On the first day of GDPR enforcement, Facebook and Google have been hit with a raft of lawsuits accusing the companies of coercing users into sharing personal data. The lawsuits, which seek to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars), were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices.
GDPR requires clear consent and justification for any personal data collected from users, and these guidelines have pushed companies across the internet to revise their privacy policies and collection practices. But there is still widespread uncertainty over how European regulators will treat the requirements, and many companies are still unprepared for enforcement.
Both Google and Facebook have rolled out new policies and products to comply with GDPR, but Schrems’ complaints argue those policies don’t go far enough. In particular, the complaint singles out the way companies obtain consent for the privacy policies, asking users to check a box in order to access services. It’s a widespread practice for online services, but the complaints argue that it forces users into an all-or-nothing choice, a violation of the GDPR’s provisions around particularized consent.
Shrems told the Financial Times that the existing consent systems were clearly noncompliant. “They totally know that it’s going to be a violation,” he said. “They don’t even try to hide it.”
The lawsuits are broken up into specific products, with one filed against Facebook and two others against its Instagram and WhatsApp subsidiaries. A fourth suit was filed against Google’s Android operating system.
Both companies have disputed the charges, arguing that existing measures were adequate to meet GDPR requirements. “We build privacy and security into our products from the very earliest stages,” Google said in a statement, “and are committed to complying with the EU GDPR.”
Facebook offered a similar defense, saying, “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR.”
Comments
Who could have seen this coming? The lawyers see an easy payday, and they didn’t waste any time.
By ThatOneThing on 05.25.18 10:33am
Working as intended, I suspect.
By ldrn on 05.25.18 11:11am
Grabs popcorn.
Let the show begin!
By mikedon on 05.25.18 12:54pm
Day 1 is a little much, but also the lawyers are being backrolled. The EU does not work on the American system. Loser pays.
By Fkeefe4th on 05.25.18 6:23pm
I totally support the lawsuits. Mass collection of user data should be stopped to protect our democracy. Users are careless, and they will give away their data for free stuff or for the convenience without thinking about long term consequences.
Politicians are supposed to work for the good of the society. By making data mining very costly to Google and Facebook, they can force those companies to adapt less hostile business models.
By I am not Spartacus on 05.25.18 7:49pm
GDPR doesn’t stop the collection of data, it’s about the disclosure of that collection
By armrek on 05.26.18 5:22am
But a clear explanation about what those companies are collecting means that users are more aware of what kind of stuff they’re giving away. And that helps to stop this thing.
By niasco on 05.26.18 11:51pm
So you believe that governments job is to protect people from themselves even if they don’t want to be protected? This idea is the very base justification of authoritarianism and facism. Everything is for the greater good, we are doing this to help you, trust the state to make your decisions.
The pure fact is most people don’t care who knows they clicked on an ad, or that they like a band. If they had to weigh that info versus what it would cost to pay for all the services we use? They gladly give away their information. We haven’t even touched on the fact that in some cases that info is used to make products better and more specific to a persons needs.
It’s all well and good to say, hey i’d be willing to pay $20 a month for Google’s services. Sure, sounds reasonable, but lets add on another 20 for facebook, 10 for yelp, 20 for instagram, 5 for whats app, 30 for twitter, etc…. etc…. We all used MULTIPLE services from multiple companies, the idea that we are going to pay subscriptions for all of these? Not to mention the performance decline of the services who now lack our information?
I just don’t understand people who care so much about being served an ad that is relevant for you when the government actually mines and obtains as much or more data on you than these companies, and its not for your benefit at all. The only rule I’d like to see in place is one that prevents the companies from sharing any of the info with the governments.
By Jaguar10301 on 05.26.18 6:07am
this post ^^ so full of win
By fxspec06 on 05.27.18 3:51pm
I agree that people need to take more ownership over their choices (and not just in this context). If you scroll by the agreement text to get to the "Next" button, then you’ve made it clear how much you care about the fine details. If you sign a three-year contract to get a free smartphone, don’t complain when the company holds you to it. And if the phone you buy is made by a company that has a reputation for slow OS updates, why are you shocked when they don’t update your phone? There is exactly one constant in all of these scenarios.
