Washington, DC - On day one of GDPR enforcement an Austrian privacy activists sues Google and Facebook

“Happy GDPR Day! You’ve been served.”

That’s how, in my head, Google and Facebook were served with a group of multi-billion dollar lawsuits on day one of GDPR enforceability. Chances are it didn’t happen like this at all, but please let me go on imagining a process server disguised as a cake deliveryman sneaking into Mountain View and Menlo Park and serving up some lawsuits.

Max Schrems, an Austrian privacy activist, has clearly been waiting for this day for a while. He’s suing Google for 3.7 billion Euros and Facebook for 3.9 billion. The lawsuits are further broken down to target specific products, such as Instagram, WhatsApp and Android OS.

Shrems has already told the Financial Times that, “they totally know that it’s going to be a violation… They don’t even try to hide it.”

Obviously, Google and Facebook disagreed, with Google saying:

“We build privacy and security into our products from the very earliest stages and are committed to complying with the EU GDPR.”

And Facebook responding with:

“We have prepared for the past 18 months to ensure we meet the requirements of the GDPR.”

The GDPR, which became enforceable today, requires that companies respect European citizens’ data rights by, among other things, providing data portability, the right to be forgotten and by making clear notifications that inform the data subject what is being collected and what it’s being used for.

It’s that last part the Schrems takes issue with. He claims that the companies are coercing users into accepting their data profiling practices.

“Facebook gave users the choice of deleting the account or pushing a button [to agree], that is blackmail, pure and simple.”

The lawsuits were filed across a number of jurisdictions, including Austria, Belgium and Hamburg, with the Android filing coming in France. It’s possible that the Facebook issue will be routed to the Irish Data Protection Commission as part of the GDPR’s One-stop Shop mechanism, as a result of Facebook’s EU headquarters being located in Dublin.

What makes these suits so interesting is that they are the first of their kind and will be the first practical application of the new regulations since they became enforceable.

One of the aspects of the GDPR that these suits will help to set precedent for comes with regard to the legal bases claimed as justification for the processing. For instance, Facebook’s Privacy Policy lists all six without mentioning what basis justifies what processing. Additionally, the suits argue that the data the services collect – using questionable consent practices – is not strictly necessary for the service being pitched. Instead the data is collected and processed for a different purpose – it’s used for advertising.

These lawsuits aim to prevent larger companies from extorting users for more data than is strictly necessary.

“The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.”

Obviously, springing these suits on day one is largely a political stunt, and I do wonder if the timing – before many DPAs have announced they will begin penalizing companies and before any case law has been established around the new regulation – may ultimately be a detriment to the cause.

But make no mistake about it, the suits have merit.

It will be interesting to watch them play out.