Facebook and Google are violating the new General Data Protection Regulation, says net activist Max Schrems. He is calling for fines in the billions.
Austrian Max Schrems is confident that this time, too, he can force the big Internet corporations to provide more data protection Photo: dpa
The European General Data Protection Regulation (GDPR) has been in effect since Friday after a two-year transition period. Only a few hours after the rules, which are supposed to give Internet users more sovereignty over their data, came into force, the association Noyb, founded by lawyer and net activist Max Schrems, filed its first complaints against Google and Facebook as well as its services Instagram and WhatsApp. The would violate the GDPR with "forced consents," according to the association’s assessment.
Noyb turned to four supervisory authorities: in France, Belgium, Vienna and Hamburg. "Facebook even blocked accounts of users who did not give consent. Users ended up having a choice: delete the account or press the button. That is simply extortion," Schrems said.
The GDPR prohibits such coercion of consent and also provides for a so-called tying ban. Accordingly, a provider may not make the use of the service dependent on whether a user gives consent to the use of data. Schrems explains, "It’s simple: for everything that is strictly necessary for a service, you don’t need a consent box. For everything else, the user must be able to freely say yes or no."
The Viennese lawyer has already been successful several times with lawsuits. In 2015, for example, the European Court of Justice overturned the EU’s Safe Harbor agreement on data transfer to the United States.
The new chair of the European Data Protection Board, Andrea Jelinek, confirmed the complaint against Facebook. "We are currently looking into the case," said Jelinek, who is also head of the Austrian data protection authority.
Companies that violate the GDPR face heavy financial penalties in the future – up to 4 percent of their annual global turnover is possible. Accordingly, Nyob puts the penalty range of its complaints at over 7 billion euros. Schrems does not believe that sanctions of this magnitude will be imposed immediately, "but the corporations have intentionally violated the GDPR here, so we also expect a corresponding penalty."