Europe’s General Data Protection Regulation (GDPR) took effect
today, and complaints were promptly filed by a nonprofit group against Facebook, Google, WhatsApp and Instagram over
“forced consent.”
The Austria-based group None Of Your Business (Noyb) argues that “Tons of “consent boxes” popped up online or in applications, often combined
with a threat, that the service cannot longer be used if users do not consent.”
Noyb apparently was ready with its complaints when GDPR became law at midnight in Europe.
The
complaints were filed with four authorities, based on the residences of users. Article 80 of the GDPR allows users to be represented by a non-profit association, Noyb states.
The case against
Google was filed with the CNL in France, and the complaint against Instagram with the DPA in Belgium.
The filing against Facebook was with Austria’s DSB and the one against WhatsApp was
filed with the Hamburg data commissioner.
In addition, Ireland’s data protection commissioner will probably get involved in the cases “as the headquarter of the relevant companies
is in Ireland in three cases,” according to Noyb.
Noyb contends that “The GDPR prohibits such forced consent and any form of bundling a service with the requirement to
consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data.”
The group also seeks to halt “annoying
and obtrusive pop-ups which are used to claim a user’s consent.”
The filings will level the playing field for small companies that “usually cannot force their customers
to agree to policies,” Noyb continues.
The group does not expect that authorities “will use the full penalty powers, but we would expect a reasonable penalty, given the
obvious violation.” The maximum penalty is 4% of global revenue.
Facebook responded in a statement that it has spent 18 months preparing to meet the requirements of GDPR, according to
the BBC.
Google told the BBC: "We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation."