Europe’s General Data Protection Regulation (GDPR) took effect today, and complaints were promptly filed by a nonprofit group against Facebook, Google, WhatsApp and Instagram over “forced consent.”
The Austria-based group None Of Your Business (Noyb) argues that “Tons of “consent boxes” popped up online or in applications, often combined with a threat, that the service cannot longer be used if users do not consent.”
Noyb apparently was ready with its complaints when GDPR became law at midnight in Europe.
The complaints were filed with four authorities, based on the residences of users. Article 80 of the GDPR allows users to be represented by a non-profit association, Noyb states.
The case against Google was filed with the CNL in France, and the complaint against Instagram with the DPA in Belgium.
The filing against Facebook was with Austria’s DSB and the one against WhatsApp was filed with the Hamburg data commissioner.
In addition, Ireland’s data protection commissioner will probably get involved in the cases “as the headquarter of the relevant companies
is in Ireland in three cases,” according to Noyb.
Noyb contends that “The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data.”
The group also seeks to halt “annoying and obtrusive pop-ups which are used to claim a user’s consent.”
The filings will level the playing field for small companies that “usually cannot force their customers to agree to policies,” Noyb continues.
The group does not expect that authorities “will use the full penalty powers, but we would expect a reasonable penalty, given the obvious violation.” The maximum penalty is 4% of global revenue.
Facebook responded in a statement that it has spent 18 months preparing to meet the requirements of GDPR, according to the BBC.
Google told the BBC: "We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation."