It was reported last week, the day the General Data Protection Regulation (GDPR) came into effect, that Google and Facebook broke GDPR guidelines and face up to $8.8 billion in fines. Despite their sometimes strange methods of evading compliance, Facebook seems to have fundamentally misunderstood the scope of the regulation, as the European Center for Digital Rights (noyb.eu) has pointed out in a document they published.
The main grievance listed by noyb.eu is that Facebook, Instagram, WhatsApp, and Google did not get valid consent, because they obtained it by utilizing what looks, and feels, like a threat. It was around two months ago that I was told by an Instagram popup that if I did not accept their new privacy terms I would have my account deactivated (losing all the photos). Unfortunately, I have thousands of photos on Instagram that hold sentimental value to me, so this felt threatening and appeared to be a slightly softer version of extortion. It seems others have seen these messages in a similar light to myself. Mr. Schrems, chair of noyb.eu, stated about this scenario that, “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the “agree”-button – that’s not a free choice, it more reminds of a North Korean election process.”
In regard to this somewhat threatening method of collecting consent, Mr. Schrems explained that “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.” Similarly, if this tactic were translated into any other scenario, forced consent would not be allowed, as a consenting person must have the true intent to consent before the consent is considered valid.
Regardless, it appears that any data necessary for the normal operation of the site may be collected and no longer needs consent. It is only data resale that seems to require a consent form to be accepted. Mr. Schrems, in regard to this issue, explained that, “Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’.”
So, it appears that Facebook and Google were in violation of GDPR before it even took effect, due to their methods of obtaining users’ consent on their services. However, it remains to be seen whether or not this argument will hold up in court, given the tenacity of corporate legal teams.