The data protection group NOYB (None of your business) has filed the first complaints under the EU’s General Data Protection Regulation, which took effect on 25 May. The group, backed by privacy activist Max Schrems, filed cases with national data protection regulators against Google (Android) in France, Instagram in Belgium, WhatsApp in Germany and Facebook in Austria over so-called ‘forced consent’, where users are required to allow access to their personal data in order to use the services.
According to NOYB, the GDPR prohibits “bundling” a service with the requirement to consent to the use of data. The European data protection authorities already published a “very clear guideline” on this in November 2017, the group said. While this does not mean companies cannot use any customer data, it means they must limit data processing to data strictly necessary for the service. If the data is to be used for advertising or to sell on to third parties, the companies must obtain the users’ free opt-in consent.
NOYB said the complaints are aimed at ensuring the GDPR “is implemented in a sane way”, without “fishing for consent”. If enforced, the regulation should also benefit smaller companies, which usually cannot force their customers to agree to global policies like the other “big online monopolies”, the group said.
With the increased penalties allowed under the GDPR, Google could face fines of up to EUR 3.7 billion and the three other companies EUR 1.7 billion each, NOYB estimates, based on the maximum 4 percent of relevant revenues. While it does not expect the data protection regulators to exercise their full powers, “we would expect a reasonable penalty, given the obvious violation”, the group said.
NOYB said it’s taking advantage of collective action rules under the GDPR to file the complaints on behalf of four individuals. The GDPR allows individual users to be represented by a non-profit association in order to file legal claims. Schrems’ previous case against Facebook had run foul of the lack of collective action rules at the EU level, meaning he could not add other Facebook users to his lawsuit against the social network for privacy violations.
The non-profit said it is also planning other legal action, including complaints about the illegal use of user data for advertising purposes or “fictitious consent”. – Telecom Paper