GDPR attacks: First Google, Facebook, now activists go after Apple, Amazon, LinkedIn

Just days after the new law comes into force, privacy activists add more tech giants to their list of GDPR targets.

After privacy activist Max Schrems and his None Of Your Business organization hit Google and Facebook with General Data Protection Regulation (GDPR) complaints on Friday -- mere minutes after the long-awaited privacy regime came into effect across the EU -- the companies have now been targeted by another broadside.

This time it's French digital rights group La Quadrature du Net that's on the rampage, and it hasn't just gone after Google and Facebook. It's pursuing Apple, Amazon, and LinkedIn as well.

On Monday, it filed seven complaints with French privacy regulator CNIL against the five companies. Google got separate complaints over Gmail, YouTube, and Search.

La Quad's offensive has been a long time coming. Six weeks ago, it started inviting people to join its collective complaints, and over that time it got more than 12,000 people to sign up. According to operations coordinator Myriam Michel, each complaint has around 9,000 to 10,000 names attached to it.

One of the GDPR's many novelties is that it allows non-profit organizations to complain about companies' violations on behalf of those who might be affected. This action adds weight to the complaints, and makes it more likely that they are well formulated.

La Quad's complaints are similar to those from Schrems' NOYB group, in that they focus on the issue of "forced consent".

The GDPR requires companies to only process personal data on a specific legal basis, and many companies have chosen consent as their option.

However, in some cases they don't let people use their services at all unless they consent to having their data exploited in ways that are not strictly necessary for delivering the core service. This all-or-nothing approach undermines the concept of consent, according to the new law.

And La Quad is not just stopping at these seven complaints. It has been gathering support for a total of 12, with those not lodged on Monday including complaints about Android, WhatsApp, Instagram, Skype and Outlook.

"We met [CNIL] last week and they told us if we target all 12 services it will be complicated and take a long time for the CNIL to work on the files," Michel told ZDNet.

"So we decided to target only seven services, to have answers more quickly from the CNIL. We will target the other services, but later."

CNIL will most likely coordinate with its counterparts in the various countries where these companies have their European headquarters. That's Luxembourg for Amazon and Ireland for Facebook, Google, Apple and Microsoft, which owns LinkedIn these days.

If the complaints are successful, the companies would have to pay fines of up to €20m ($ m) or four percent of global annual revenue, whichever is higher.

In a Monday statement, La Quad also linked to the texts of its complaints, which it is encouraging others to freely copy as the basis for their own complaints against the big tech firms.

Google and Facebook have already responded to the NOYB complaints by insisting that they have made a lot of effort to comply with the GDPR.

A LinkedIn spokesperson told ZDNet that it always aims to give its members control over the data it collects and how it is used and shared.

"We have approached GDPR as an opportunity to reinforce our commitment to data privacy for all members globally," the spokesperson said.

Amazon and Apple had not responded to requests for comment about the French actions at the time of writing.
