The European Union’s General Data Protection Regulation (GDPR) just became effective a few days ago, on May 25, 2018. Yet, already Facebook is facing lawsuits regarding its data sharing practices. Max Schrems, an Austrian privacy activist, filed the lawsuits against Facebook, seeking large fines. The lawsuits are by product and include separate suits against Facebook and Facebook-owned WhatsApp and Instagram.
The GDPR requires companies to justify why they are collecting data on European users and states what they intend to do with the data. Companies must receive clear consent prior to collecting any personal information and keep strict records as to any data processing.
Facebook has been preparing for the GDPR over the past year and enforcing new policies to protect users’ data, but Schrems argues that these steps are not sufficient. Specifically, Schrems claims that the companies’ “all or nothing” approach to privacy—requiring users to click a box to access the service—is a violation of the GDPR. Rather, Schrems contends that the companies should let users decide exactly how their data is used at more of a case-by-case level.
Facebook argues that its privacy measures are GDPR compliant.
Over the past 18 months, companies of all sizes have wondered how the GDPR was going to be enforced. As we expected, it looks like it will take some GDPR-related lawsuits to interpret the regulation and set precedent as to its enforcement. While May 25, 2018, was the effective date, it was not the last we’ll hear of the GDPR.