Privacy Ref Blog

Here We Go Again….

Not one to sit idly, twiddling his thumbs while the digital world goes by unchecked, Max Schrems has struck again. As you may recall, Schrems, a young Austrian attorney who became the EU champion of privacy rights, was the driving force behind having the EU-US Safe Harbor rule nullified. Now, on May 25, 2018, his non-profit organization, NOYB (which is actually a slang acronym for “None of Your Business”), celebrated the official implementation of the GDPR by filing four separate complaints against the digital giants Google and Facebook (can you say “déjà vu”?), and two of Facebook’s subsidiaries, Instagram and WhatsApp.

The complaints, filed by the David-ish organization on behalf of four individual EU residents, allege that these digital Goliaths are violating the GDPR by not giving their users a free choice as to whether to grant the companies access to their personal data. Instead, according to NOYB, the companies only provide for “forced consent,” meaning that users will not have access to the proffered services unless consent is provided. NOYB claims this practice violates Article 7(4) of the GDPR and runs contrary to the guidance provided by the Article 29 Data Protection Working Party in November 2017. In that guidance, the Working Party opined that:

The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

[Quoted from the Article 29 Working Party Guidelines on Consent under Regulation 2016/679, Adopted on 28 November 2017, as last Revised and Adopted on 10 April 2018, at pg. 5.]

Interestingly, rather than file the complaints in the jurisdictions where the companies maintain their EU headquarters (i.e., Ireland) as per Article 77 of the GDPR, NOYB filed the complaints where the individuals reside – France, Belgium, Hamburg, and Austria. Thus, there will be four distinct Data Protection Authorities reviewing identical claims and, possibly, reaching conflicting results, absent a concerted effort at collaboration and coordination in deference to the “One Stop Shop” concept of the GDPR.

Having just returned from an overseas trip where the hotel required me to consent to the collection and use of my personal information to use their “free” wifi (the term “free” being debatable in this instance), I can fully appreciate NOYB’s position. In any event, as the complaints will be testing the GDPR in many other aspects for the first time (i.e., One Stop Shop, jurisdiction, the ability of a non-profit to file claims on behalf of individuals, and, in the event of adverse rulings, the penalties to be assessed), this will be a very interesting matter to watch. So, find a comfy chair, grab some popcorn, and let the games begin.

Posted on July 8, 2018 by Kelly Cheary
