Privacy Ref Blog

Here We Go Again….

Not one to sit idly, twiddling his thumbs while the digital world goes by unchecked, Max Schrems has struck again. As you may recall, Schrems, a young Austrian attorney who became the EU champion of privacy rights, was the driving force behind having the EU-US Safe Harbor rule nullified. Now, on May 25, 2018, his non-profit organization, NOYB (which is actually a slang acronym for “None of Your Business”), celebrated the official implementation of the GDPR by filing four separate complaints against the digital giants Google and Facebook (can you say “déjà vu”?), and two of Facebook’s subsidiaries, Instagram and WhatsApp.

The complaints, filed by the David-ish organization on behalf of four individual EU residents, allege that these digital Goliaths are violating the GDPR by not giving their users a free choice as to whether to grant the companies access to their personal data. Instead, according to NOYB, the companies only provide for “forced consent,” meaning that users will not have access to the proffered services unless consent is provided. NOYB claims this practice violates Article 7(4) of the GDPR and runs contrary to the guidance provided by the Article 29 Data Protection Working Party in November 2017. In that guidance, the Working Party opined that:

The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

[Quoted from the Article 29 Working Party Guidelines on Consent under Regulation 2016/679, Adopted on 28 November 2017, as last Revised and Adopted on 10 April 2018, at pg. 5.]

Interestingly, rather than file the complaints in the jurisdictions where the companies maintain their EU headquarters (i.e., Ireland) as per Article 77 of the GDPR, NOYB filed the complaints where the individuals reside – France, Belgium, Hamburg, and Austria. Thus, there will be four distinct Data Protection Authorities reviewing identical claims and, possibly, reaching conflicting results, absent a concerted effort at collaboration and coordination in deference to the “One Stop Shop” concept of the GDPR.

Having just returned from an overseas trip where the hotel required me to consent to the collection and use of my personal information to use their “free” wifi (the term “free” being debatable in this instance), I can fully appreciate NOYB’s position. In any event, as the complaints will be testing the GDPR in many other aspects for the first time (i.e., One Stop Shop, jurisdiction, the ability of a non-profit to file claims on behalf of individuals, and, in the event of adverse rulings, the penalties to be assessed), this will be a very interesting matter to watch. So, find a comfy chair, grab some popcorn, and let the games begin.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on July 8, 2018 by Kelly Cheary

« »

No Responses

Comments are closed.

« »

Subscribe to our mailing list

Please fill out the form below.


Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to or call (888) 470-1528.


April 16, 2018

IAPP Training Classes
Privacy Ref is proud to announce that we are an official training partner of the IAPP. You now have the opportunity to learn from one of our knowledgeable privacy professionals using the most respected training content in the industry. The robust interactive training offered, aids in the understanding of critical privacy concepts. The contents of the courses are integral to obtaining your privacy certifications and to educate your new team. Learn more here.

Latest Blog Posts

November 12, 2018

My path towards privacy
My path towards a career in the privacy field was a circuitous route. As a perennially engaged Political Organizer and activist, information privacy and data management would not have been the most obvious path for my next endeavor. However, after serving on a campaign that featured the most famous political data breach in history, privacy and the importance of data management came crashing into my life. Continue reading this post...

November 2, 2018

A few weeks ago, I made it to Austin, TX for the Privacy Security and Risk Conference being held by the IAPP. As always, it was a great conference with pros and those who have only just begun as privacy professionals. One of the most interesting aspects of the conference was the focus on the newest US based privacy regulation, the California Consumer Protection Act. While not being in California, it was obviously the center of the conversation as many eyed this upcoming regulation as the next possible GDPR. Continue reading this post...

Other Recent Posts