ARTICLE
7 June 2018

GDPR - The First Complaints

CC
Clyde & Co

Contributor

Clyde & Co logo
Clyde & Co is a leading, sector-focused global law firm with 415 partners, 2200 legal professionals and 3800 staff in over 50 offices and associated offices on six continents. The firm specialises in the sectors that move, build and power our connected world and the insurance that underpins it, namely: transport, infrastructure, energy, trade & commodities and insurance. With a strong focus on developed and emerging markets, the firm is one of the fastest growing law firms in the world with ambitious plans for further growth.
Explore
Lexpert Firm Profile
In the run-up to Friday 25 May 2018, many organisations were hopeful that the European Supervisory Authorities would adopt a softly-softly approach to enforcing GDPR; however...
European Union Privacy
Photo of Charlotte Worlock
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

In the run-up to Friday 25 May 2018, many organisations were hopeful that the European Supervisory Authorities would adopt a softly-softly approach to enforcing GDPR; however, this was to overlook certain key user-driven aspects of the Regulation.

In the run-up to Friday 25 May 2018, many organisations were hopeful that the European Supervisory Authorities would adopt a softly-softly approach to enforcing GDPR; however, this was to overlook certain key user-driven aspects of the Regulation, including:

  • Article 77 - which provides data subjects with the right to lodge complaints with a Supervisory Authority, alleging that the processing of their personal data infringes GDPR;
  • Article 78 - which provides data subjects with the right to an effective judicial remedy against a Supervisory Authority for failure to handle any such complaints; and,
  • Article 80 - which allows data subjects to mandate a not-for-profit organisation to exercise these rights on their behalf.

In this way, the impact of the implementation of GDPR was felt at once, as not-for-profit organisations immediately lodged data subjects' complaints across Europe against some of the largest global technology and social media companies:

  • On 25 May 2018 itself, four complaints alleging breaches of GDPR were lodged against Google (in France), Instagram (in Belgium), WhatsApp (in Germany) and Facebook (in Austria), by "None of Your Business" ("NOYB"), a privacy NGO created by privacy activist and lawyer, Max Schrems, acting on behalf of a single data subject for each complaint, and requesting that maximum fines of 4% of worldwide annual turnover be imposed upon each company.
  • On 28 May 2018, similar complaints were filed against Facebook, Google, Apple, Amazon and LinkedIn in France by a French digital rights group, Quadrature du Net ("La Quad"). Each of La Quad's complaints are brought on behalf of around 9,000 to 10,000 data subjects, and La Quad also indicated that they intend to bring similar complaints against Android, WhatsApp, Instagram, Skype and Outlook.

Underlying all of the lodged complaints is that GDPR requires companies to have at least one of six lawful bases for processing personal data. Here, the targeted companies all opted to base their processing activities on consent, which is a lawful basis for such activity under Article 6. However, the complaints assert that these companies are acting in violation of the conditions for consent set forth under Article 7, which include the requirements that consent be given freely, and can be withdrawn at any time. Recital 43 explains that consent is presumed not to be freely given when there is a clear imbalance between the data subject and the controller, and also if the provision of a service is dependent on the consent despite such consent not being necessary for performance the service. All of the complaints lodged by NOYB and La Quad allege that the targeted companies have adopted a "take it or leave it" approach to consent, and therefore are exploiting their market dominance by forcing data subjects to consent to the processing of their personal data for a purpose beyond that which is necessary (in this case sharing or using data for targeted advertising) because, unless individuals agree to give their consent, they are unable to use the service.

As the first test of the new regime, the regulatory response to these first complaints is being followed with great interest around the world, not least because fines against any of the targeted companies could run to billions of dollars. Aside from the amounts of any fines, we are closely monitoring the shape of the investigations themselves, differing approaches between the Supervisory Authorities, how the Supervisory Authorities handle the potential floodgate issue of identical complaints being alleged against the same companies but lodged by different consumer groups with different Supervisory Authorities, and crucially, whether any fines that ultimately are issued are insurable.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Charlotte Worlock
Charlotte Worlock
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More