Max Schrems is the Austrian privacy lawyer who had complained about the transfer of his data to the United States by Facebook: he argued that, in light of the Snowden revelations, once his data was transferred by Facebook from the EU to the U.S., he no longer benefitted from an adequate level of protection. Schrems obtained a judgment of the Court of Justice of the European Union in October 2015, which invalidated the Safe Harbor agreement between the European and US authorities. We commented on that decision and the more recent one started in Vienna based on data protection law, but also on theories of tort and unjust enrichment.
These most recent complaints based on GDPR are against Google, Facebook and two Facebook subsidiaries, Whatsapp and Instagram. They were filed with four different Data Protection Authorities: the French Authority will deal with Google, the Belgian Authority with Instagram, the German Authority in Hamburg will deal with Whatsapp, and the Austrian one will deal with Facebook.
Each complaint has been filed on behalf of one individual who resides in the country where the complaint was filed and has been using the services provided by the company. Copies of the complaints have been made available on the noyb.eu website except that the identity of the individuals is not disclosed, obviously, in order to protect their privacy.
The four complaints are very similar. They are based on provisions of the GDPR (and not on the equivalent provisions of the national legislation), more precisely on the following rules:
- any data processing must be done on the basis of one of the legal basis listed in the GDPR, which includes consent and the fact that the processing is necessary for the purposes of a contract;
- consent has to be informed, freely given and “granular” i.e. specific to each data processing.
The complaints also refer to the Guidelines issued by the Article 29 Working Party on consent.
Noyb.eu claims that the consent is not granular (for Google android for example, consent covers all the services offered by Google) and not freely given since the user does not, in fact have a real choice: the four internet giants have adopted a “take it or leave it” policy: either the user consents or he/she does not consent and can no longer benefit from the services. They point out that there is a huge imbalance between users and these internet giants and that this can be taken into consideration when assessing whether consent is given freely.
Noyb.eu is asking each Data Protection Authority to initiate investigations, impose a fine and get the companies to provide them with a copy of the “Article 30 Record” which they now have to maintain under the GDPR. They claim that the maximum fine of 4% of the wordwide sales should be imposed because these are large companies with many legal experts which cannot claim that they did not know about the Guidelines issued by the Article 29 Working Party. For Google the amount of the maximum fine would 3.7 billion euros and for Facebook and its subsidiaries, 1.3 billion each. In fact, the GDPR states that several criterions have to be taken into consideration when assessing the amount of the fine and one of these criterions is whether the company cooperates with the data Protection Authority. At this stage, we do not know how the four companies will cooperate and therefore this position is probably somehow premature. Noyb.eu is also asking the Data Protection Authorities to order the companies to stop processing personal data in this manner. The European Data Protection Authorities has exercised its power to do so in a few cases.
These four complaints filed on the early hours of May 25 were the first ones, but not the last. On May 28, a French organization called “La Quadrature du Net” filed seven complaints with the French Data Protection Authority on behalf of thousands of individuals and has stated it is planning to file five more. These complaints also targeted Facebook (against which the highest number of individuals mandated La Quadrature: 10,569) but added other Google services (Gmail, YouTube and Search), Apple, Amazon and LinkedIn. As noyb.eu did, these latest complaints are asking the French Authority to order the named companies to stop their personal data processing activities and to impose fines which, according to them, should be as high as possible, given the “massive, long term and manifestly deliberate breaches”.
Who will be next?