So it didn’t take long for Max Schrems to use the GDPR to file his first complaint. For those of you who don’t know Max Schrems, he’s the privacy lawyer who successfully challenged Facebook Ireland to prohibit the transfer of data from Ireland to the US.
The challenge led to the Safe Harbour framework being invalidated and the new Privacy Shield framework coming into effect.
It didn’t take Max more than a couple of hours to file a complaint stating that both Facebook and Google are coercing their users into accepting their data protection policies. The complaints call into question the business model of these companies, where ‘free’ services are provided in exchange for the user agreeing to be profiled by way of data collected on how they use data. As of May 25, my own Facebook account required that I either accept its policies or delete my account.
I’m sure many of you experienced the same thing. I’ve still not accepted it and still not deleted it. It’ll be interesting to see how these complaints play out as there seems to be a pretty large gap between how Schrems reads the GDPR and how Facebook has chosen to implement it.
Misuse of data
But it’s not only Schrems’ complaint. Facebook has also been sued for data misuse in Spain, where it faces a class action suit. The Spanish OCU (Organisation of Consumers and Users) is suing Facebook for $230 per Facebook user in Spain because of its misuse of personal data. The complaint focuses on two major tenets of the GDPR: Facebook’s failure to inform users about how their data will be used and its failure to obtain consent for that use.
So we knew the big tech companies would be targeted quickly, but what’s the immediate lesson here for smaller and mid-sized companies? Make sure you’ve got your privacy policies in place, make sure they’re accurate and, if you’re using consent as your legal basis, make sure consent practices are in place.
To find out first-hand about all aspects of GDPR compliance, including consent, take a free trial of GDPR365.