Privacy Ref Blog

Here We Go Again….

Not one to sit idly, twiddling his thumbs while the digital world goes by unchecked, Max Schrems has struck again. As you may recall, Schrems, a young Austrian attorney who became the EU champion of privacy rights, was the driving force behind having the EU-US Safe Harbor rule nullified. Now, on May 25, 2018, his non-profit organization, NOYB (which is actually a slang acronym for “None of Your Business”), celebrated the official implementation of the GDPR by filing four separate complaints against the digital giants Google and Facebook (can you say “déjà vu”?), and two of Facebook’s subsidiaries, Instagram and WhatsApp.

The complaints, filed by the David-ish organization on behalf of four individual EU residents, allege that these digital Goliaths are violating the GDPR by not giving their users a free choice as to whether to grant the companies access to their personal data. Instead, according to NOYB, the companies only provide for “forced consent,” meaning that users will not have access to the proffered services unless consent is provided. NOYB claims this practice violates Article 7(4) of the GDPR and runs contrary to the guidance provided by the Article 29 Data Protection Working Party in November 2017. In that guidance, the Working Party opined that:

The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.

[Quoted from the Article 29 Working Party Guidelines on Consent under Regulation 2016/679, Adopted on 28 November 2017, as last Revised and Adopted on 10 April 2018, at pg. 5.]

Interestingly, rather than file the complaints in the jurisdictions where the companies maintain their EU headquarters (i.e., Ireland) as per Article 77 of the GDPR, NOYB filed the complaints where the individuals reside – France, Belgium, Hamburg, and Austria. Thus, there will be four distinct Data Protection Authorities reviewing identical claims and, possibly, reaching conflicting results, absent a concerted effort at collaboration and coordination in deference to the “One Stop Shop” concept of the GDPR.

Having just returned from an overseas trip where the hotel required me to consent to the collection and use of my personal information to use their “free” wifi (the term “free” being debatable in this instance), I can fully appreciate NOYB’s position. In any event, as the complaints will be testing the GDPR in many other aspects for the first time (i.e., One Stop Shop, jurisdiction, the ability of a non-profit to file claims on behalf of individuals, and, in the event of adverse rulings, the penalties to be assessed), this will be a very interesting matter to watch. So, find a comfy chair, grab some popcorn, and let the games begin.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on July 8, 2018 by Kelly Cheary

« »

No Responses

Comments are closed.

« »

Subscribe to our mailing list

Please fill out the form below.


Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to or call (888) 470-1528.


May 31, 2019

We are now offering Privacy Professional Training from the IAPP at our Houston and Nashua offices in addition our Delray Beach location.

Latest Blog Posts

June 13, 2019

Fifty States, Fifty Laws

The big news lately is that individual states are proposing their own privacy laws. California has the California Consumer Protection Act and now New York and Maine have also proposed laws. There has been discussion of a federal law, however it seems unlikely that any kind of landmark legislation on privacy passes through to be signed. How is a business to be ready for up to 50 different laws?

Continue reading this post...

June 12, 2019

Privacy Comes at a Price
At Apple’s World Wide Developers Conference last week, the message was all about Privacy. Apple has been more privacy-minded than other tech companies – that’s not news and it’s why I have an iPhone. They’ve introduced some interesting privacy features, such as showing location tracking, which I think is pretty cool. I don’t leave my location setting on, rather turn it on when I need directions and then back off. It’s tedious, but I’m not confident that when I’ve turned off location services, apps aren’t tracking me even though I said “no”. Sadly, I don’t think no means no on the Internet. So, I’ll be able to see if I’m right or wrong. Continue reading this post...

Other Recent Posts