Europe's General Data Protection Regulation (“GDPR”) became effective last Friday, May 25. That same day, the non-profit NOYB (from the colloquial “none of your business”) filed lawsuits against Google, together with Facebook, and Facebook-owned businesses Instagram and WhatsApp (collectively “Facebook”). The lawsuits seek a combined 7.6 billion Euros (about US$8.8 billion) from these companies. Other organizations that process information relating to individuals in the EU should take notice, as similar lawsuits will inevitably follow.
GDPR is the European Union’s new data-protection regulation. Unlike its predecessor, the Data Protection Directive (which applied only to organizations established in the EU, i.e. those that had offices, personnel, or services in the EU), the GDPR applies to organizations “offering goods or services” to, or that “monitor” the “behavior” of, individuals in the EU. This extra-territorial application has left non-EU organizations scrambling to revise their data collection and privacy practices. Although guidance from the EU suggests that the incidental processing of personal data of individuals in the EU may not be sufficient to cause an organization to be subject to GDPR, any organization with a website offering goods or services to individuals in the EU, or monitoring their behavior, would be wise to determine whether it is subject to GDPR.
The GDPR departs from its predecessor, and most other regulations, in another important way: enforcement is not restricted to regulatory authorities or individual claims. Instead, the GDPR allows non-profit organizations to file lawsuits on behalf of individuals as part of a collective redress effort. There have been rumblings for months that Max Schrems, a long-time privacy activist and thorn in Facebook’s side, was amassing a war chest to fund a non-profit. Schrems didn’t disappoint. NOYB, the organization bringing the suit on behalf of four individual users, is the product of his efforts.
In a nutshell, the lawsuits allege that Google and Facebook violate the GDPR by offering users a “take it or leave it” consent option that robs users of a “free choice” and fails to comply with the requirement for consent to be specific to the particular purpose for which the data is to be processed. In other words, users must authorize Google and Facebook to use their personal information for a broad array of purposes or the users will be denied access to Google and Facebook’s services. The lawsuits don’t allege the individual users suffered any actual damages (nor could they realistically have been injured in the few hours the GDPR was effective before the suits were filed). They allege only that Google and Facebook’s consent options violate the GDPR. The price tag for these violations? Up to four percent of the companies’ global revenues—the maximum penalty that can be imposed for GDPR violations.
Some US organizations, especially those without a physical presence in the EU (and possibly not subject to the EU’s jurisdiction) may ask why this matters. After all, there is no obvious mechanism for regulatory authorities or non-profit organizations to enforce the GDPR outside of Europe. But US organizations are coming under increasing public scrutiny for their data privacy practices, and all states now have some form of data breach/data privacy law on the books. Also now looming over US businesses is a California ballot initiative, the California Consumer Privacy Act, that would subject any company using data collected from California residents to requirements similar to those found in the GDPR. This law could have far-reaching effects on US organizations doing business with California residents without some of the enforcement questions currently dogging the GDPR.