On the 25th of May, it seemed like every company in the world just randomly decided to update their privacy policies. Well, this is no coincidence, I can assure you. It was also on this day that the European Union’s General Data Protection Regulation, otherwise known as GDPR, was officially enforced, fundamentally changing the relationship between unsuspecting users and data-harvesting, monopolistic tech giants across the globe.
Nobody was ready for GDPR, the mysterious EU laws that far exceed their intended jurisdiction. Theory suggests the law would only apply to citizens within the EU. Practice, however, shows online services are willing to outright change their entire data policies just to avoid the legal headaches.
According to a new report from The Verge, the law is even taking on the usual suspects of techno-violations, Facebook and Google, who are now staring down the barrel of $8.8 billion in major lawsuits for privacy damages — regardless of where the data is being processed or where the company collecting it is headquartered. GDPR, recognizing the international nature of the internet, dictates that any company that offers service within those 28 countries, home to 508 million EU residents, must comply with the laws of the single market or face the accountability of the courts for damages.
Simply put, the requirements dictate:
- Firms must notify users of a data breach within 72 hours of discovering user data has been compromised.
- They must request user consent in a clear, accessible, particular way, meaning they must receive informed consent on every usage without coercion from administrators.
- They must allow what’s known as “data portability,” meaning users can ask for a copy of their information, and firms need their consent to ship it off to others.
The lawsuits, set to cost Facebook €3.9 billion and Google €3.7 billion, were filed by NOYB.eu (None of Your Business), the privacy group led by Austrian lawyer and data privacy activist Max Schrems, known for being a fierce critic of the companies for their continuous scandals surrounding data harvesting.
Schrems, speaking with the BBC, said the case is in breach of GDPR because of the “take it or leave it approach” the companies employ — meaning customers are presented with a long list of fine-print legal jargon stating they must agree to have their data harvested, shared with unscrupulous third parties and targeted for advertising, or else they can’t use the site and are left to delete their accounts.
“The GDPR explicitly allows any data processing that is strictly necessary for the service — but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent,” said noyb.eu in their legal statement. “GDPR is very pragmatic on this point: whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”
They went on to quote this public comment from Schrems:
“Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”
Schrems is right on this point. Forcing people to fill in a one-time-only consent box upon their first user login, hiding their opt-out options under countless online rabbit holes, is a form of “coercing” users that violates the strict particularized penalties outlined under GDPR. Users within the EU, and frankly around the world, should know their fundamental data rights, whether under current law in the EU or under some form of internet bill of rights, as some have suggested and as TrigTent has reported on in the past.
If a company were to be caught enforcing these shady tactics under GDPR, wherein informed consent hasn’t been provided, and the companies haven’t provided users their complete list of personal data upon request within 30 days, the cost of violation could be astronomical.
Under the new EU laws, maximum fines per violation amount to 4 percent of a company’s global turnover, which could crush small and medium tech businesses if found in violation of user rights, and force large-scale corporations to take user data seriously or face saying goodbye to billions of euros.
“It could bring some control to the Wild West of the third parties operating on these platforms,” said Karen Kornbluh, senior fellow for digital policy at the Council on Foreign Relations, according to Vox.
Democratic Rep. Ro Khanna, representing California’s 17th district of South San Francisco Bay, quite literally the heart of elitist Silicon Valley, has proposed similar policies within the United States; however, the land of the free has taken a back seat on online liberty compared to European legislators.
“I think it’s fair to say that [Europe] is leading global policy on privacy and data protection, and they’re doing it at a time when they see the US system has been severely deficient,” Bill Kovacic, Commissioner for the Federal Trade Commission (FTC), told Vox earlier this year. “The [tech] policymaking capital is not Washington, it’s Brussels.”