GDPR is meant to give the European Union more teeth in enforcing individual privacy protection. Based on the notion of “privacy by default,” the law requires companies such as Facebook and Google to ensure that they collect and store personal data safely and securely.
To that end, the first major complaints came early Friday morning from Max Schrems, an Austrian privacy activist who has successfully challenged Facebook in the past. This time, Schrems and his organization — a lobbying group called noyb, which stands for None of Your Business — has focused its efforts on Facebook and two of its services, WhatsApp and Instagram, as well as Google’s Android smartphone operating system, charging that they violate the new E.U. law because of how they obtain users’ consent.
If local regulators agree that these companies ran afoul of GDPR, they each could see fines reaching into the billions of euros. But it isn’t the only legal threat on the horizon. Some privacy-minded organizations are hoping to use the new law to force changes at other major companies, including tech giants such as Amazon and Microsoft, data brokers such as Acxiom and Internet providers such as Verizon. New players such as the Digital Freedom Fund, with the backing of high-powered donors, are preparing to lend key financial support to upcoming litigation.
“For us this is very much the start,” said Ailidh Callander, a legal officer at Privacy International, a Britain-based privacy watchdog. “This is the new standard that many companies around the world need to meet, and we will be vigilant in how they implement it.”
Under GDPR, businesses are required to communicate — clearly, not in legalese — exactly how they collect information and why. Tech giants and other firms also must obtain explicit permission from Web users before they siphon their data. Users, meanwhile, can request copies of the information amassed by a company, such as Facebook and Google, which must delete it if a consumer requests that.
Before Friday, the day GDPR entered effect, these and other new requirements prompted companies including Apple, Facebook, Google and some of the Valley’s other top brands to retool their privacy policies — resulting in a barrage of emails updating users as to their new rights.
Going forward, European citizens and privacy advocates alike are empowered to file complaints either in their home countries or to authorities in places such as Ireland, where U.S. tech firms including Facebook and Google maintain their European headquarters. In the past, at least, E.U. regulators have shown great willingness to challenge U.S. companies on everything from privacy to competition to taxes. Many are hoping that the E.U. takes an even more aggressive tact with Silicon Valley now that it has new powers at its disposal.
Already, privacy watchdogs are contemplating ways to bring the full force of the GDPR against companies they see as most troubling to web users. Starting with Facebook and Google, Schrems contends that the tech companies already have violated Europe’s new data protection rules because they forced users to agree to their privacy policies or else lose access to those major sites and services entirely.
“In the end users only had the choice to delete the account or hit the ‘agree’-button — that’s not a free choice, it more reminds of a North Korean election process,” Schrems said in a statement.
In response, a spokeswoman for Google said Friday that the company had built “privacy and security into our products from the very earliest stages and are committed to complying with the E.U. General Data Protection Regulation.”
Erin Egan, the chief privacy officer of Facebook, also stressed the company had followed the law. “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR,” she said in a statement.
These and other tech giants face the potential for further complaints: A French-based organization, La Quadrature du Net, also announced it would file 12 complaints against companies like Amazon, Facebook, Google and Microsoft come Monday.
Other watchdog organizations plan to huddle in Brussels next month, said Jeff Chester, who leads the Center for Digital Democracy and co-chairs the Trans-Atlantic Consumer Dialog, a collection of privacy advocates from the United States and Europe. The goal, he said in an interview, is to “develop strategies and plans to bring regulatory cases, to bring lawsuits, against key companies, to force them to change their practices in the United States.”
Chester already has a potential target in mind. “Verizon is at the top of my list because they’re vulnerable for AOL,” he said, referring to the wireless giant’s previous acquisition. It also owns a portion of the former search company Yahoo. And privacy hawks in the United States have been seething for years that broadband providers manage to slip away from recent federal regulation of their privacy practices.
Privacy International, meanwhile, is focusing its attention on the “hidden data ecosystem,” said Callander, a field that includes companies such as Axciom, a company that amasses vast dossiers on people, from their socioeconomic backgrounds to their online shopping habits.
To start, Callander said Friday that her organization had sent initial investigatory letters to “understand how they think what they do, and how they treat personal data, complies with their obligations under GDPR.” From there, she said privacy advocates would decide if, how and where they would file complaints.
New sources of funding for these and other legal cases also have emerged in recent weeks. That includes the new Digital Freedom Fund, which launched in January with the backing of major players such as the Open Society Foundation, a grantmaking effort operated by George Soros, as well as the Omidyar Network, created by eBay founder Pierre Omidyar.
The Digital Freedom Fund generally seeks to focus its time and attention on “financially supporting strategic court cases” that could spell improvements in digital rights for all Europeans, said Jonathan McCully, the group’s legal adviser, in an interview Friday. In addition to offering legal and financial support to privacy cases making their way through the European legal system, McCully said that the fund also sought to aid individuals whose privacy had been breached by connecting them with “pro bono” legal support.
The prospect of hefty fines under the new law has had a different impact on smaller firms, which preferred to shut down their services to European users rather than comply with GDPR. This was the case with the websites Unroll.me and Klout, a social media analysis firm.
Likewise, a number of prominent U.S. media outlets — including the Los Angeles Times, the Baltimore Sun and the Orlando Sentinel — were blocking European users altogether Friday because of the updated privacy standards.
The law comes on the books days after Facebook CEO Mark Zuckerberg appeared in Brussels on Tuesday to take a round of heat from European lawmakers, and amid growing concern about the way social media companies in general — and Facebook in particular — handle social responsibilities beyond the networks they create.
On Wednesday, Zuckerberg met with French President Emmanuel Macron in Paris, where a number of tech company CEOs gathered at the Tech for Good conference designed to brainstorm how these firms might improve their commitment to serve society.