Google & Facebook Facing $8.1 Billion in Lawsuits on Day 1 of GDPR Roll-Out
Wow. Will write more on this and update this blog post soon. Companies need to be aware of how to protect themselves from GDPR and other privacy violation exposures.
A lawsuit against Google, Facebook, WhatsApp and Instagram was filed by NOYB (European Center for Digital Rights), an Austrian non-profit. The complaints could result in $8.1 billion in GDPR penalties.
The GDPR requires that firms obtain "explicit consent" from customers in order to use their data. Under the GDPR, the EU can fine firms up to 4% of global annual turnover or $23.4 million, whichever is greater, for violations. Individual users will be entitled to compensation from organizations where their rights are breached, even if they do not suffer material damage.
The basic allegation here is that Google, Facebook, WhatsApp and Instagram are in violation of the GDPR because they have "forced consent" from users to obtain the right to use their data. For example, Facebook has been accused of "blackmail" by giving its users only 2 options: accept the new rules and hand over more data than needed to operate the service, or deactivate their account. Also, Facebook is accused of using fake red dots suggesting new messages, which the user could only see if they agreed to the new terms of service.
Many see these legal complaints as "tests" of the EU's new GDPR. Here are a few more requirements:
- One Month Rule. When a user seeks to obtain the details of the data an organization is processing about them, including the details of the other parties it is being shared with, the organization must respond to the request within one month and will not be permitted to charge for processing the request.
- Transparency. Organizations are obligated to process data in a transparent way in line with the accountability principles built into the regulation.
- Right to be Forgotten. With a few caveats, individuals have the right to fully erase their data.
- Right to Withdraw Consent. Users have the right to withdraw their consent at any time.
The solution for many companies is to appoint a data-protection officer who must be independent in their role and be able to advise the organization on data-protection issues at the highest level within the organization.