Google and Facebook hit by GDPR complaints

Complaints have been filed against Facebook, WhatsApp, Instagram and Google within hours of new EU data laws taking effect.

Privacy group Noyb said it filed the complaints because it believes the technology companies are using what it calls "forced consent".

As part of the new General Data Protection Regulation (GDPR), companies that gather data are required to gain consent, freely given, from users to collect and use their personal information.

However, the group argues that the firms have threatened to no longer offer services to those who do not consent to new terms of service.

Noyb chairman Max Schrems said: "Facebook has even blocked accounts of users who have not given consent.

"In the end users only had the choice to delete the account or hit the 'agree' button - that's not a free choice, it more reminds of a North Korean election process."

In response, a Google spokesman said: "We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation.

"Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU."

(Yui Mok/PA)
(Yui Mok/PA)

The complaints were filed in France, Belgium, Germany and Austria, and if upheld could see the firms hit with large fines under the new rules.

Facebook's chief privacy officer Erin Egan said: "We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.

"Our work to improve people's privacy doesn't stop on May 25. For example, we're building Clear History - a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward."

Noyb argues that there should be a separation between what it calls "necessary and unnecessary data usage", and that processing data for the purpose of targeted advertising is not a necessary purpose and should, therefore, have a separate consent option.

"The GDPR explicitly allows any data processing that is strictly necessary for the service - but using the data additionally for advertisement or to sell it on needs the users' free opt-in consent," it said.

"It's simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say 'yes' or 'no'," Mr Schrems added.