Facebook and Google may already have fallen foul of European privacy laws which took effect today, in a move that critics say could cost the companies billions.
A group that campaigns for data protection rights says it has filed legal complaints against the sites, as well as Instagram and WhatsApp, over their handling of GDPR.
The group NOYB.EU – which stands for ‘none of your business’ – has taken issue over the way the firms obtain users’ consent under the new EU rules.
It claims its action could force the US internet giants to pay up to €7 billion (£6.1 / $8.2 billion).
Privacy group NOYB.EU has taken issue over the way the firms obtain users’ consent under the new EU rules. Max Schrems, a veteran of legal fights against Facebook and chair of the group, said this amounts to ‘forced consent’, which is prohibited by GDPR
In a statement Friday, the Austrian-based group argued that the companies are making users’ consent to their new terms of service a requirement if they want to continue using the service.
Those who object have to delete their account.
Max Schrems, a veteran of legal fights against Facebook and chair of the privacy group, said this amounts to ‘forced consent’, prohibited by the EU’s General Data Protection Regulation (GDPR).
Starting today, companies that collect or process the personal information of EU residents must comply with new rules that protect the privacy of people’s data.
The European Union’s General Data Protection Regulation is a new data protection law that aims to strengthen and unify data protection for all individuals within the EU.
This means cracking down on how companies like Google and Facebook use and sell the data they collect on their users.
The law marks the biggest overhaul of personal data privacy rules since the birth of the internet.
Under GDPR, companies will be required to report data breaches within 72 hours, as well as to allow customers to export their data and delete it.
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
Further, the controller must provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Under the right to be forgotten, also known as Data Erasure, are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subject withdrawing their consent.
This right requires controllers to compare the subjects’ rights to ‘the public interest in the availability of the data’ when considering such requests.
Facebook and Google may already have fallen foul of European privacy laws which took effect today, in a move that could cost the companies billions, activists say. This is the latest in a growing list of criticisms levelled against Mark Zuckerberg’s firm
The rollout has been welcomed but is also causing confusion.
Companies are trying to understand what level of protection different data needs, whether this could force them to change the way they do business and innovate, and how to manage the EU’s 28 national data regulators, who enforce the law.
That uncertainty, together with stiff penalties for violating the law, has convinced internet-based businesses such as Unroll.me, an inbox management firm, and gaming company Ragnarok Online to block EU users from their sites. U.S. retailer Pottery Barn said it would no longer ship to EU addresses.
Earlier today, The Los Angeles Times said it was freezing readers in parts of Europe out of its website as new privacy rules come into force across the European Union.
Web users in Germany who visited the site got a notice saying the L.A. Times is ‘engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market.’
It added that the company is trying to ‘identify technical compliance solutions that will provide all readers with our award-winning journalism.’
No further details were provided.
Companies worldwide have been sending their customers notices in recent days informing about changes to their terms of service, as part of efforts to comply with the new European rules, known as the General Data Protection Regulation.
The new data privacy law has some Europeans scratching their heads over what to do.
In Finland, the government says it has been contacted by households asking whether the law means they can no longer email invitations for a child’s birthday party.
The Finnish Justice Ministry’s Anu Talus told broadcaster YLE that the data privacy rules do not affect private households. The law only affects data that is intended for professional or commercial activities.
The broadcaster tody listed another case that had citizens puzzled.
Should timetables for users of Finnish saunas, which show residents’ names, be removed from the facility?
Finland’s Data Protection Ombudsman Reijo Aarnio said that was a ‘typical issue of interpretation,’ adding it was probably fine to assume that a sauna schedule can be visible.