A Nonprofit Group Has Already Lodged GDPR Complaints About Google and Facebook

After months of preparation, companies shutting down and the endless deluge of “updates to our privacy policy” emails, the European Union’s General Data Protection Regulation (GDPR) finally went into effect today. The regulation requires companies to let people decide what information they give up and how. Google and Facebook are already facing complaints for violating GDPR from None of Your Business (NOYB), an Austrian nonprofit group. If found guilty of not complying with GDPR, companies face either a fine of 20 million euros or four percent of global revenues (depending on which is larger). “This is the top of the first inning but as we’ve long stated, GDPR is significant risk to how Google and Facebook harvest and monetize data across the web and apps," said Jason Kint, CEO of Digital Content Next, a trade association for publishers. "They act significantly outside of user expectations and through their financial dominance affect the way the entire industry has to act to try to compete with two companies who take effectively 85 percent of the growth in the industry.” The complaints were filed against Google, Facebook, Instagram and WhatsApp in different countries on behalf of users, which is allowed under Article 80 in GDPR. NOYB is arguing that these four companies are requiring users to undergo “forced consent” to continue using their services, with popups that make consumers agree to the company’s terms of use without offering an option to opt-out. Max Schrems, an Austrian lawyer who ended the Safe Harbour data transfer network between the E.U. and the U.S. and founded NOYB, said in a statement, “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.” “Facebook has even blocked accounts of users who have not given consent. In the end, users only had the choice to delete the account or hit the ‘agree’ button—that’s not a free choice; it more reminds of a North Korean election process,” Schrems continued. “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.” The press release states that if the complaints are successful, these popups will go away and that it will benefit smaller and local companies. It’s also a test against regulators to see if they will follow through on their fines against companies who violate GDPR. Google told Adweek in an email, "We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.” In an emailed response to Adweek, Facebook's chief privacy officer, Erin Egan said, "We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download and delete their information. Our work to improve people's privacy doesn't stop on May 25. For example, we're building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account and turn off our ability to store it associated with your account going forward.”