Google, Facebook hit with serious GDPR complaints: Others will be soon

Facebook nemesis Max Schrems is behind the first challenges to US giants under new European data privacy law.
Written by David Meyer, Contributor

Video -- GDPR deadline: Organizations are struggling to comply.

With the introduction of the European Union's blockbuster new privacy regime, the General Data Protection Regulation (GDPR), it took no time at all for privacy activists to lodge serious complaints about the behavior of Google and Facebook -- and they're promising more within the coming weeks.

The complaints come from a crowdfunded group called None Of Your Business (NOYB), headed up by none other than Facebook nemesis Max Schrems, the Austrian lawyer who has sued the social network on multiple occasions, usually successfully.

It was Schrems whose complaint over Facebook's privacy infractions sunk the Safe Harbor regime, a legal mechanism that allowed US firms to import Europeans' personal data.

Schrems set up NOYB with the aim of lodging well-researched complaints against tech giants that break the GDPR's many terms. The law allows non-profits to do this, on behalf of Europeans whose rights may have been infringed.

See: IT pro's guide to GDPR readiness (free PDF)

NOYB's first salvo, launched as the GDPR came into effect on Friday morning, concerns the widespread practice of insisting that users consent to whatever a service wants to do with their data before they can use that service. The GDPR says this doesn't count as real consent.

So Schrems's organization has made a series of four complaints with four different European privacy regulators, to make sure there is a coordinated investigation.

The first, over Android's "forced consent", was filed in France. Facebook is being complained about in Austria and its subsidiaries, WhatsApp and Instagram, are being targeted in north-German city Hamburg, and Belgium respectively.

The GDPR allows a variety of legal justifications for processing people's personal data, and consent is just one of them.

If a company really does needs to process that data to offer its service, for example, for social networking or photo-sharing, then that 'legitimate interest' is a valid legal basis for the processing.

However, many companies want to do other things with people's data, which aren't strictly necessary for providing those services. That's where consent comes in. But the law restricts how consent can be used.

"Consent does work if it's a really specific question you're asking, like 'Do you want to have personalized advertising or not?'," Schrems told ZDNet. "It does not work with a long list of everything you want to do with data."

According to Schrems, the aim of these day-one complaints is to say, "'Guys, you do have the legal power to use all the data that's necessary for your service anyway. Limit consent to what's really interesting, which is the stuff that's not really necessary for a service' -- the add-ons the companies want to make money on."

In other words, users shouldn't be forced to consent to their data being used for targeted advertising, just to be able to use a phone or communicate with people over social networks and messaging services.

But that ad money is, after all, how these companies fund their free services. What does Schrems want them to do? "That's the way that they offer these services right now, but that's no argument [for the model]," he said. "Drugs are sold on the street and that's the way those services work, but that's not legal."

"One thing that drives me nuts is the argument that you need microtargeting for advertisements," Schrems explained.

"The majority of advertising is not microtargeted. You can do all that stuff without actually touching any personal data [and] if you do target, you don't have to get the data off hundreds of services all over the internet just to get a one percent [greater] likelihood that you'll click on an ad."

According to the Austrian lawyer, NOYB will bring more cases in the coming weeks. "There are different issues we're still looking into. We will now consider what's next, but there's a very lengthy list of possible options," he said.

Facebook and Google issued similar statements on Friday morning, both insisting that they have spent a lot of time preparing for the GDPR and have accordingly updated their products and policies over the last 18 months.

Google said it was "committed to complying" with the new law. Facebook chief privacy officer Erin Egan said her company's "work to improve people's privacy doesn't stop on May 25".

See: What is GDPR? Everything you need to know about the new general data protection regulations

Schrems began his obsession with Silicon Valley's take on European privacy laws when studying at Santa Clara University in California for a semester, some seven years ago. Guest speakers from big tech firms such as Facebook left him with the impression that they had no respect for the EU legal system.

So what does he think the companies are trying to get at now, by not complying with the letter of the GDPR law?

"They have prepared for it in spirit, I think," said Schrems. "I'm not sure myself. Either it's total denial or it's a deliberate attempt to reinterpret the GDPR.

He said all the companies' involved have very similar privacy policies.

"It almost seems like a coordinated effort to redefine the GDPR, in the sense of, 'If we just do this for the next year or two, then everyone will accept this is just the way to do it'," he added.

"That's the reason why it was important for us to bring something on the first day, to say, 'Guys, this is not what the GDPR says'. The other option is that it may be cultural issues."

Previous and related coverage

Facebook's new court defeat: This time it 'may have free speech implications'

Far-right leader's win over Facebook in a German comment case could have international ramifications.

GDPR compliance: For many companies, it might be time to panic

Report shows a majority of organizations aren't ready for the new data protection rules.

What is GDPR? Everything you need to know about the new general data protection regulations

General Data Protection Regulation, or GDPR, is coming. Here's what it means, how it'll impact individuals and businesses - and how to prepare for it.

GDPR compliant? Here's a handy five-step preparation checklist

Ensuring compliance with GDPR means all departments that collect and handle personal data must comply with GDPR. Here's how to ensure the marketing department is ready for GDPR.

Court tells Facebook: Stop deleting 'offensive' comment

Facebook's move to block a user and cut a comment from that account has been challenged by a German court.

Editorial standards