On the first day of GDPR enforcement, Facebook and Google have been hit with a raft of lawsuits accusing the companies of coercing users into sharing personal data. The lawsuits, which seek to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars), were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices.
GDPR requires clear consent and justification for any personal data collected from users, and these guidelines have pushed companies across the internet to revise their privacy policies and collection practices. But there is still widespread uncertainty over how European regulators will treat the requirements, and many companies are still unprepared for enforcement.
Both Google and Facebook have rolled out new policies and products to comply with GDPR, but Schrems’ complaints argue those policies don’t go far enough. In particular, the complaint singles out the way companies obtain consent for the privacy policies, asking users to check a box in order to access services. It’s a widespread practice for online services, but the complaints argue that it forces users into an all-or-nothing choice, a violation of the GDPR’s provisions around particularized consent.
Shrems told the Financial Times that the existing consent systems were clearly noncompliant. “They totally know that it’s going to be a violation,” he said. “They don’t even try to hide it.”
The lawsuits are broken up into specific products, with one filed against Facebook and two others against its Instagram and WhatsApp subsidiaries. A fourth suit was filed against Google’s Android operating system.
Both companies have disputed the charges, arguing that existing measures were adequate to meet GDPR requirements. “We build privacy and security into our products from the very earliest stages,” Google said in a statement, “and are committed to complying with the EU GDPR.”
Facebook offered a similar defense, saying, “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR.”