Max attacks: Schrems launches €7bn worth of GDPR cases in Europe

25 May 2018

Max Schrems during a visit to Dublin in 2015. Image: Connor McKenna

Austrian data privacy activist Max Schrems is quick off the mark and is already taking Facebook and Google to task under GDPR.

As the General Data Protection Regulation (GDPR) becomes law in Europe today (25 May), Austrian privacy campaigner Max Schrems has already launched legal broadsides against internet giants.

Schrems has filed three complaints worth a total €3.9bn against Facebook and its subsidiaries, WhatsApp and Instagram, via regulators in Austria, Belgium and Germany. He has also filed another complaint worth €3.7bn in France, focused on Google’s Android mobile operating system.

These first legal tests of GDPR strike at the heart of the business models of giants such as Facebook and Google, which provide free online services in return for the harvesting of your data – once you have granted your consent, that is.

In Ireland this morning, Data Protection Commissioner Helen Dixon – recently described by The New York Times as “one of tech’s most important regulators” – said that GDPR is about “allowing society benefit from the good in technology but ensuring we are protected from the harms of excessive and unfair processing”.

The latest complaints filed by Schrems and his crowdfunded group None of Your Business (NOYB) centre on the notion of consent as a legal basis for processing people’s data.

Max pain

There is no doubt that Schrems is a massive and inconvenient pain in the backside for tech giants who see people as the product and just want to get on with making money from your data, and rewarding shareholders.

But, in truth, Schrems has been prophetic about what has come to pass, especially if you look at the recent Cambridge Analytica data scandal.

Under the complaints, NOYB alleges that users are being railroaded or coerced into granting consent in order to access services.

“Facebook has even blocked accounts of users who have not given consent,” said Schrems in a statement.

“In the end, users only had the choice to delete the account or hit the ‘agree’ button – that’s not a free choice; it more reminds of a North Korean election process.

“Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”

Schrems said the purpose of the cases is to enable better European coordination.

The crux of the matter is whether data needs to be actually gathered at all (and consent granted) in order to provide some of these services. According to NOYB, GDPR prevents forced consent and any form of bundling a service with the requirement of consent.

In plain English, Schrems does not want to see corporate sleight of hand when it comes to users volunteering their data in exchange for something they are told is free. And users should be told why their data is needed.

NOYB points out that GDPR explicitly allows any data processing that is strictly necessary for the service, but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.

“It’s simple: anything strictly necessary for a service does not need consent boxes any more. For everything else, users must have a real choice to say ‘yes’ or ‘no’,” Schrems said.

Interview with Max Schrems

Three years ago, ahead of Schrems’ pivotal court battles with Facebook and before most people even knew what GDPR was, we caught up with Schrems during a visit to Dublin. His views then are just as valid today.

Max Shrems interview, part 1

Max Shrems interview, part 2

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years