Why did privacy expert Max Schrems immediately file GDPR complaints against Google and Facebook – and will he win?

Posted on Jun 23, 2018 by Glyn Moody

The General Data Protection Regulation (GDPR) came into force a few weeks ago.  As Rick Falkvinge noted in his post on the topic, its impact is potentially huge. The GDPR has already led to a flood of (annoying) emails from companies eager to tell us about their updated privacy policy, and the blocking of EU visitors to some US-based sites and services – another reason to use a VPN. But it’s not clear yet whether GDPR will fundamentally re-shape privacy around the world, or simply be ignored by most major Internet companies based outside the EU. We are about to find out. Just six minutes after the enforcement of GDPR began, the Austrian data protection authority received the first complaint under the new law:

The new General Data Protection Regulation (GDPR) which came into force today at midnight is supposed to give users a free choice, whether they agree to data usage or not. The opposite feeling spread on the screens of many users: Tons of “consent boxes” popped up online or in applications, often combined with a threat, that the service can no longer be used if user do not consent. On the first day of GDPR noyb.eu has therefore filed four complaints against Google (Android), Facebook, WhatsApp and Instagram over “forced consent”.

“Forced consent” refers to the practice of offering two basic choices to users of an online service: agree to be tracked for the purposes of serving up ads, or be thrown off the service. This is not, obviously, the effect that those behind the GDPR wished to produce. The four complaints seek rulings from the courts that this practice is now illegal, with correspondingly hefty fines, potentially amounting to billions of dollars under the GDPR.

The organization noyb.eu – which stands for “None Of Your Business” – was set up at the end of last year using crowdfunding to support its work. It specifically aims to use the new GDPR to hold powerful Internet companies to account if they abuse the privacy of their users. That’s possible thanks to an important new capability under the GDPR for activist groups to bring complaints on behalf of consumers.

The driving force behind the noyb.eu project is the Austrian privacy lawyer Max Schrems. Privacy News Online has already written about him several times. He has been tackling what he sees as Facebook’s cavalier attitude to privacy since 2013. He is probably most famous for initiating the legal challenge to the Safe Harbor framework that governed the flow of personal data from the EU to the US. As a result of his complaint, Safe Harbor was struck down by the EU’s highest court, the Court of Justice of the European Union (CJEU).

To replace Safe Harbor, the US and EU agreed a new system called Privacy Shield. But according to Schrems, the new scheme is just as flawed as the old one. The underlying problem is the access that the NSA has to EU personal data via US Internet companies. As a result, Schrems brought a complaint against the Privacy Shield framework. This has now been referred to the CJEU for a ruling, where many commentators – and Schrems himself, naturally – expect a similar result to the previous case which led to Safe Harbor being thrown out.

The CJEU cases both deal with the flow of personal data across the Atlantic. The GDPR gives digital rights activists a much more powerful weapon for fighting privacy abuse more directly. As the almost instant filing of his complaints shows, Schrems has been preparing to use the GDPR’s new requirements for some time. They are not the product of a sudden desire to challenge Internet companies, but the result of long research and planning. Couple that with the fact that Schrems has prevailed in practically every privacy case he has brought in various courts across Europe, and the assumption has to be that he has chosen his targets for good reasons, in order to set strong legal precedents, and that he has a fair chance of winning.

Schrems has also chosen carefully the data protection authorities where he has lodged his complaints so as to maximize the support he will receive from them. For example, the complaint against Google’s Android operating system has been filed with the French data protection authority CNIL. In 2015, CNIL ordered Google to remove search results globally, or face big fines. It is therefore likely that it will view noyb.eu’s move against Android with interest. Schrems filed his complaint against Facebook’s Instagram with the Belgian Privacy Commission, which forced Facebook to change its tracking of non-Facebook users back in 2015. Similarly, the complaint against WhatsApp was lodged in Hamburg, where the data protection authority is already investigating both Google and Facebook over their handling of user privacy.

The central question raised by noyb.eu’s four complaints is broadly the same: are Internet companies allowed to limit a user’s options to either accepting tracking and advertising, or not using the service at all? That stark choice certainly seems to be a clear example of “forced consent”, which the GDPR forbids, since the only way to use the service is to accept the terms on offer, whether or not they are fair. However, the counter-argument is that companies should have the right to lay down the terms for users of their service, and that nobody is forcing people to use the service if they are unhappy about the conditions.

However, there may be middle ways that satisfy both sides. For example, tracking is deployed to allow highly-targeted ads to be served up: do they need to be? The dangers of this technique have been made clear in the Cambridge Analytica scandal, where hypertargeted ads may have been used to influence elections. Already, some sites offer visitors the option of no tracking and general ads. Alternatively, the introduction of the GDPR may be the final push needed for online companies to consider charging for their services, instead of depending on advertising. For example, the Washington Post now has a “Premium EU Subscription” that promises “No on-site advertising or third-party ad tracking”, unlike the other, cheaper options. Given the funding crisis for media these days, such a shift could not only satisfy GDPR requirements but also provide much-needed additional funding for online creativity.

Even if Schrems ultimately fails with these first complaints, he has made it clear that this is just the start:

The complaints about “forced consent” are the first action of the newly founded organization noyb.eu. The Center for Digital Rights is already planning further complaints about the illegal use of user data for advertising purposes or “fictitious consent”.

Moreover, other digital rights organizations are planning to launch their own campaigns using the GDPR. For example, the French group La Quadrature du Net has sent privacy complaints to CNIL concerning five top Internet companies: three for Google (Gmail, YouTube et search), plus one each for Apple, Facebook, Amazon and LinkedIn. More are likely to follow. In the UK, Privacy International (PI) has announced a campaign investigating a range of data companies that make up what it calls “a largely hidden data ecosystem” – an important topic explored by Privacy Online News a year ago. As PI explains:

This hidden data ecosystem is comprised of thousands of non-consumer facing data companies – such as Acxiom, Criteo, Quantcast – that amass and exploit large amounts of personal data. Using the rights and obligations provided for within the new data privacy law, PI’s campaign involves investigating a selection of these companies whose business models raise questions under GDPR.

The high-profile launch of noyb.eu’s complaints against Google and Facebook just minutes after the GDPR came into force is a dramatic demonstration of how quickly this whole area is moving. But the plans by other organizations to use the GDPR to probe how well companies protect personal data are an indication that the efforts to call powerful companies to account are likely to become much wider than Schrem’s one-man crusade against global privacy violations.

Featured image of Max Schrems by http://europe-v-facebook.org.