A group that campaigns for data protection rights in Europe says it’s filed legal complaints against Google, Facebook, Instagram, and WhatsApp over the way they obtain users’ consent under new EU privacy rules – General Data Protection Regulation (GDPR). Starting Friday, companies that collect or process the personal information of EU residents must comply with new rules that protect the privacy of people’s data.
The group NOYB.EU – which stands for “none of your business” – claims its action could force the US Internet giants to pay up to EUR 7 billion ($8.2 billion). In a statement Friday, the group argued that the companies are making users’ consent to their new terms of service a requirement if they want to continue using the service. Those who object have to delete their account.
Max Schrems, a veteran of legal fights against Facebook and chair of the privacy group, said this amounts to “forced consent,” prohibited by the EU’s GDPR rules.
The rollout of the General Data Protection Regulation has been welcomed but is also causing confusion. Companies are trying to understand what level of protection different data needs, whether this could force them to change the way they do business and innovate, and how to manage the EU’s 28 national data regulators, who enforce the law.
That uncertainty, together with stiff penalties for violating the law, has convinced Internet-based businesses such as Unroll.me, an inbox management firm, and gaming company Ragnarok Online to block EU users from their sites. U.S. retailer Pottery Barn said it would no longer ship to EU addresses.
In Finland, the government says it has been contacted by households asking whether the law means they can no longer email invitations for a child’s birthday party.
The Finnish Justice Ministry’s Anu Talus told broadcaster YLE that the data privacy rules do not affect private households. The law only affects data that is intended for professional or commercial activities.
The broadcaster listed on Friday another case that had citizens puzzled. Should timetables for users of Finnish saunas, which show residents’ names, be removed from the facility? Finland’s Data Protection Ombudsman Reijo Aarnio said that was a “typical issue of interpretation,” adding it was probably fine to assume that a sauna schedule can be visible.
Separately, the Los Angeles Times is freezing readers in parts of Europe out of its website as new privacy rules come into force across the European Union.
Web users in Germany who visited the site Friday got a notice saying the L.A. Times is “engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market.”
It adds that the company is trying to “identify technical compliance solutions that will provide all readers with our award-winning journalism.”
Companies worldwide have been sending their customers notices in recent days informing about changes to their terms of service, as part of efforts to comply with the new European rules, known as the General Data Protection Regulation