New privacy group noyb (None of Your Business) has filed three lawsuits against Facebook and one lawsuit against Google claiming that the companies are not complying with the newly-introduced General Data Protection Regulation as they are forcing users to accept the data collection policies in exchange for using their services. The lawsuit was filed just a few hours after GDPR become law throughout the European Union.
Complaints were filed against Facebook (along with WhatsApp and Instagram) with data protection regulators in Austria, Belgium, and Germany, asking for nearly $4.6 billion in damages. A separate lawsuit was filed in France with CNIL (the French data protection agency) with regard to Android. The amounts were calculated based on GDPR’s maximum penalty of 4% of turnover.
What is noyb?
noyb is a new privacy group based in Austria that has been crowdfunded by 2500 donations of $370000 to date. The leader of noyb is Austrian privacy campaigner Max Schrems, who has had multiple cases with the Irish Data Protection Commission already. Facebook, and many other American Internet companies, are based in Ireland, which gives the Irish DPC increased responsibility in Europe. It must be assumed that noyb filed the suits outside Ireland because of Irish DPC general policy of negotiations rather than aggressive enforcement.
Who is Max Schrems?
Max Schrems has already won a landmark European court ruling in 2015 that invalidated a ‘safe harbour’ agreement between the European Union and the United States allowing firms to transfer personal data from the EU to the United States, where data protection rules were already much less strict that Europe. That gap between United States and Europe has significantly widened with the introduction of GDPR.
What is the core of the complaint?
The core of the complaint is that the online services can only obtain passive consent for data that is required to directly provide their services. noyb contends that many companies, but specifically Facebook and Google with Android, are using forced consent. Since data related to advertising services is not strictly necessary to provide the services, noyb argue that explicit consent is required. The noyb suit contends that the explicit consent for non-necessary data collection must be optional and obtained. At the moment, many online services provide a take it or leave it approach.
The press release on noyb says, “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the “agree”-button – that’s not a free choice, it more reminds of a North Korean election process.”
The noyb specially cites GDPR Article 7(4) as prohibiting forced consent and any form of bundling a service with the requirement to consent. The suit also contends that Facebook does not explain to users on what legal basis their data is collected, so there can be no informed consent anyway.
Is noyb likely to win its case?
There have been previous successes in European rulings, in 2014, that appear to support the noyb position regarding the distinction between data that is necessary for a service and data that is collected and used for other purposes (advertising in this particular case). The noyb case is essentially a test case on the interpretation of the GDPR regulations, which on paper appear to strongly support individual data rights over corporate use of personal data.
So on paper at least, noyb has a strong case. That will not stop Google and Facebook fighting every step of the way.
Expect to be reading about this case on ComplianceJunction for years to come.