In the run-up to Friday 25 May 2018, many organisations were hopeful that the European Supervisory Authorities would adopt a softly-softly approach to enforcing GDPR; however, this was to overlook certain key user-driven aspects of the Regulation, including:
- Article 77 - which provides data subjects with the right to lodge complaints with a Supervisory Authority, alleging that the processing of their personal data infringes GDPR;
- Article 78 - which provides data subjects with the right to an effective judicial remedy against a Supervisory Authority for failure to handle any such complaints; and,
- Article 80 - which allows data subjects to mandate a not-for-profit organisation to exercise these rights on their behalf.
In this way, the impact of the implementation of GDPR was felt at once, as not-for-profit organisations immediately lodged data subjects' complaints across Europe against some of the largest global technology and social media companies:
- On 25 May 2018 itself, four complaints alleging breaches of GDPR were lodged against Google (in France), Instagram (in Belgium), WhatsApp (in Germany) and Facebook (in Austria), by "None of Your Business" ("NOYB"), a privacy NGO created by privacy activist and lawyer, Max Schrems, acting on behalf of a single data subject for each complaint, and requesting that maximum fines of 4% of worldwide annual turnover be imposed upon each company.
- On 28 May 2018, similar complaints were filed against Facebook, Google, Apple, Amazon and LinkedIn in France by a French digital rights group, Quadrature du Net ("La Quad"). Each of La Quad's complaints are brought on behalf of around 9,000 to 10,000 data subjects, and La Quad also indicated that they intend to bring similar complaints against Android, WhatsApp, Instagram, Skype and Outlook.
Underlying all of the lodged complaints is that GDPR requires companies to have at least one of six lawful bases for processing personal data. Here, the targeted companies all opted to base their processing activities on consent, which is a lawful basis for such activity under Article 6. However, the complaints assert that these companies are acting in violation of the conditions for consent set forth under Article 7, which include the requirements that consent be given freely, and can be withdrawn at any time. Recital 43 explains that consent is presumed not to be freely given when there is a clear imbalance between the data subject and the controller, and also if the provision of a service is dependent on the consent despite such consent not being necessary for performance the service. All of the complaints lodged by NOYB and La Quad allege that the targeted companies have adopted a "take it or leave it" approach to consent, and therefore are exploiting their market dominance by forcing data subjects to consent to the processing of their personal data for a purpose beyond that which is necessary (in this case sharing or using data for targeted advertising) because, unless individuals agree to give their consent, they are unable to use the service.
As the first test of the new regime, the regulatory response to these first complaints is being followed with great interest around the world, not least because fines against any of the targeted companies could run to billions of dollars. Aside from the amounts of any fines, we are closely monitoring the shape of the investigations themselves, differing approaches between the Supervisory Authorities, how the Supervisory Authorities handle the potential floodgate issue of identical complaints being alleged against the same companies but lodged by different consumer groups with different Supervisory Authorities, and crucially, whether any fines that ultimately are issued are insurable.