Max Schrems is back: Facebook, Google hit with GDPR complaint
'Forced consent' is no consent, state legal challenges
Max Schrems, the thorn in Facebook’s side, has returned to launch the first challenges under the EU’s new data protection laws.
The complaints, filed on the day Europe's General Data Protection Regulation (GDPR) comes into force, take aim at what he describes as Google and Facebook’s “forced consent”.
Under the GDPR, when users are asked to consent, they should be given a free choice – and it should not be a condition of using a service.
But Schrems’ complaints argue that the consent boxes popping up on the screens of users of Google, Facebook and their affiliates does not meet this standard.
They dangle the 4 per cent of annual turnover fines as a maximum possible penalty – €3.7bn, €1.3bn, €1.3bn, and €1.3bn, respectively – though regulators have stressed they won’t be handing out the top level fines willy-nilly.
The complaints have been launched by Schrems’ nonprofit NOYB, which was set up specifically to take advantage of the new provisions under GDPR.
They argue that the services will block users who don’t accept to the terms, with Schrems saying that isn’t free choice.
However, the activist noted that the aim wasn't to stop companies processing any data – “anything strictly necessary for a service does not need consent boxes”. He added: “For everything else users must have a real choice to say 'yes' or 'no'.”
The complaints have been filed in authorities in different countries – all of which have reputation for strong privacy laws – Google in France, Facebook in Austria, Instagram in Belgium and WhatsApp in Hamburg, Germany – but are broadly similar.
This aims to allow coordination across the bloc. The ability for different data protection authorities to cooperate on challenges that affect data controllers that operate in more than one member-state has been touted as a benefit of GDPR, for example. Schrems’ challenges will see how well this works in practice.
Schrems notes that since Facebook and its companies are all headquartered in Ireland, it’s likely the Irish Data Protection Commissioner (with whom he already has beef) will get involved, too.
In a statement, NOYB said that further complaints planned by the Center for Digital Rights included for “illegal use of user data for advertising purposes” or “fictitious consent” – emphasising that these are just the first of many challenges against the big tech firms under the banner of GDPR. ®
Sponsored: Becoming a Pragmatic Security Leader