Internet giants under investigation for GDPR infringement
High-profile social media companies Facebook, WhatsApp and Instagram, as well as search engine Google, were all hit with complaints to regulators within hours of the General Data Protection Regulation (GDPR) going live. They face total fines as high as €9.1bn if found guilty, but the actual punishment is predicted to fall short of that figure.
Privacy group noyb.eu, run by Austrian activist Max Schrems, said all four companies had breached the GDPR for ‘forced consent’, where companies ask users to consent to use of their personal data for continued access to a service.
Noyb.eu said these companies had adopted a “take it or leave it” approach that is not in the spirit of the new GDPR rules.
The new laws have also caused problems for companies in US, which fall within the reach of GDPR if they hold or use data on EU citizens. Several US news websites, including Los Angeles Times and New York Daily News, blocked European users from access to their sites on Friday as they worked to comply with GDPR rules.
Noyb.eu filed complaints with four European data authorities – in France, Belgium, Germany and Austria – over misgivings with Facebook, WhatsApp, Instagram and Google. The Irish Data Protection Commissioner is also likely to be involved as three of the named companies are headquartered in Ireland. Noyb.eu estimates that Google would face a potential fine of €3.7bn if it was found to be in breach of the new rules, while Instagram, WhatsApp and Facebook each face a maximum charge of €1.8bn.
“Tons of ‘consent boxes’ popped up online or in applications, often combined with a threat, that the service cannot longer be used if users do not consent,” noyb.eu said. “The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent. Consequently, access to services can no longer depend on whether a user gives consent to the use of data,” it added.
Noyb.eu said its complaint could trigger an end of “annoying and obtrusive popups” to claim users’ consent to their data. It also said its complaints would be “a crucial test of the law”. “We do not expect that DPAs will use the full penalty powers, but we would expect a reasonable penalty, given the obvious violation,” noyb.eu said.
Google issued a statement to say it is committed to complying with GDPR while Facebook, which owns Instagram and WhatsApp, said it has worked on implementing GDPR during the past 18 months.