Privacy Ref Blog

Here We Go Again….

Not one to sit idly, twiddling his thumbs while the digital world goes by unchecked, Max Schrems has struck again. As you may recall, Schrems, a young Austrian attorney who became the EU champion of privacy rights, was the driving force behind having the EU-US Safe Harbor rule nullified. Now, on May 25, 2018, his non-profit organization, NOYB (which is actually a slang acronym for “None of Your Business”), celebrated the official implementation of the GDPR by filing four separate complaints against the digital giants Google and Facebook (can you say “déjà vu”?), and two of Facebook’s subsidiaries, Instagram and WhatsApp.

The complaints, filed by the David-ish organization on behalf of four individual EU residents, allege that these digital Goliaths are violating the GDPR by not giving their users a free choice as to whether to grant the companies access to their personal data. Instead, according to NOYB, the companies only provide for “forced consent,” meaning that users will not have access to the proffered services unless consent is provided. NOYB claims this practice violates Article 7(4) of the GDPR and runs contrary to the guidance provided by the Article 29 Data Protection Working Party in November 2017. In that guidance, the Working Party opined that:

The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

[Quoted from the Article 29 Working Party Guidelines on Consent under Regulation 2016/679, Adopted on 28 November 2017, as last Revised and Adopted on 10 April 2018, at pg. 5.]

Interestingly, rather than file the complaints in the jurisdictions where the companies maintain their EU headquarters (i.e., Ireland) as per Article 77 of the GDPR, NOYB filed the complaints where the individuals reside – France, Belgium, Hamburg, and Austria. Thus, there will be four distinct Data Protection Authorities reviewing identical claims and, possibly, reaching conflicting results, absent a concerted effort at collaboration and coordination in deference to the “One Stop Shop” concept of the GDPR.

Having just returned from an overseas trip where the hotel required me to consent to the collection and use of my personal information to use their “free” wifi (the term “free” being debatable in this instance), I can fully appreciate NOYB’s position. In any event, as the complaints will be testing the GDPR in many other aspects for the first time (i.e., One Stop Shop, jurisdiction, the ability of a non-profit to file claims on behalf of individuals, and, in the event of adverse rulings, the penalties to be assessed), this will be a very interesting matter to watch. So, find a comfy chair, grab some popcorn, and let the games begin.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on July 8, 2018 by Kelly Cheary

