VIENNA / LONDON (Reuters) – When the new Data Protection Act came into force on Friday, an activist wasted no time in asserting the additional rights people get over the data that companies want to collect about them.
This take-it-or-leave-it approach, Schrems told Reuters Television, violates people's right under the General Data Protection Regulation to freely choose whether companies may use their data.
"You must have a yes or no," Schrems said in an interview he had taken in Vienna before filing the complaints in various European jurisdictions.
The GDPR revises the data protection laws in the European Union, which preceded the rise of the Internet. Most importantly, companies that breach the rules impose fines of up to four percent of global sales.
This brings potential sanctions to the list of antitrust fines imposed by Brussels, which cost billions of dollars on Google.
Andrea Jelinek, who heads both the Austrian Data Protection Authority and a new European Data Protection Board, said she expects complaints to arrive as soon as the law enters into force in the 28-member European Union.
SCOURGE OF FACEBOOK
Schrems was a 23-year-old law student when he first joined Facebook and has since fought against Mark Zuckerberg's social network ̵
In 2015, he won an important ruling by the European Court of Justice that lifted a "safe harbor" agreement that allowed companies to transfer personal data from the EU to the US, where privacy is less stringent.
Regarding the GDPR, he recently set up a non-profit organization called Noy of Your Business (noyb.eu), which is planning legal steps to enable the Tech Titans to collect data which they sell targeted advertising.
With his laptop on the table of a traditional Viennese coffee house, Schrems showed how a pop-up message on Facebook agrees to use his data – and how it is blocked if he refuses.
"The only way is really to accept, otherwise you can no longer use your Facebook," explains Schrems.
"As you can see, I have my messages there and I can not read them if I do not agree."
Erin Egan, Facebook's privacy officer, said in a statement that the company had been preparing for 18 months to comply with the GDPR by making its policies clearer and privacy settings easier to find.
Facebook, which has more than 2 billion regular users, has also said that advertising allows it to stay free, and that the entire service, including advertising, should be personalized based on user data.
Schrems said Instagram, a younger-favorite photo-sharing network, and WhatsApp, the encrypted messaging service – both owned by Facebook – also use pop-ups, to get approval bar users who reject.
The action of Noyb against Google refers to new smartphones with Android operating system. Buyers need to share their data or "own a 1,000-euro brick" that they can not use, said Schrems.
Google did not respond immediately to a comment.
noyb submits the four lawsuits to the data protection authorities in France, Belgium, Germany and Austria. The following litigation may be in Ireland, where both Facebook and Google have their European headquarters.
An application filed against Facebook on behalf of an Austrian asks the country's DPA to investigate and, if necessary, prohibit data processing on the basis of invalid consent.
He also calls on the regulator to impose "effective, proportionate and dissuasive" fines, as foreseen in the GDPR, which could amount to 1.3 billion euros (1.5 billion US dollars) in the case of Facebook.
"So far it has been cheaper to simply ignore privacy," says Schrems. "Now, hopefully, it will be cheaper to follow them because the penalties are so high."
Additional coverage by David Ingram in San Francisco and Julia Fioretti in Brussels; Letter from Douglas Busvine; Editing by Keith Weir