On the day GDPR regulation was released, four companies were both swiftly struck with lawsuits and potential fines. Facebook, Google’s Andriod OS, Instagram and WhatsApp are the companies at the heart of the data security complaints.

#News: Facebook, Google’s Andriod OS, Instagram and WhatsApp are the heart of the data security #GDPR complaints. Click To Tweet

Behind the lawsuits is the non-profit group known as None of Your Business (noyb.eu), with EU privacy activist Max Schrems as the driving force. The basis of these lawsuits detail that the tech company methods for obtaining user consent is a direct violation of the GDPR.

Currently, to give consent a user selects an ‘I accept’ box, the lawsuit claims that this method is vague and gives an inflexible choice to users. This is problematic. because users are not explained to what data is being used or why, how it correlates to the platform’s services and it suggests that in order to use the service you must comply.

What are the Lawsuits Filed?

The lawsuits that are filed detail each company’s vague conclusiveness in asking for user consent. All tech companies involved are supposedly asking for user consent without detailing what the consent is specifically for, and why it is necessary. Additionally, data is being collected for unnecessary and/or unrelated services.

Each company is accused of reworking the GDPR to meet their needs. Max Schrems declared,

“It almost seems like a coordinated effort to redefine the GDPR, in the sense of, ‘If we just do this for the next year or two, then everyone will accept this is just the way to do.’

The exact potential fines and complaints filed are listed below.

CompanyAuthority PenaltyComplaint
Google’s Android OSFrance€ 3.7 billionPDF
InstagramBelgium€ 1.3 billionPDF
WhatsAppHamburg€ 1.3 billionPDF
FacebookAustria€ 1.3 billionPDF


Max Schrems proclaimed,

“Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the agree button – that’s not a free choice.”

It’s a goal within these filings by the NOYB group that pop ups will be banished since they are used to capture consent and are intrusive to users.

What Does the GDPR State?

GDPR requires that companies provide consent to users. Also, GDPR states that any company asking for consent needs a legitimate reason and must demonstrate transparent consent.

In Article 7(4) of the GDPR, it states that forced consent is unallowed as well as any bundling type activity of consent services. In other words, for each task a company wishes to utilize an individual’s data for, they must explain and ask. All collected data must be necessary for the services a website performs per GDPR.

What Happens Next?

It’s too soon to tell if the companies accused will be found in non-compliance. If they are, it is sure to impact each company in means of operational and financial aspects.

For the data privacy group, None of Your Business, they have an arsenal of complaints at the ready. Their next goal is to approach the illegal use of individual data for advertisement purposes.

The lawsuits filed are directly linked to the fundamental meaning of GDPR. Do note that, the GDPR is expansive and travels many avenues. These complaints hit the core of data security, but there are many other stipulations within the GDPR that are likely to be assessed in the future. Companies should heed caution and ensure their platforms are compliant with GDPR regulations. Don’t miss a blog post. Sign up for the e-newsletter.