Small businesses have won a powerful ally in their battle against the worst excesses of GDPR, with the man whose legal battle brought down the Safe Harbour transatlantic data transfer deal in no doubt that tech industry giants’ demands for more risk-based “flexibility” in interpretation of the law have increased the burden for SMEs.
The Federation of Small Businesses has already called for a “light touch” from the Information Commissioner’s Office towards implementation of GDPR for SMEs, after claiming that many were still struggling to get in shape for the new regulation.
Now Austrian lawyer and privacy activist Max Schrems appears to have backed the FSB’s demands in a wide-ranging interview with The Irish Times ahead of a speech at the “Ireland’s Edge: A Coded Culture” event at Trinity College later this week.
His organisation, NOYB – European Centre for Digital Rights, filed the first official complaints about GDPR non-compliance against Facebook, as well as subsidiaries Instagram and WhatsApp, and Google’s Android operating system just hours after GDPR came into force.
The privacy rights group claims that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given.
But sympathising with SMEs, he told the newspaper: “There’s huge uncertainty for small businesses because some areas aren’t clear on what companies must do. And potential fines, at €20m for smaller companies, are too high – €100,000 would have been more sensible. I think the general objective of the law makes a lot of sense, but there’s still an issue about how, in practice, the data protection authorities are going to deal with it.”
When it comes to the likes of Facebook and Google, Schrems believes it is important to differentiate between the data needed to offer the basic functions of a service and the additional data companies would like to obtain to target users with tailored ads.
“Users have the right to say no”, he said. “And it’s not like there’s going to be no advertising.” Users would still see ads, just not ads aimed at a specific user based on closely tracking and analysing their online activities.
Schrems maintains that Facebook could offer four or five options for services, and doing so would make the service smoother for users as well as Facebook. Opting in at a basic level could eliminate the need for recurring pop-up notifications and opt-in requests, he said.
He also claimed that many US companies are wrongly bringing US “notice and consent” methods to their websites and services – endless notifications, pop-ups, buttons and clicks. But worse, many US companies large and small still do not comply with GDPR and have not changed their data-gathering approach at all. The default for a site should be for third-party data-gathering to be turned off.
“Most of the companies still have everything on,” Schrems insists, adding that the first NOYB legal cases, based on obvious areas of non-compliance, are just the start. He warned: “We’re going to look into more complex issues in coming months.”