Facebook and Google targeted as first GDPR complaints filed

Users have been forced into agreeing new terms of service, says EU consumer rights body

Facebook and Google have become the targets of the first official complaints of GDPR noncompliance, filed on the day the privacy law takes effect across the EU.

Across four complaints, related to Facebook, Instagram, WhatsApp and Google’s Android operating system, European consumer rights organisation Noyb argues that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given.

Max Schrems, the chair of Noyb, said: “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the agree button – that’s not a free choice, it more reminds of a North Korean election process.”

If upheld, the complaints could result in more than £3bn in fines for each company – the maximum possible under the new law being the higher of €20m (£17.5m) or 4% of an organisation’s annual revenue.

The complaints, filed on behalf of unnamed users of the sites, were sent to Facebook’s Irish headquarters and Google’s home in Mountain View, California.

In a statement, Google said: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU general data protection regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”

Facebook’s chief privacy officer, Erin Egan, told the Guardian: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on 25 May. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”

A Noyb spokesman said: “We are confident that these first complaints will trigger an immediate response by the EU data protection supervisory mechanism and that the relevant supervisory authorities will carry out a robust and in-depth investigation into the particular circumstances of the complaints.

“What we are expecting is a strong, clear and determined decision, which will not hesitate, in case of an infringement, to hold companies accountable and subject them to the strict fines the new legislation foresees, as well as provide further guidance on the practical implementation of the GDPR requirements, set an example for other companies seeking to, directly or indirectly, negate data subjects’ consent, and will ultimately uphold users’ fundamental right to the protection of their personal data.”

The issue at stake is whether the processing of data for targeted advertising can be argued to be necessary for the fulfilment of a contract to provide services such as social networking or instant messaging, Noyb argued. If not, then that processing requires separate consent, which the user must be able to decline.

“In our view, these companies sought to tie consent to such (unnecessary) processing purposes and operations in their terms and then asked data subjects to ‘take it or leave it’,” the spokesman said. “Considering the powerful position these companies have and the consequent pressure the data subject is put under, to agree to irrelevant processing/advertising purposes, we believe that any such consent obtained should be considered invalid.”

Schrems has a history of holding Silicon Valley to account. In October 2015, the Austrian privacy campaigner won a two-year legal fight to rule that data transfer to the US was not allowed under a pre-existing “safe harbour” agreement, since American laws provided inadequate protection for EU citizens’ data, particularly with regards to state surveillance.


Alex Hern

The GuardianTramp

Related Content

Article image
WhatsApp, Facebook and Google face tough new privacy rules under EC proposal
European ePrivacy directive revision looks to protect communication confidentiality, block nonconsensual tracking and lessen cookie warnings

Samuel Gibbs and agencies

10, Jan, 2017 @3:54 PM

Article image
EU data watchdog raises concerns over Facebook integration
Irish commission that regulates site requests urgent briefing on platforms merger

Alex Hern

28, Jan, 2019 @5:40 PM

Article image
Can I move my data to the EU before Google shifts it to the US?
Post-Brexit, Sean wants to keep his data protected by the EU’s GDPR rather than laxer US privacy laws

Jack Schofield

27, Feb, 2020 @9:15 AM

Article image
EU agrees draft text of pan-European data privacy rules
New rules will strengthen European citizens’ privacy protections, while a controversial proposal to raise ‘age of digital consent’ to 16 was devolved to member states

Samuel Gibbs and agencies

16, Dec, 2015 @11:30 AM

Article image
EU: data-harvesting tech firms are 'sweatshops of connected world'
Data protection supervisor lambasts companies’ deluge of ‘take it or leave it’ privacy emails ahead of GDPR

Samuel Gibbs

02, May, 2018 @10:04 AM

Article image
Facebook to start asking permission for facial recognition in GDPR push
Users will be asked to review information about targeted advertising but some say opting out is deliberately difficult

Alex Hern

18, Apr, 2018 @11:12 AM

Article image
WhatsApp raises minimum age to 16 for Europeans ahead of GDPR
Facebook-owned messaging service will demand users confirm they are old enough to use app after raising age limit from 13

Samuel Gibbs

25, Apr, 2018 @9:02 AM

Article image
How Europe's 'breakthrough' privacy law takes on Facebook and Google
Europe’s General Data Protection Regulation is forcing big changes at tech’s biggest firms – even if the US isn’t likely to follow suit

Olivia Solon

19, Apr, 2018 @7:01 AM

Article image
TechScape: Warnings of a ‘splinternet’ were greatly exaggerated – until now
In this week’s newsletter: Facebook has been hit with a €1.2bn fine by EU regulators, and the cracks in the fault lines of data regulations are showing. Could that be a good thing?

Alex Hern

23, May, 2023 @11:00 AM

Article image
Privacy policies of tech giants 'still not GDPR-compliant'
Consumer group says policies of Facebook, Amazon and Google are vague and unclear

Alex Hern

04, Jul, 2018 @11:01 PM