Facebook and Google have already been targeted by four complaints based on the General Data Protection Regulation, a strict European Union law regulating digital privacy practices which went into effect today after being in the making for years. Privacy enforcement NGO noyb.eu filed complaints against Google’s Android, Facebook, and the latter’s affiliates Instagram and WhatsApp, accusing all four of forcing user consent to their privacy policies. Irish Data Protection Commissioner is also expected to become involved in the cases together with top EU privacy regulators as the European arms of all defendants are based in Ireland.
The petitions themselves are relatively similar to one another, alleging Google, Facebook, and their subsidiaries practice consent “bundling,” packaging privacy policies of many of their services together. GDPR also prevents digital companies, including websites, for denying access to their services if they are refused to utilize certain user data, which both Facebook and Google do as part of their core business models, the NGO says. GDPR doesn’t outlaw processing of necessary data Internet firms need to keep their service operational and continue improving them but mandates that the collection of any information for advertising purposes is only conducted after explicit opt-in consent has been received from users. The European privacy watchdog is hoping its complaints will set a precedent for “sane” implementations of GDPR and immediately put an end to any attempts at “fishing for consent.”
Consent pop-ups and many other practices for obtaining user permission for mining data in an aggressive manner represent GDPR‘s first major legal test, many industry watchers believe. Under the new regulatory framework, privacy violators can be penalized with up to four-percent of their annual revenues. In the case of Google and Facebook, those fines could reach well over a billion dollars. Should noyb.eu’s complaints be successful, they’re also likely to outlaw consent pop-ups preventing users from accessing websites before agreeing to their data being harvested for commercial purposes.