Austrian privacy activist Max Schrems’ organization, NOYB – Center for Digital Rights, filed complaints against Google (Android), Instagram, WhatsApp and Facebook on May 25th, the same day on which the EU General Data Protection Regulation (GDPR) became effective. NOYB filed the complaints based on the GDPR with supervisory authorities in France, Belgium, Germany and Austria. These “Day 1” complaints could have a definite impact on ad-supported online businesses.
The complaints reflect similar criticisms of each company. Assuming that each company processes personal data on the basis of “consent,” the complaints allege that such consent is invalid under the GDPR. The complaints encourage EU supervisory authorities to investigate, prohibit processing based on the alleged invalid consent, and impose “effective, proportionate, and dissuasive” fines.
In particular, the complaints allege that these companies utilize users’ personal data for purposes outside of the provision of services to consumers, focusing especially on uses such as profiling or advertising. The complaints object that users cannot “freely” consent to such use of data because the companies fail to offer users the opportunity to continue using the services without such data use. The complaints allege an “imbalance of power” between these companies and their users, claiming that these companies use their “dominant market position” to force unfavorable terms on data subjects.
These complaints are yet to be resolved by EU supervisory authorities. If supervisory authorities adopt NOYB’s view, the impact could be significant for large internet companies. Effectively, such companies may be practically unable to rely upon consumer consent as a legal basis for processing EU personal data. Such an outcome could impact the ad-supported business model adopted by many large tech companies by forcing these companies to offer EU consumers a version of services which do not involve the collection or use of consumer data for advertising or marketing purposes.