GDPR claims first victim

August 1, 2018 by

The long arm of the European Union’s General Data Protection Regulations (GDPR) – a set of rules that strengthen people’s rights over personal information – has claimed its first victim: facebook

Facebook said that it had lost 1 million monthly active users in Europe following the introduction of the GDPR in May this year. The GDPR has onerous requirements for the processing of personal data and GDPR claims first victimrequires that consumers know what their personal information is being used for.

Consequently, facebook had to change its privacy policies to continue accessing private information for advertising purposes. To do so it needed the free consent of its users.

1 Mio EU based users, who did not consent to the new privacy policy, can no longer use their facebook account.

Yet, the GDPR prohibits such forced consent and any form of bundling of services with the requirement to consent (see Article 7(4) GDPR). Generally, consent can only be a lawful basis for the processing of personal data, if a person has actual control and a genuine choice with regard to accepting or declining the privacy terms.

Article 4(11) of the GDPR defines consent as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Facebook made user’s consent part of a non-negotiable privacy statement and such ‘consent’ would  be presumed to not have been freely given. On the other hand, users cannot withdraw their consent without losing access to their account.

Facebook users do not really have a choice in this matter. If they wanted to continue using their accounts, they needed to accept the privacy policy which appears to be a breach of  the GDPR.

This is also a reminder to Australasian business to take privacy and data protection seriously when doing business in Europe.

Facebook has been entangled in a cascade of privacy debacles. Facebook has recently been fined £500,000 pounds by the UK privacy commission and is subject to a class action following its involvement in the Cambridge Analytica scandal.

We may well be witnessing the beginning of the end of facebook.