The European Union’s General Data Protection Regulation has been in effect for less than a week. It was always clear that a vast number of companies would comply in only the most perfunctory way, at least while the law was being tested. But the big tech companies, sure to face scrutiny, were expected to show a little more rigor. Instead, they appear to be hoping that they won’t get caught or that their lawyers will take care of any complaints.
Most consumers don’t have the time or expertise to complain about shoddy GDPR compliance. Max Schrems, the Austrian lawyer who has waged a privacy crusade against Facebook since 2011, does. His nonprofit group, NOYB (None of Your Business), has filed complaints with privacy regulators against Google, Facebook, Instagram and WhatsApp. Schrems has a pretty good idea of the corners these services are trying to cut when it comes to GDPR compliance.
A Facebook user represented by NOYB claims in the complaint to the Austrian authorities that the social network demands consent to its entire privacy policy, listing only account deletion as an alternative. The policy, meanwhile, empowers the company to collect every possible kind of data, including information about political and religious views. It requires the user to accept data collection for advertising purposes as if it were essential to the use of Facebook, part of the contract offered by the service -- though most users, especially long-standing ones who joined before Facebook’s monetization, would be surprised if told directly that personalized ads were an inalienable part of the deal.
"Consent can only be a lawful ground for processing if data subjects are offered a genuine and realistic choice to accept or decline the terms of a service or to decline these terms without detriment," the complaint says.
That neatly sums up the most basic GDPR requirement. As someone who has searched in vain for ways to reject some of Facebook’s new rules, I must agree with Schrems that the company fails to fulfill it. My consent to the terms of service was not freely given: I was told I’d have to delete my account if I disagreed with anything in the document.
The Google complaint was filed in France on behalf of a user who couldn’t activate a new Android phone without the wholesale acceptance of Google’s new terms of service -- which say kinds of data will be collected whatever happens. Google, the complaint says, “relies on an overall bundled consent to anything contained in the privacy policy for Android phones, which includes several other products. This would also render consent invalid, as such consent would not be in any way ‘specific,’ but rather based on an ‘all or nothing’ approach.”
The Instagram and WhatsApp complaints, submitted in Belgium and Germany, are similar to the Facebook one: The social network’s general approach to complying with the GDPR is no different for Facebook-owned companies.
On NOYB’s web page, Schrems has listed the maximum penalties for violating the privacy regulation; they run in the billions of euros, and they looked nice in news headlines. But there will be protracted legal arguments before Facebook and Google are fined anything. The cases will move from privacy watchdogs to courts. Schrems will crowdsource his expenses, a few euros at a time, as he’s done before. The US internet giants will splash millions on defenses meant to wear him out. It may take years.
Perhaps someday a court will decide that our consent to their terms of service wasn’t given freely. Fines will be paid, and new consent forms will be pushed to us.
It’s not beyond the engineering powers of both Facebook and Google to provide users with a simple checklist so they could pick what they’re willing or not willing to allow. They decided instead to take their chances with the legal process.
That’s not a trust-inducing policy. It’s also shortsighted. Papua New Guinea, a nation of 8 million next to Australia, has just moved to shut down Facebook for a month, ostensibly to give it time to get rid of fake accounts and illegal content. Such drastic measures haven’t been aired in Europe yet, but open contempt for the rules could easily lead to regulatory escalation. Uber found that out the hard way in Europe; as a result it will probably never be able to build the kind of presence in Europe that it did in the US. It could be even worse for Facebook and Google, which have built up near-monopoly power in Europe: Losing revenue because of adverse regulation is more painful than not being able to increase it.
By Leonid Bershidsky
Leonid Bershidsky is a Bloomberg Opinion columnist covering European politics and business. -- Ed.