The new and extensive data privacy regime in Europe came into effect this morning, and privacy activists do not waste time flexing their muscles. One organization has already filed official complaints about data protection on Google, Facebook, WhatsApp and Instagram, while another is chasing obscure data intermediaries who exchange information behind the scenes.
Complaints about Google, the affiliates of Facebook and Facebook come from a group called None Of Your Business (NOYB), a non-profit organization founded by the successful serial Facebook litigant Max Schrems. Schrems, the Austrian lawyer who annihilated the data exchange agreement between the United States and the EU a few years ago, formed the NOYB crowdfighting to confront large technology firms that violate the new General Data Protection Regulation (GDPR) of the EU.
The new law only allows companies to process people's data if they have a valid legal basis to do so. Several justifications are acceptable, and consent is one of the most frequently chosen options. However, users must be able to give their consent freely: the law says that people can not be forced to accept the processing of their data in order to use a service.
According to Schrems and his NOYB group, Google and Facebook are fermenting users in this way.
"Facebook has even blocked the accounts of users who have not given their consent.In the end, users only had the option to delete the account or press the button & # 39 ;; accept that is not an free choice, more reminiscent of a North Korean electoral process, "Schrems said in a statement. "Many users still do not know that this annoying way of forcing people to consent is forbidden in most cases by GDPR."
Thus NOYB has filed complaints with a variety of European privacy regulators, "to allow European coordination". complaint, which covers Google's Android consent requirements, has been filed in France. The main complaint of Facebook has been presented in Austria, while those of Instagram and WhatsApp are in the inboxes of the regulators of Belgium and Hamburg, respectively.
In case you wonder how a company is supposed to provide a service without the users giving their consent to process their personal data, this is the deal: if the data really have to be processed to deliver the services of the company, that is a valid legal justification in itself. For example, an email service does not need to obtain the consent to send and deliver emails from people. Consent is only necessary when the company tries to do other things with that data, such as using it to earn money from advertisers.
Schrems and his non-profit organization argue that, if their complaints are successful, the victory should put an end to all those annoying consent popups that many companies believe the GDPR demands.
"If companies realize that annoying pop-ups generally do not lead to valid consent, we should also be free of this digital plague soon," he said. . "GDPR is very pragmatic on this point: what is really necessary for an application is legal without consent, the rest needs a" yes "or" no "option" free ".
Google and Facebook did not respond to requests for comments at the time of writing.
Meanwhile, a separate group in the UK-Privacy International-has launched an investigation into companies that make personal data trading behind the scenes.
The organization has sent letters to firms such as Acxiom, Criteo and Quantcast, asking them how they handle personal data. The GDPR is quite strong in this regard: people are supposed to know when a company has their data, and it is assumed that companies should not use that data to create profiles of people if that is not the case.
"We welcome GDPR effect," said Privacy International's legal advisor, Ailidh Callander. "It has taken a long time to arrive, and GDPR is an important step in the right direction, providing essential safeguards to our human rights to privacy and data protection, by imposing stricter obligations on businesses, strengthening the rights of individuals and increase enforcement powers GDPR is a key tool to empower people, civil society and journalists to fight against data exploitation. "
The GDPR threatens companies with massive fines for breaching their various terms: up to € 20 million ($ 23.4 million) or 4% of global revenues, whichever is greater. While these are large and frightening figures, it is very unlikely that fines will be so high in less serious cases.