UK Markets open in 4 hrs 50 mins

Facebook, WhatsApp and Google accused of breaking new data protection law

Margi Murphy
WhatsApp is asking European users to consent to its data privacy policy - PA

Facebook and Google are some of the first companies to become subject to GDPR complaints just hours after the law came into effect.

The technology giants stand accused of breaching the law because of the way they force users to consent to their privacy policies, or face losing their accounts, in a move compared to the “North Korean election process”.

Europe-based privacy campaign group noyb.eu, led by Austrian privacy activist Max Schrems, on Friday filed four complaints against Facebook, WhatsApp and Instagram (which are owned by Facebook) and Google.

The group found issue with the pop-ups and threats that a users’ accounts would be deactivated if they did not agree to their information to being collected as per each company’s policy.

Mr Schrems said: "Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the 'agree' button – that’s not a free choice, it more reminds of a North Korean election process."

At a glance | Your data rights under GDPR

The General Data Protection Regulation is a new law that changes how personal data can be collected and used, affecting companies based outside Europe, if they offer services here.

To avoid liability, companies have been asking users or customers to opt in to their data collection policy or lose their account.

Noyb.eu claims that this is forbidden under the new law, which was drawn up to give consumers more transparency about how their information is used. If the complaints are upheld the companies could face fines. The maximum penalty is 20m or 4pc of global turnover, whichever is highest.

Companies block Europeans rather than comply with data law | Will the GDPR fallout continue?

The new law and the notion of consent does not mean that companies can no longer use customer data. The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs users’ consent.

Mr Schrems said: "It's simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’."

In the case of Google, the group is bringing a claim against its Android operating system, which anyone who activates a new phone must opt into for it to work. Within this policy, Noyb.eu points out, that the transfer of data, including "political, philosophical or religious beliefs, sexual orientation, health information" and the data's purpose is not transparent. 

The remaining three complaints against Facebook, WhatsApp and Instagram are being brought against Facebook Ireland. 

Technology intelligence - newsletter promo - EOA