GDPR day 1: Google and Facebook sued for ‘forced consent’

Welcome to GDPR day one. Google and Facebook are already facing formal complaints that they’re in violation of the new privacy rules, the penalty for which can be millions or even billions of euros.

A privacy advocacy organization called noyb.eu has filed four complaints against Google, Facebook, WhatsApp and Instagram over what it calls consent bundling or “forced consent,” meaning no access to services without consent. The entity is chaired by Max Schrems, who as a law student brought the case against Facebook that caused the downfall of the US-EU data Safe Harbor agreement.

The complaints, which have been filed in France, Germany, Belgium and Austria, argue:

GDPR prohibits “bundling.” The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017.

The organization seeks to separate use of the services from consent to use customer data for advertising purposes. Ominously for Google and Facebook, the organization’s website suggests that these complaints “are the first action” in a list of intended additional complaints.

While one purpose of GDPR is to give consumers more control over their personal data and prevent unauthorized uses, another relatively clear goal of the law is to create a legal and regulatory tool to manage (or restrain) Google and Facebook and their use of data. Schrems’s organization is directed toward the latter objective.

Also today, publications owned by Tronc, formerly Tribune Media, have blocked access for Europeans. Tronc owns the Chicago Tribune, New York Daily News and The Baltimore Sun. Formerly, it owned the Los Angeles Times, one of the sites now blocking Europeans.

According to Slate, the following message appeared to EU citizens trying to access the Los Angeles Times site: “We are currently not available in your region, but we are actively exploring options to make our content available to you again.” A more blunt message showed up on The Arizona Daily Star’s site: “We recogise [sic] that you are attempting to access this website from a country belonging to the European Economic Area, including the EU which enforces the General Data Protection Regulation and therefore cannot grant you access at this time.”