When Mark Zuckerberg testified in front of members of the European Parliament on Tuesday, he insisted that Facebook was ready for Friday, the day when the European Unions’s strict new data privacy law went into effect. But users in Europe have already filed complaints against Facebook and others today, saying the tech companies are in violation of the General Data Protection Regulation (GDPR).
The GDPR was passed in April 2016 and instituted stringent new rules on any company that held consumer data. User agreements, notorious for being long and complicated, are now supposed to be in plain language. And companies like Facebook and Google are supposed to let you know precisely what kind of data they’re collecting and/or selling about you.
So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.
“The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent,” Max Schrems from the European Center For Digital Rights said in a statement.
Schrems refers to the pop-ups that users in European countries now see regularly, and points to the fact that there’s been no improvement in what would be called “informed consent” about what kind of data companies like Facebook and Google are collecting that they don’t necessarily “need” in order to provide you with their services.
“If companies realise that annoying pop-ups usually don’t lead to valid consent, we should also be free from this digital plague soon,” Schrems continued. “GDPR is very pragmatic on this point: whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”
And aside from the simple desire to see companies adhere to the new legislation, advocates see compliance with GDPR as a way to tackle the virtual monopolies that the big tech companies currently have.
“The fight against forced consent ensures that the corporations cannot force users to consent,” said Schrems. “This is especially important so that monopolies have no advantage over small businesses.”
Google told the BBC that it’s “committed to complying with the EU General Data Protection Regulation” and Facebook has insisted that it’s spent the past 18 months getting prepared for GDPR. Google and Facebook did not immediately reply to Gizmodo’s request for comment.
Companies face incredibly strict fines if they’re found to be in violation of the GDPR, which would require some kind of audit to ensure their compliance. It’s not yet clear how soon European regulators will start actively enforcing the law, but companies had over two years to prepare for it.
GDPR allows the EU to collect a maximum penalty of four per cent of global revenue after the second violation, which would be in the billions of dollars for companies like Facebook and Google.
“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,’ Schrems said.
Update, 10:15am: Google just sent Gizmodo this statement:
We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.
Update: And Facebook just sent Gizmodo this statement from the company’s Chief Privacy Officer, Erin Egan:
We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.
Our work to improve people’s privacy doesn’t stop on May 25th. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.
We’ll see how that works out for them in due time.