The General Data Protection Regulation (GDPR) is a landmark piece of E.U. legislation that widely expands consumer protections and rights about what data companies can gather about E.U. citizens online, and how they do it. (If you’ve been wondering why you’ve been getting dozens of emails from companies about updated privacy policies, you can thank the GDPR.) The GDPR officially went into effect today — and Facebook and Google are already feeling the heat.
Max Schrems, an Austrian lawyer and privacy advocate who has been involved in a long-running legal battle with Facebook about its privacy policies, filed complaints on behalf of four E.U. citizens against Facebook, Facebook-owned Instagram and WhatsApp, and Google’s mobile OS Android, claiming that the companies used “forced consent” in order to get users to agree to the companies’ updated privacy policies.
“GDPR is very pragmatic on this point: whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option,” Schrems says in a statement from his nonprofit noyb (None of Your Business). “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the ‘agree’-button — that’s not a free choice, it more reminds of a North Korean election process.”
Under the GDPR, companies must get explicit consent to gather and share data about you, unless that data is deemed essential to the company doing business. (An e-commerce company, for instance, wouldn’t need your permission to share your address with a third-party shipping company in order to send you a package.) The question that Schrems is attempting to force the companies and the E.U. to answer is whether collecting detailed personal information for ad targeting is essential for these companies to operate.
The GDPR has some real bite to it: If a company is found to be in violation of the GDPR, it can face fines of up to 4 percent of its global revenue. For Facebook, which brought in over $40 billion last year, that means a maximum fine of $1.6 billion. Alphabet, Google’s parent company, brought in $110 billion in revenue last year, and could face fines of up to $4.4 billion.
Schrems, speaking to the Financial Times, said that the fact that the fines were “mind-blowing” made it all the more surprising that neither company took the GDPR regulations more seriously. “They totally know that it’s going to be a violation, they don’t even try to hide it,” said Schrems.
Facebook’s chief privacy officer, Erin Egan, said in a statement: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.”
In its own statement, Google said: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”
While Google and Facebook seem prepared to take on complaints, other American-based companies aren’t pressing their luck. Dozens of websites have started to simply block all visitors from the E.U. rather than face potential GDPR fines. Many more will be watching closely to see what happens as two of the largest tech companies in the world face the scrutiny of a newly empowered E.U.