It didn’t take long for the lawsuits to start flying over allegations of non-compliance with the European Union’s new set of data governance rules.
Austrian data privacy advocacy group None of Your Business (NOYB) filed suits against Facebook, Google, and Facebook subsidiaries WhatsApp and Instagram alleging that the tech firms violated the EU’s General Data Protection Regulation (GDPR). The suits, which were filed just minutes after the law took effect at midnight on May 25, claim the tech giants violated the law by forcing users to turn over private data in order to use their services.
Such “forced consent,” claims NOYB, is a violation of the new regulations. “The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent,” said NOYB in a statement announcing the suits. “Consequently, access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017.”
Time for a GDPR Compliance Audit?
For internal auditors, the suits—regardless of their validity—may be a wake-up call to put GDPR compliance on the audit plan. Penalties for non-compliance can be quite severe. A fine up to €20 million ($23.5 million) or up to 4 percent of the annual worldwide revenues of the preceding financial year can be levied for violating certain provisions of the regulation. For Google, the 4 percent penalty would amount to nearly $4.5 billion.
The complaint against Facebook was filed with Austrian data regulators, Google with French regulators, WhatsApp with German regulators and Instagram with Belgian regulators as soon as the law went into effect at midnight. NYOB says it also intends to bring a complaint with Irish regulators, since Google and Facebook have their European headquarters in Dublin.
“Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases,” says Max Schrems, chair of NOYB. “Facebook has even blocked accounts of users who have not given consent. In the end, users only had the choice to delete the account or hit the ‘agree’ button–that’s not a free choice.” Some studies show that European citizens are eager to exercise their new data rights.
Apple, Amazon, and LinkedIn Too
NYOB isn’t the only group to file complaints just after the rules took effect. French digital rights advocacy group La Quadrature du Net filed similar complaints against seven organizations, including individual complaints against Google companies Gmail, YouTube and Search. It also filed complaints Monday with French privacy regulator CNIL against Facebook, Apple, Amazon, and LinkedIn. La Quadrature says it intends to bring similar complaints against complaints Skype, Outlook, Android, WhatsApp, and Instagram.
For its part, Facebook says it is working to comply with the new rules. “We have made our policies clearer, our privacy settings easier to find, and introduced better tools for people to access, download, and delete their information,” Facebook’s Chief Privacy Officer Erin Egan said in a statement.
Last week, in testimony to European Parliament leaders, Facebook CEO Mark Zuckerberg insisted his company would follow the new regulations. “We’re going to put a tool at the top of people’s apps that walks them through their settings,” he said, although he would not go as far as to say the company is in currently in full compliance of the new laws.
Stay Tuned…
In a statement the group signaled that it is just getting started with bringing complaints against companies for GDPR non-compliance. “We chose to open fire by attacking 7 of the 12 services originally targeted, and wait a bit to see how things evolve before launching the procedure against the remaining 5 services,” the group said in a statement. “The procedure of cooperation between the European CNIL will take many months, so there is no need to rush things from the beginning.”
Groups like NOYB and La Quadrature may have many targets. A recent survey by ISACA finds that more than two-thirds of the companies it surveyed aren’t fully prepared to comply with GDPR. “Awareness of—and commitment to—well-defined security, data management, and privacy policies and procedures clearly need to be an integral part of every organization’s culture, from the top down,” said Chris Dimitriadis, chair of ISACA’s GDPR Working Group. 