to valid consent, we should also be free from this digital plague soon,” he said. “GDPR is very pragmatic on this point: Whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”
“We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on May 25th,” said Facebook privacy chief Erin Egan in a statement.
“We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation,” said a Google spokesperson.
Meanwhile, a separate group in the U.K.—Privacy International—has launched an investigation into the companies that do behind-the-scenes trading of personal data.
The organization has sent letters to firms like Acxiom, Criteo and Quantcast, asking them how they handle personal data. The GDPR is pretty firm on this stuff: people are supposed to know when a company has their data, and companies are not supposed to be using that data to build profiles of people who don’t know about it.
“We welcome GDPR taking effect,” said Privacy International legal officer Ailidh Callander. “It’s been a long time coming, and GDPR is an important step in the right direction, providing essential safeguards to our human rights to privacy and data protection, by imposing more stringent obligations on companies, strengthening rights of individuals, and increasing enforcement powers. GDPR is a key tool to empower individuals, civil society, and journalists to fight against data exploitation.”
The GDPR threatens companies with massive fines for breaking its many terms: up to €20 million ($23.4 million) or 4% of global revenues, whichever is bigger. These are big, scary figures, but it is deeply unlikely that fines will be that high in any but the most egregious cases.
This article was updated to include Facebook and Google’s statements.