Privacy Ref Blog

Here We Go Again….

Not one to sit idly, twiddling his thumbs while the digital world goes by unchecked, Max Schrems has struck again. As you may recall, Schrems, a young Austrian attorney who became the EU champion of privacy rights, was the driving force behind having the EU-US Safe Harbor rule nullified. Now, on May 25, 2018, his non-profit organization, NOYB (which is actually a slang acronym for “None of Your Business”), celebrated the official implementation of the GDPR by filing four separate complaints against the digital giants Google and Facebook (can you say “déjà vu”?), and two of Facebook’s subsidiaries, Instagram and WhatsApp.

The complaints, filed by the David-ish organization on behalf of four individual EU residents, allege that these digital Goliaths are violating the GDPR by not giving their users a free choice as to whether to grant the companies access to their personal data. Instead, according to NOYB, the companies only provide for “forced consent,” meaning that users will not have access to the proffered services unless consent is provided. NOYB claims this practice violates Article 7(4) of the GDPR and runs contrary to the guidance provided by the Article 29 Data Protection Working Party in November 2017. In that guidance, the Working Party opined that:

The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

[Quoted from the Article 29 Working Party Guidelines on Consent under Regulation 2016/679, Adopted on 28 November 2017, as last Revised and Adopted on 10 April 2018, at pg. 5.]

Interestingly, rather than file the complaints in the jurisdictions where the companies maintain their EU headquarters (i.e., Ireland) as per Article 77 of the GDPR, NOYB filed the complaints where the individuals reside – France, Belgium, Hamburg, and Austria. Thus, there will be four distinct Data Protection Authorities reviewing identical claims and, possibly, reaching conflicting results, absent a concerted effort at collaboration and coordination in deference to the “One Stop Shop” concept of the GDPR.

Having just returned from an overseas trip where the hotel required me to consent to the collection and use of my personal information to use their “free” wifi (the term “free” being debatable in this instance), I can fully appreciate NOYB’s position. In any event, as the complaints will be testing the GDPR in many other aspects for the first time (i.e., One Stop Shop, jurisdiction, the ability of a non-profit to file claims on behalf of individuals, and, in the event of adverse rulings, the penalties to be assessed), this will be a very interesting matter to watch. So, find a comfy chair, grab some popcorn, and let the games begin.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on July 8, 2018 by Kelly Cheary

