The ink was barely dry on the European Union’s new General Data Protection Regulation (GDPR) when a European privacy advocate sued Google, Facebook and Facebook-owned Instagram and Whatsapp, claiming they violated the regulation by using “forced consent” practices to obtain consumer data.
The lawsuits were filed with data protection agencies (DPAs) in Austria, Belgium, France and Germany by crowdfunded non-governmental agency noyb.eu (for “none of your business”) and its chairman, Austrian attorney Max Schrems. Ireland’s DPA may also be involved, as GDPR calls for inter-agency cooperation in privacy issues, and Instagram, Whatsapp and Facebook all have their European headquarters there.
In a nutshell, Schrems argues that “forced consent,” i.e. cutting off of services or accounts for anyone who refuses to hit the “agree” button, is a violation of GDPR. The new law requires service providers to give users a choice in terms of consent, unless it’s required to make the service work.
“Facebook has even blocked accounts of users who have not given consent,” Schrems said in a statement. “In the end users only had the choice to delete the account or hit the ‘agree’ button – that’s not a free choice, it more reminds of a North Korean election process.”
In a release on the complaints, noyb.eu said the removal of forced consent wouldn’t prohibit service providers from using customer data.
“The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent,” the group said.
Both Google and Facebook say existing measures they have taken make them compliant with GDPR, according to The Verge. “We build privacy and security into our products from the very earliest stages,” Google said in a statement, “and are committed to complying with the EU GDPR.”
“We have prepared for the past 18 months to ensure we meet the requirements of the GDPR,” Facebook said in its statement.
Facebook founder Mark Zuckerberg also addressed the issue at the VivaTech conference in Paris, according to TechCrunch.
“We’ve been rolling out the GDPR (consent) flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline,” Zuckerberg said. “And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads.”
TechCrunch points out, however, that Facebook doesn’t give users the choice to accept or decline targeted advertising, but to quit the service entirely.