It’s a big problem that so many people think they deserve to get everything for free. If Hotmail, Yahoo Mail, GMail, and every other free email provider never existed, the Internet would look a lot different right now. As you say, people need to take stock of how much they get for free before they start complaining about ads, expressing outrage over apps that cost more than a buck, and claiming that every article they don’t like on a website is clickbait.
By Scatterthought on 05.28.18 5:06pm
Except their business models are not hostile. It actually has enabled the ability to provide high quality services to massive amounts of people for very limited monetary cost.
Entire industries have been built on top of these companies, especially Google.
But somehow having a targeted advertisement served to you is hostile…
By descendency on 05.26.18 9:10am
You do realize that GDPR isn’t supposed to stop data collection right?
By KidAKidB on 05.26.18 6:09pm
Except there are no lawsuits, so there’s that.
You cannot use the GDPR to sue someone, what he did instead was file a complaint with the regulatory bodies in 4 different European countries. They will probably tell Google and Facebook to get their shit in order, and only if they refuse to do so will there be fines.
By Aaargh20318 on 05.26.18 12:09pm
I honestly don’t get his complaint against Android.
By ldrn on 05.27.18 3:16am
How so?
By tomflack on 05.27.18 10:19pm
From the translations, it looks like he says it’s "forced consent" to using a Google account, but you don’t need a google account to use android, so…
By ldrn on 05.27.18 11:24pm
And does the Google account even matter if no one is forcing you to use Android in the first place?
By Scatterthought on 05.28.18 5:10pm
Maybe google play services is collecting data even if you’re not signed in. It’s been a while since I set up an android phone but I seem to remember T&S separate to the google account.
By tomflack on 05.29.18 5:44am
I am wondering which companies or websites will survive if they stopped mining user data to do anything beyond providing the service that the user went to them for.
By mkumar12345 on 05.27.18 12:54pm
I’m excited for what this is going to do to large companies playing fast-and-loose with our data, but terrified for what this will do to small startups whose only interaction with a lawyer has been "how do I incorporate my company?" Large companies can throw massive resources at their armies of hundreds of lawyers, whereas startups have no such resources. Huge, sweeping legislation like this always has unintended consequences, and I truly hope one of these consequences isn’t large companies using it as a barrier to upstart competition.
By Smartyflix on 05.25.18 10:38am
How would start ups being negatively affected be anyone’s fault than the GDPR?
Europeans want to have their cake and eat it too. Yes small start ups will be affected and if it costs large companies too much or creates huge barriers for launching services they just won’t launch new services in the EU.
By My Only Name Change on 05.25.18 10:46am
Could you be more precise about which small startups will be affected and by which part of the GDPR?
I believe that a start-up has to follow legal rules relating to employment, commerce, insurance etc. So clearly it’s possible to exist within a legal environment. The past few years we’ve seen a big push of start-ups in heavily regulated environment like construction, healthcare, fintech. So even more restrictive environments do not make it impossible to create start-ups. And of course there’s always been hugely profitable BtoB start-ups who never stopped to complain about the costs of being compliant with their clients’ security practices.
I could see it being a problem for small start-ups with huge userbases which have existing systems designed to vacuum data carelessly. The cost is in the refactoring of the system, which is mostly a one-time cost. Data retrieval and deletion can also be automated. But future companies will integrate user consent and data minimisation the same way that they integrate other development best practices.
Unless of course the start-ups you’re talking about are just marketing fronts for personal info resellers. I guess Europe will have to do without them.
By Culture Scout on 05.25.18 11:10am
Should say regulated instead of restrictive. A more or heavily regulated industry/environment can be more restrictive to which start-ups have a chance at success. But it doesn’t necessarily mean failure. More regulations just means more rules to play by. Those rules can be expensive to implement if they require expensive capital investment.
By roonhawk on 05.25.18 11:19am
Which could theoretically relate to any company that uses ads to fund services. I suppose your right Europeans can do without or grab their wallets.
By My Only Name Change on 05.25.18 11:31am
Luckily you can have an ad-based business model without reselling user data. We’re safe then?
By Culture Scout on 05.25.18 11:36am