A privacy NGO led by Austrian lawyer Max Schrems is among the first to file complaints under the GDPR against Google, Instagram, WhatsApp and Facebook.
As the compliance deadline was reached for the EU General Data Protection Regulation (GDPR), lawyers began filing cases on behalf of clients as usually happens with the introduction of any new rights.
Among the first were complaints filed by NOYB, the European Center for Digital Rights, championed by privacy activist Max Schrems, whose legal challenge of Facebook led to the scrapping of the Safe Harbour Agreement.
After a successful crowdfunding campaign, NOYB was set up as a new type of non-government organisation aimed at helping European citizens to claim their rights under the GDPR by providing the necessary resources.
NOYB filed four complaints over “forced consent against Google, Instagram, WhatsApp and Facebook, arguing that they forced users to agree to new privacy policies, which the organisation says is a “clear violation” of the GDPR and could result in fines up to €7bn in total.
The claims relate specifically to the way the companies went about getting consent from users to use their data.
NOYB said the GDPR is supposed to give users a free choice about whether they agree to data usage or not, but the organisation said the opposite feeling was caused by the proliferation of “consent boxes” that popped up online or in applications, often combined with a threat, that the service could no longer be used if the user did not consent.
“Facebook has even blocked accounts of users who have not given consent,” said Schrems, Chairman of the NOYB board. “In the end, users only had the choice to delete the account or hit the ‘agree’ button – that’s not a free choice, it more reminds of a North Korean election process.”
NOYB said it filed similar complaints with four authorities to enable European coordination. A complaint against Facebook was filed with the Austrian data protection authority (DPA), a complaint against WhatsApp in Hamburg and a complaint over Instagram in Belgium. Another complaint over Android with the CNIL in France, who has previously fined Google.
In addition to the four authorities where users reside, NOYB said the Irish Data Protection Commissioner will probably get involved in the cases too, as the European headquarters of the relevant companies is in Ireland in three cases.
NOYB points out that the GDPR prohibits forced consent and any form of bundling a service with the requirement to consent under Article 7. Consequently, NOYB said access to services can no longer depend on whether a user gives consent to the use of data.
On this issue, a very clear guideline of the European data protection authorities has already been published in November 2017, said NOYB.
“Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases,” said Schrems.
An end of “forced consent” does not mean that companies can no longer use customer data, said NOYB, because the GDPR explicitly allows any data processing that is strictly necessary for the service, but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.
“It’s simple: anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” said Schrems.
The end of pop-ups
NOYB said that if the complaints are successful, the practical result will be the end of obtrusive pop-ups which are used to claim a user’s consent.
“If companies realise that annoying pop-ups usually don’t lead to valid consent, we should also be free from this digital plague soon,” said Schrems. “GDPR is very pragmatic on this point: Whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”
The fight against forced consent is also important for small and local companies, which usually cannot force their customers to agree to policies, according to NOYB.
“The fight against forced consent ensures that the corporations cannot force users to consent. This is especially important so that monopolies have no advantage over small businesses,” said Schrems.
NOYB said these first complaints will be a crucial test of the law: with a penalty of 4% of global revenue, Google or Facebook would have to pay more than a billion Euros for violating the law.
“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” he said.
Enhanced privacy rights
According to Schrems, NYOB is key to fulfilling the GDPR’s promise of enhanced privacy rights, especially as the regulation allows collective enforcement by NGOs on behalf of individuals under article 80. “The non-profit NOYB is meant to reasonably enforce the new law, so that the benefits actually reach the users,” said Schrems.
The complaints about “forced consent” are the first action of NOYB, which is already planning further complaints about the illegal use of user data for advertising purposes or “fictitious consent”, such as when companies recognise “consent“ to other types of data processing by solely using their webpage.
NOYB is funded by more than 2,800 individual supporting members and sponsors. To finance the fight against data breaches in the long term, the association is looking for more supporting members.
So far, the budget for 2018 is only 69% funded. “In 1995 the EU already passed data protection laws, but they were simply ignored by the big players. We want to make sure this does not happen again with GDPR,” said Schrems.
Google said in a statement: “We build privacy and security into our products from the very earliest stages and are committed to complying with the GDPR. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”
Facebook’s chief privacy officer, Erin Egan, told the Guardian: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.
“Our work to improve people’s privacy doesn’t stop on 25 May. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”
By Warwick Ashford – Computer Weekly – May 2018