Schrems operates via a non-profit called None of Your Business (NOYB). His press release and the complaints are all to be found here with parallel versions in German, French, and English. He adds in the press release that the Irish Data Protection Commissioner is also likely to be involved – three of our huge whales have chosen to make their, or an, HQ, in Ireland.
NOYB has said that GDPR was supposed to give users a free choice, whether they agree to data usage or not. Not so in practice: tons of “consent boxes” popped up online or in applications, often combined with a threat that the service cannot longer be used if users do not consent.
Those that have come up with ornate ways of demanding consent might find it helpful to test their efforts against Schrems’ complaints. Take the Austrian complaint against Facebook. The gist is that a portmanteau series of consent forms (not really saying what Facebook will do with your data) is presented on a “take it or leave it” basis. You may have your own views about this if you have recently ticked all the boxes which FB wanted you to tick to carry on operating as before.
Many of us know the draconian measures which GDPR has given to EU countries’ supervising authorities, in our case, the Information Commissioners Office. NOYB say that these first complaints will be a crucial test of the law,
with a penalty of four per cent of global revenue, Google or Facebook would have to pay more than a billion euros for violating the law. Currently we do not expect that DPAs will use the full penalty powers, but we would expect a reasonable penalty, given the obvious violation.
There have been musings that GDPR was going to be a damp squib of the Y2K variety, (in retrospect) a somewhat confected attempt to persuade us that when the clock ticked to midnight and the new Millennium started, all our computers would crash, and chaos would reign. Y2K brought good business in for consultants and insurers willing to bet against these Nostradamus-like predictions.
Now the skies may not have fallen in this week, but Schrems at least is determined that things will not be as before. We will have to wait to see whether GDPR really makes a difference at a more mundane level, or as others have said, it (for EU nationals, at least) it is no more than a moderate strengthening of a data protection regime which has been in place for some years.