US Companies Sued for European Privacy Law Violations

As I blogged about recently, many US companies must now comply with European data privacy laws.

The new set of  European Union (EU) regulations is called the General Data Protection Regulation(GDPR).

If you’ve gotten a lot of emails recently from companies updating their privacy policies, the GDPR is why.

High Fines

Violating the GDPR can be very expensive. A company that fails to comply with the GDPR can be fined 4% of its annual revenue.

The GDPR went into effect at midnight on Friday, May 25, 2018.

As the New York Times reported, 48 minutes later, an Austrian privacy advocacy group filed the first of four complaints against Facebook and Google and Facebook’s WhatsApp and Instagram subsidiaries.

The group is called NOYB — short for “none of your business.”

The complaints were filed in Austria, Belgium, France, and Germany and ask regulators to impose fines up to $4.3 billion on Alphabet (Google’s parent company) and $1.5 billion each on Facebook and its subsidiaries.

Wunderkind

The brains behind NYOB is Max Schrems, a 30-year-old Austrian lawyer.

Despite his relevant youth, Schrems has had an outsized impact on privacy law.

As I blogged about previously, while Schrems was still a law student, and after he studied for a semester in the US, he launched a class action in Vienna on behalf of 25,000 Facebook users, claiming that the company had violated their privacy rights.

That case led to an EU court decision that the then-existing “Safe Harbor” framework for data transfers between the EU and the U.S. was invalid — and sent governments, companies, and lawyers scrambling for a solution that would allow internet-based businesses to continue more-or-less as usual.

A new EU-U.S. “Privacy Shield” program was adopted in July of 2016.

But the GDPR goes far behind the Privacy Shield program.

Pick and Choose

According to the Times, Schrems claims that the companies he sued weren’t compliant with the GDPR. He says that the defendants aren’t allowing users to pick and choose which types of data they share, as the law requires.

The GDPR is causing widespread headaches for Internet companies and for lawyers who have to wade through more than 100 pages of regulations in hopes of understanding the new law.

As the Times noted,

Tech companies never thought that Europe’s data collection rules would be painless. But they may not have anticipated the chaos that unfurled last week, as lawyers rushed to tease apart the law’s complications and companies barraged people with messages about their new, G.D.P.R.-compliant privacy policies.

Blocked

Some publications have even blocked European readers while they tried to figure out how to comply with the new law.

The market for certain types of invasive ads has also dried up, as Digiday reports:

Since the early hours of May 25, ad exchanges have seen European ad demand volumes plummet between 25 and 40 percent in some cases, according to sources. Ad tech vendors scrambled to inform clients that they predict steep drops in demand coming through their platforms from Google. Some U.S. publishers have halted all programmatic ads on their European sites.

Other countries are looking to adopt laws similar to the GDPR, which could cause further headaches for companies and their lawyers.