Schrems strikes again, filing GDPR complaints against Facebook and Google

Just days into GDPR, tech giants already face legal tussle over consent

Facebook keyboard

Privacy campaigner Max Schrems has filed complaints against Google, Facebook, Instagram and WhatsApp, alleging that they are forcing users to consent to data collection in order to use their services.

It marks the first real test for regulators since the introduction of the GDPR, which states that consent to data collection must be freely given, and cannot be a prerequisite of using a service.

The four tech giants are pushing "forced consent" on users via pop-up boxes that require users to agree to data collection in order to access the sites and apps, according to Schrems' newly-founded data privacy rights organisation, noyb.eu (the European Center for Digital Rights, or None of Your Business).

The non-profit filed the claims in four countries on 25 May, the day GDPR applied to all organisations using EU residents' data.

Filing its complaint against Google Android in France, against Facebook in Austria and against the social network's two subsidiaries, Instagram and WhatsApp, in Belgium and Hamburg respectively, noyb.eu hopes to enable "European coordination" between countries' data protection authorities over the complaints.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The Irish data protection commissioner is also likely to get involved, the organisation believes, because Facebook, Instagram and WhatsApp are all headquartered in Dublin.

Schrems, who serves as chair of noyb.eu, said: "Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.

"Facebook has even blocked accounts of users who have not given consent. In the end, users only had the choice to delete the account or hit the 'agree' button that's not a free choice, it more reminds [us] of a North Korean election process."

IT Pro has contacted Google and Facebook about the complaints.

A Google spokesperson said: "We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU."

Advertisement - Article continues below

Schrems' and noyb.eu's argument is that GDPR only allows organisations to process data that is strictly necessary for the service; everything else they wish to collect to sell onto third parties or to target users with advertising - requires active opt-in consent from users.

If noyb.eu's complaints are upheld, it believes it can bring an end to the "digital plague" of "annoying pop-ups" that companies rely on to get users' consent, and put smaller businesses, which cannot withhold services until users consent to their terms and conditions, on a more level playing field with the tech giants.

Schrems' last legal case against Facebook led to the scrapping of the Safe Harbour agreement, which underpinned data transfers from the EU to the US but was found to be inadequate at protecting European citizens' rights.

His latest privacy complaints are likely to make waves too they are the first real test of GDPR and its enforcement.

Organisations that fail to comply with the data protection regulation face fines of up to 4% of their annual turnover or 20 million, whichever is higher, leaving these tech giants with huge penalties if they are found to have failed to comply.

Advertisement
Advertisement - Article continues below

"We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR," said Schrems.

Advertisement - Article continues below

Noyb.eu is planning more complaints under GDPR, too, focusing on illegal use of users' data for advertising, which it has dubbed "fictitious consent".

Image: Shutterstock

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/social-media-marketing/30400/what-is-facebook-advertising-and-facebook-ads
social media marketing

What is Facebook advertising and Facebook ads?

23 Jul 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019
Visit/server-storage/33263/myspace-s-migration-mishap-should-be-a-warning-to-others
Server & storage

MySpace’s migration mishap should be a warning to others

19 Mar 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/security/data-breaches/354611/misconfigured-security-command-exposes-250-million-microsoft-customer
data breaches

Misconfigured security command exposes 250 million Microsoft customer records

23 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/354584/windows-10-and-the-tools-for-agile-working
Sponsored

Windows 10 and the tools for agile working

20 Jan 2020