The First Day of the Rest of Our Lives? GDPR Activist Complaints Allege Shortcomings and Seek Maximum Penalties

This is not an email about what the General Data Protection Regulation (GDPR) is. We assume you've received dozens of those recently (including from us). As those emails promised, GDPR Day 1 finally came. And it began with a series of pre-dawn complaints filed with various EU privacy regulators.

An Austrian privacy activist filed complaints against Facebook and Google within hours of the  GDPR taking effect on Friday, May 25, 2018.

The complaints—lodged with regulators in Austria, Belgium, Germany, and France—primarily allege improper “forced consent.” They argue that consent mechanisms for accepting the terms and conditions of certain Google and Facebook products (including WhatsApp and Instagram) are improper under the new regulations because “the data subject has no genuine or real choice, feels compelled to consent[,] or will endure negative consequences if they do not consent.” The total maximum potential penalty sought in the complaints is €7.6 billion, according to a summary posted by the activist.

Early, non-governmental activism under GDPR like these complaints may be limited to large, headline-grabbing business, but EU Regulators likely will spring into action soon. “I’m sure you won’t have to wait for a couple of months,” Andrea Jelinek, head of the European Data Protection Board, told the Wall Street Journal on Friday. Still, early enforcement actions will likely involve serious or high-profile violations rather than minor infractions. Indeed, as EU administrative agencies undertake initial GDPR-driven high-profile investigations, the companies at issue should be able to thoughtfully engage and test the strength of the activist’s allegations.    

As you probably know by now, GDPR is not territorially limited to the EU, and American companies are taking seriously their new obligations towards EU residents and covered data. Many have been implementing technical and policy updates for months. Yet fearing large penalties—up to 4% of global revenue—some companies that were unable to ensure GDPR compliance by May 25 have chosen to block their sites from EU users. 

Blocking EU users may be an appropriate short-term risk-management tool for certain companies, but in reality, nearly half of 1,000 American businesses surveyed last month said they would not be GDPR-compliant by May 25th.

If your business is not yet GDPR-compliant, you have plenty of company. The Day 1 complaints filed against Google and Facebook are a stark reminder, however, that GDPR is here and its teeth are not limited investigations initiated by single-user complaints. Non-compliant businesses should prioritize the policy and technical changes needed to comply while other business—and EU regulators themselves—are also adjusting to this new data-privacy paradigm. For organizations that have not committed to ongoing data privacy compliance, enforcement, commercial and reputational risks will only increase as time passes.