Privacy à la “take it or leave it”? The new General Data Protection Regulation (GDPR) which came into force today at midnight is supposed to give users a free choice, whether they agree to data usage or not. The opposite feeling spread on the screens of many users: tons of “consent boxes” popped up online or in applications, often combined with a threat that the service can no longer be used if users do not consent. On the first day of GDPR noyb.eu has therefore filed four complaints against Google (Android), Facebook, WhatsApp and Instagram over “forced consent”.
Original Complaints, as filed:
- Google LLC (Android), filed with the French DPA (CNIL)
- Instagram (Facebook Ireland Ltd), filed with the Belgian DPA (CPP)
- WhatsApp Ireland Ltd, filed with the Hamburg DPA (HmbBfDI)
- Facebook Ireland Ltd, filed with the Austrian DPA (DSB)
Overview of the complaints. Very similar complaints were field with four authorities, to enable European coordination. In addition to the four authorities at the residence of the users, the Irish Data Protection Commissioner (link) will probably get involved in the cases too, as the headquarter of the relevant companies is in Ireland in three cases.
GDPR prohibits “bundling” The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017 (link).
Separation of necessary & unnecessary data usage. An end of “forced consent” does not mean that companies can no longer use customer data. The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent. With this complaint we want to ensure that GDPR is implemented in a sane way: Without just moving towards “fishing for consent”.
Putting an end to annoying pop-ups. If the complaints of noyb.eu are successful, it will also have a very practical effect: Annoying and obtrusive pop-ups which are used to claim a user’s consent, should in many cases be a thing of the past.
Important for SMEs. The fight against forced consent is also important for small and local companies, which usually cannot force their customers to agree to policies – other than big online monopolies.
Billion penalties, but will GDPR show teeth? These first complaints will also be a crucial test of the law: with a penalty of 4% of global revenue, Google or Facebook would have to pay more than a billion Euros for violating the law. Currently we do not expect that DPAs will use the full penalty powers, but we would expect a reasonable penalty, given the obvious violation.
noyb.eu gets privacy on your phone. Article 80 of the GDPR foresees that data subjects (in this case users from France, Belgium, Austria and Germany) can be represented by a non-profit association, as individual users are usually unable to file the relevant legal complaints. In this case all four users are represented by the non-profit noyb.eu.
Next topics for noyb.eu The complaints about “forced consent” are the first action of the newly founded organization noyb.eu. The Center for Digital Rights is already planning further complaints about the illegal use of user data for advertising purposes or “fictitious consent”.