As GDPR takes effect, Austrian activist challenges 'forced consent'

On the first day the European Union's new data protection laws went into effect, An Austrian lawyer and privacy advocate wasted no time filing complaints against several tech giants, arguing they were acting illegally. 

Austrian lawyer and privacy activist Max Schrems displays his Facebook account's updated terms page at a cafe on May 22, 2018 in Vienna. Mr. Schrems won a landmark lawsuit in 2015 that prevented the EU from transferring user data to the US – where it would be less regulated.

Heinz-Peter Bader/Reuters

May 25, 2018

As Europe's new privacy law took effect on Friday, one activist wasted no time in asserting the additional rights it gives people over the data that companies want to collect about them.

Austrian Max Schrems filed complaints against Google , Facebook, Instagram, and WhatsApp, arguing they were acting illegally by forcing users to accept intrusive terms of service or lose access.

That take-it-or-leave-it approach, Mr. Schrems told Reuters Television, violates people's right under the General Data Protection Regulation (GDPR) to choose freely whether to allow companies to use their data.

Democrats begin soul-searching – and finger-pointing – after devastating loss

"You have to have a 'yes or no' option," Schrems said in an interview recorded in Vienna before he filed the complaints in various European jurisdictions.

"A lot of these companies now force you to consent to the new privacy policy, which is totally against the law."

The GDPR overhauls data protection laws in the European Union that predate the rise of the internet and, most importantly, foresees fines of up to 4 percent of global revenues for companies that break the rules.

That puts potential sanctions in the ballpark of anti-trust fines levied by Brussels that, in Google's case, have run into billions of dollars.

Andrea Jelinek, who heads both Austria's Data Protection Authority and a new European Data Protection Board set up under GDPR, appeared to express sympathy with Schrems' arguments at a news conference in Brussels.

They took up arms to fight Russia. They’ve taken up pens to express themselves.

Asked about the merits of Schrems' complaints, Ms. Jelinek said: "If there is forced consent, there is no consent."

Schrems was a law student when he first took on Facebook and he's been fighting Mark Zuckerberg's social network ever since –becoming the poster-boy for data privacy.

He won a landmark European court ruling in 2015 that invalidated a "safe harbor" agreement allowing firms to transfer personal data from the EU to the United States, where data protection is less strict.

With GDPR in mind, he recently set up a non-profit called None of Your Business (NOYB) that plans legal action to blunt the ability of the tech titans to harvest data that they then use to sell targeted advertising.

His laptop perched on the table of a traditional Viennese coffee house, Schrems showed how a pop-up message on Facebook seeks consent to use his data – and how he is blocked when he refuses.

"The only way is to really accept it, otherwise you cannot use your Facebook any more," Schrems explained.

"As you can see, I have my messages there and I cannot read them unless I agree."

Erin Egan, Facebook's chief privacy officer, said in a statement that the company has prepared for 18 months to ensure it meets the requirements of GDPR by making its policies clearer and its privacy settings easier to find.

Facebook, which has more than 2 billion regular users, has also said that advertising allows it to remain free, and that the whole service, including ads, is meant to be personalized based on user data.

Schrems said, however, that Instagram, a photo-sharing network popular with younger users, and encrypted messaging service WhatsApp – both owned by Facebook – also use pop-ups to gain consent and bar users who refuse.

The action brought by NOYB against Google relates to new smartphones using its Android operating system. Buyers are required to hand over their data or else own "a 1,000-euro brick" that they can't use, Schrems said.

Google did not immediately respond to a request for comment.

NOYB is filing the four claims with data protection authorities in France, Belgium, Germany, and Austria. Ensuing litigation may play out in Ireland, where both Facebook and Google have their European headquarters.

One filing, made against Facebook on behalf of an Austrian woman, asks the country's data protection authority to investigate and, as appropriate, prohibit data processing operations based on invalid consent.

It also asks the regulator to impose "effective, proportionate, and dissuasive" fines as foreseen by GDPR, which in Facebook's case could run to 1.3 billion euros ($1.5 billion).

"So far it was cheaper just to ignore privacy rights," said Schrems. "Now, hopefully, it's going to be cheaper to follow them because the penalties are so high."

This story was reported by Reuters.