Just hours after GDPR came into force, both Facebook and Google are already facing investigations over their compliance after the man who brought down the Safe Harbour transatlantic data transfer deal has lodged the first official complaints about non-compliance.
Four complaints against the main Facebook site, as well as subsidiaries Instagram and WhatsApp and Google’s Android operating system claim that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given.
They have been brought by privacy group NOYB – European Centre for Digital Rights – a non-profit organisation founded by Austrian lawyer and privacy activist Max Schrems.
Schrems said: “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the agree button – that’s not a free choice, it more reminds of a North Korean election process.”
The complaints, filed on behalf of unnamed users of the sites, were sent to Facebook’s Irish headquarters and Google’s offices in Mountain View, California. It is not known whether the Irish Data Protection Commissioner, which governs both companies, has been notified.
In a statement, Google said: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU general data protection regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”
Facebook chief privacy officer Erin Egan told the Guardian: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.”
The investigation will have to determine whether the processing of data for targeted advertising is necessary for the fulfilment of a contract to provide services such as social networking or instant messaging. If not, then that processing requires separate consent, which the user must be able to decline.
Schrems is a man on a mission; back in 2015, he took legal action against the Safe Harbour agreement in the European Court of Justice, successfully arguing that the Edward Snowden disclosures had shown there was no effective data protection regime in the US.
This led to the launch of its successor, Privacy Shield, although this is the subject of yet another case which claims it, too, is illegal.
Schrems is also a constant thorn in Facebook’s side. Back in 2014, he filed a class action-style lawsuit against the social media giant. After more twists and turns than a cheap garden hose, the case is currently pending before the Austrian Supreme Court.
GDPR zero hour: Now the hard work begins say experts
Facebook displays ‘contempt’ with Zuckerberg no-show
MPs ‘as clear as mud’ about how to comply with GDPR
‘Inadequate’ Data Protection Bill is ‘already out of date’
EU agrees Privacy Shield but UK must still toe line
Transatlantic data transfers torpedoed once again
Facebook ‘still using illegal safe harbour agreement’
Privacy Shield is nothing short of preposterous
UK consumer data ‘is still at risk’ despite US deal
EU confirms 11th-hour deal over US data transfers
New ruling halts US data transfer