Austrian lawyer and privacy activist Max Schrems filed several multi-billion euro complaints in courts around Europe against Google (Android), Facebook, and two Facebook subsidiaries WhatsApp and Instagram [complaints, PDF] Friday—the same day as EU data protection laws, the General Data Protection Regulation (GDPR) [official website], went into effect.
Combined, the lawsuits seek to fine a total 6.7 billion euro (€3.9 billion against Facebook, €3.7 billion against Google), or around USD $8.8 billion.
Schrems’ activist group named noyb, for “none of your business,” argues in an organization statement [press release] that these companies practice “forced consent,” which is prohibited by the GDPR:
The new General Data Protection Regulation (GDPR) which came into force today at midnight is supposed to give users a free choice, whether they agree to data usage or not. The opposite feeling spread on the screens of many users: Tons of “consent boxes” popped up online or in applications, often combined with a threat, that the service cannot longer be used if users do not consent.
Noyb notes that the Irish Data Protection Commissioner [official website] will also likely get involved because “the headquarters of the relevant companies is in Ireland in three cases.”
As of Friday, the GDPR serves as the sole data protection rules for all companies operating in the EU, no matter where their principle place of business or headquarters. Some measures under the new rule include requiring organizations to report personal data breaches to data protection authorities, stricter thresholds of consent and transparency, and sanctions that include the ability to fine organizations up to €20 million or 4 percent of annual global turnover, whichever is higher. The new measure permits mass lawsuits, similar to class actions in the United States.
Schrems has been pursuing internet user privacy litigation for several years. The European Court of Justice (ECJ) dismissed a class action privacy lawsuit against Facebook in January, ruling that Schrems can sue Facebook in his home country as an individual [JURIST report]. In 2015, Schrems won [JURIST report] in the ECJ when it ruled that EU user data transferred to the US by various technology companies was not sufficiently protected.