Facebook bête noire Max Schrems, the Austrian privacy campaigner, today launched lawsuits worth over €7 billion under GDPR – Europe’s new data protection laws – against Facebook, Google, Instagram and WhatsApp.
The law suits were filed against Google in France, Instagram in Belgium Whatsapp in Ireland and Facebook in Austria by activist group noyb.eu.
The suites accuse the companies of forcing users to accept their data collection policies. The company says it seeks users’ consent for certain specific types of data processing, such as ads based on data from partners; political, religious, and relationship information on user profiles and face recognition.
It claims others are necessary to provide personalised, free service to people around the world “contractual necessity” under GDPR.
Facebook’s chief privacy officer Erin Egan told Computer Business Review: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.”
She added: “Our work to improve people’s privacy doesn’t stop on May 25th. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”
Brian Vecci, Technical Evangelist at Varonis said: “It’s not surprising that the big tech companies are the first to face problems now that the GDPR is in effect. They have the most data about the most people and their business depends on exploiting it. Ignoring it is the last thing that the big tech companies have been doing, but that’s not necessarily true of all of the other companies…”
He added: “In our recent Global Data Risk Report, we found that 58% of companies have more than 100,000 folders open to everyone in the company, meaning that data is neither secure nor private. Companies that take at least the first step of mapping out what personal data they have, identifying where it’s exposed, and monitoring how it’s used—even if they haven’t yet started fixing the problems they’ll inevitably find—are going to be way ahead of everyone else. The big tech companies are in the spotlight right now but they’re not the only ones who are going to have to face the music.”
In a paper published by noyb.eu, Max Schrems said: “It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’.
Facebook says on its GDPR page: “As is the case today, any transfers of personal data outside of the EEA (European Economic Area) must meet certain legal requirements. Facebook Inc. is certified under the Privacy Shield framework. Under this framework, we receive and process personal data from our advertisers in the EU. We do this in connection with certain products, including data file Custom Audiences, attribution checkup and certain offline conversion lift studies.”
Google commented, “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”