Just hours after the General Data Protection Regulation (GDPR) entered into force on the 25th of May, the first complaints under the EU’s new privacy law were filed against Facebook and Google, along with two of Facebook’s subsidiaries, Instagram and WhatsApp.
The complaints concern the issue of so-called "forced consent". The complaints allege that the tech companies concerned fall short of the GDPR requirement for consent to be "freely given" and not made conditional upon, or bundled with, consent for the provision of a service by:
- asking users to either consent to their terms of service or delete their account, and blocking them from using their account until they provide consent (in the case of Facebook, Instagram and WhatsApp); and
- asking owners of new smartphones to consent to processing of their personal data using the Android operating system and, if consent is not given, barring those users from using the device (in the case of Google).
The complaints (which are not lawsuits, as some have mistakenly reported) were submitted to the local Data Protection Authorities (DPAs) in Austria, Hamburg, Belgium and France by Max Schrems’ non-profit organization NOYB (short for "none of your business") on behalf of users. Mr. Schrems is an Austrian lawyer who, a few years ago, successfully challenged the Safe Harbor mechanism for the transfer of personal data between the EU and the US, which has now been replaced by the EU-US Privacy Shield, and then went on to also challenge the use of the European Commission’s Standard Contractual Clauses by Facebook.
Both Facebook and Google have disputed these complaints in public statements, arguing that the existing measures they have in place are adequate to meet the GDPR requirements.
The filing of these complaints is the first major action that is known to have been taken under the GDPR and an interesting development in many respects:
- This is the first time that a non-profit organization represents data subjects in the exercise of their rights under Art. 80 GDPR. The NOYB complaints will test the entitlement of the organization to bring complaints on behalf of individuals under the GDPR. If successful, it will most probably pave the way for other non-profit associations to do the same.
- This is also the first time that under Art. 77 GDPR the complaints are not filed in the EU Member State where the companies have their headquarters, but rather in the data subjects’ country of residence: the complaints against Facebook, WhatsApp, Instagram and Google were brought before the local Data Protection Authorities in Austria, Hamburg, Belgium and France, respectively.
- The handling of the complaints by the relevant DPAs will also serve as an initial stress test of how the One Stop Shop Mechanism will apply in practice. Considering that Facebook and its subsidiaries are based in Ireland, the Austrian DPA (Österreichische Datenschutzbehörde), the Belgian DPA (Autorité de protection des données) and the Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) may forward the cases to the Irish Data Protection Commission, as provided for in the GDPR, if appropriate. The ability for different DPAs to cooperate on challenges that affect data controllers with cross-border processing activities has been touted as a benefit of the GDPR, so it will be interesting to see how the lead authority will coordinate actions and what the involvement of the "concerned DPAs" will be.
- The outcome of the complaints may also have a significant impact as far as enforcement of the GDPR is concerned. If the complaints are upheld, DPAs may require Facebook and Google to change certain aspects of how they operate and potentially impose fines of up to 4% of their total worldwide annual turnover. If the maximum potential fines were imposed, this would reportedly mean a potential liability exposure of around EUR 3.7 billion for Google, and EUR 1.3 billion each for Facebook, Instagram and WhatsApp – a figure which has grabbed a lot of headlines, although it must be stressed that there is nothing at present to indicate that DPAs will impose fines or that, if they do, any fines imposed will be anywhere near these maximal, "worst case" amounts. Nevertheless, any sanctions imposed by the DPAs here will serve as an early indication as to how the DPAs intend to flex their enforcement muscles post-GDPR. Given that Austria, Hamburg, Belgium and France all have a reputation for being sophisticated in terms of data protection enforcement, it will be interesting to see how they conduct their investigation and what sanctions, if any, they impose.