Big American technology companies were the first to be hit with complaints for how they handle users’ personal information under the new EU data protection regulation known as GDPR.
As the sweeping privacy legislation took effect across the EU on Friday (25 May), Facebook and Google came under scrutiny in four separate cases in Austria, Belgium, France and Germany.
NOYB, a privacy NGO run by Austrian lawyer Max Schrems, filed complaints against Google, Facebook, and Facebook-owned Instagram and WhatsApp, for their alleged breach of the GDPR’s rules requiring a company to obtain explicit consent from users before processing their personal data.
Schrems was also behind a landmark 2015 lawsuit that brought down the Safe Harbour data sharing agreement between the EU and the United States.
American tech companies can expect to come under even more pressure in the next few days. French NGO La Quadrature du Net is collecting signatures for a class action lawsuit against Facebook, Google, Amazon, Apple and Microsoft and will send its complaint to France’s national data protection authority on Monday (28 May).
Arthur Messaud, a legal advisor at the NGO, said the lawsuit will take aim at the companies’ alleged use of “forced consent”, following the same legal grounds as Schrems’ complaints.
“Consent should not be a condition and should not be bound to the fact that you can access a service, but this is exactly what happens on Facebook or Google. You cannot use Facebook if you do not consent to how they use your data,” Messaud said.
GDPR creates a new system that requires national data protection authorities from every EU country to consult and agree as a group on each case that draws on the law.
They must also reach a consensus on whether to sanction companies that break the rules – the law gives regulators the power to slap firms with a record-high fine of €20 million or 4% of their global turnover.
But it’s unlikely that most companies will face fines that high.
Andrea Jelinek, the chair of the European data protection board, the new umbrella group of national regulators, told a Brussels conference inaugurating the GDPR on Friday, “I promise, we are no sanctioning machines.”
“If it’s necessary to fine, we won’t hesitate to do it,” she added.
Complaints can be filed in any EU country, but one national regulator must take the lead on investigations if a company is based in their jurisdiction.
Facebook and Google have their European headquarters in Ireland. That means that the new system will put Ireland’s privacy authority in the spotlight as legal grievances pile up.
“There’s no doubt there will be lots of pressure that will be brought to bear, lots of consultation that will need to take place,” Helen Dixon, the Irish data protection authority, told reporters on Friday after a meeting of the national privacy regulators in Brussels.
“We are going to have a lot on our plates,” Dixon said of her Dublin office.
The Irish authority has announced plans to hire more staff this year to deal with the new complaints. In addition to new in-house hires, Dixon said she may borrow legal experts from other countries’ regulators to deal with upcoming investigations.
Jelinek, who also serves as Austria’s privacy authority, told a Brussels conference on Friday that her office had received the complaint against Facebook from Schrems’ NGO at 1:26AM that morning. The GDPR took effect at midnight.
Schrems lodged the complaint against Facebook in Austria, while his NGO’s files against Google were sent to France’s authority, the complaint against WhatsApp went to Hamburg’s watchdog and another complaint against Instagram to Belgium.
NOYB said in a statement that it distributed the four complaints to different authorities in order “to enable European cooperation”. The four offices will forward the files to Dublin. Dixon said on Friday afternoon that her office has not yet received Schrems’ complaints.
In a show of companies’ uncertainty over how to comply with the GDPR, some websites shut down their services for European internet users on Friday.
Websites of American media outlets including the Los Angeles Times were blocked in the EU. A notice displayed to Europeans who tried to access the newspaper’s website said, “our website is currently unavailable in most European countries.
We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market”.
Jelinek told reporters she had not yet been in contact with with the Los Angeles Times over the issue.
“I’m convinced that the loss of information won’t be that that big because I’m sure the Los Angeles Times will reopen their website,” she said.
On Friday, twelve EU countries had confirmed that their national laws were updated to make room for the GDPR. Eight more countries informed the European Commission that they will finish those legal procedures soon.
But another eight countries, Bulgaria, Belgium, Cyprus, Greece, the Czech Republic, Hungary, Lithuania and Slovenia, missed the 25 May deadline altogether and did not appear close to introducing the GDPR into their national legal systems.
EU Justice Commissioner Vera Jourova told the GDPR conference on Friday that she had written earlier that morning to ministers who oversee data protection laws in each of the 28 EU countries. To some ministers, she shared a congratulatory message. But Jourova’s letters to ministers from the eight unprepared countries included a warning that they must update their legal systems.
There could be a wave of legal battles ahead: if countries do not translate the GDPR into national law, the Commission could take them to court.