After months of anticipation and preparation, on Friday, the GDPR went into effect and privacy advocates, eager to put the law to the test, wasted no time challenging the practices of the internet’s two biggest names.
Hours after the GDPR became the law of the land, a non-profit organization called None Of Your Business (NOYB) lodged complaints against Google and Facebook, including Facebook subsidiaries Instagram and WhatsApp, with four different European authorities.
The complaints allege that these two tech giants have violated the GDPR’s prohibitions against forced constent by using popups prompting users to give consent if they want to continue using their services. NOYB claims that Facebook has already blocked the accounts of users who have refused to provide consent.
In a statement, NOYB explains, “The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017.”
According to Max Schrems, the Austrian lawyer behind NOYB, “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”
Schrems is a well-known privacy advocate who has the distinction of having taken on Facebook in court and won.
Noting that companies do not need to gather consent for “anything strictly necessary for a service”, Schrems called consent popups a plague and suggested that “if companies realize that annoying pop-ups usually don’t lead to valid consent, we should also be free from this digital plague soon. GDPR is very pragmatic on this point: Whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”
NOYB claims that Google and Facebook could face fines of up to €7bn for their alleged violations of the GDPR. That’s big money and will surely mean that a big fight is inevitable.
But the stakes aren’t just high because of the amount of money involved. They’re high because the NOYB actions are promptly putting the GDPR to the test. “Will GDPR show teeth?” the NOYB statement asks.
Obviously, the GDPR is a complex piece of legislation and has many provisions. If the enforcement authorities decide that Facebook and Google haven’t violated the GDPR in this instance, it doesn’t mean that there won’t be other alleged violations, some of which could lead to significant penalties.
But NOYB’s test of the GDPR seems to be a particularly meaningful one because the issue of forced consent speaks directly to the spirit of the GDPR. If the authorities effectively decide that users can be strong-armed into providing consent under the threat of being unable to continue using popular services, it would call into question whether the primary aim of the GDPR – empowering users to control their data – can ever be achieved.
Of course, there’s an important counter-argument to NOYB’s position: if companies like Google and Facebook are told that they have to provide service to users who don’t consent to the use of their data for advertising purposes, there’s a real question as to whether or not their services will remain economically viable.
From this perspective, it might not be an exaggeration to suggest that what’s at stake here is nothing less than the future of the digital economy.