The Privacy Lawyer Giving Big Tech an $8.8 Billion Headache

At midnight last Friday, the European Union’s long-awaited new data-protection rules, known as the General Data Protection Regulation, officially kicked in.

Forty-eight minutes later, Facebook and Google got their first taste of how troublesome the new European privacy regime could be.

At 12:48 a.m. Brussels time, an Austrian privacy advocacy group filed the first of its four complaints against the Silicon Valley tech giants. The nonprofit organization NOYB — short for “none of your business” — claimed that Google and Facebook, along with two of Facebook’s subsidiaries, WhatsApp and Instagram, failed to give European users specific control over the use of their data, in violation of the new rules.

The complaints, which were filed in France, Belgium, Germany and Austria, ask regulators to impose fines of as much as $4.3 billion on Google’s parent company, Alphabet, and $1.5 billion each on Facebook, Instagram and WhatsApp — roughly 4 percent of each company’s 2017 revenue, the maximum penalty allowed under the G.D.P.R.


Even for cash-flush tech giants, those would be painful checks to write.

The architect of NOYB’s campaign is Max Schrems, 30, an Austrian lawyer who has made a career of hounding American tech giants over their data-collection practices. Several years ago, when he was still in law school, Mr. Schrems took on Facebook with a series of legal complaints, claiming the social network was violating European data protection laws.

Later, Mr. Schrems successfully challenged the “Safe Harbor” policies that let tech companies store data about Europeans in the United States. That case sent shock waves through the tech industry, and made him a hero among digital privacy hawks. Edward Snowden, the whistle-blower and activist, declared that Mr. Schrems had “changed the world for the better.”

I spoke with Mr. Schrems on Monday, several days after the start of his new privacy crusade. He said that while the timing of his latest volley was mainly symbolic — the organization had been preparing complaints against Facebook and Google for months — its substance was very real.

Mr. Schrems, in Vienna, contends that tech companies are in effect leaving users no choice but to agree to their data policies.CreditHeinz-Peter Bader/Reuters

“It was important to point that out the first day, that this is not compliant,” Mr. Schrems told me. Facebook and Google, he said, have “fundamentally tried to ignore or redefine” the new European laws by forcing users to consent to wide-ranging data collection, without telling them exactly how their data would be used.

“All of these cases should be absolutely won,” he added.

Tech companies never thought that Europe’s data collection rules would be painless. But they may not have anticipated the chaos that unfurled last week, as lawyers rushed to tease apart the law’s complications and companies barraged people with messages about their new, G.D.P.R.-compliant privacy policies.

As other countries also look to establish their own European-style privacy regulations, the potential impact of the G.D.P.R. across the globe has turned a feeding frenzy of ambitious lawyers, lobbyists and activists into a kind of crowdsourced rule-making process that will ultimately determine how the new rules are enforced.

There has already been fallout from the G.D.P.R. in the digital media and advertising industries, where the new rules caused several American publications to shut themselves off to European users and the market for certain invasive types of digital advertising dried up. Faced with the prospect of stiff penalties, a few smaller American tech companies threw up their hands and stopped serving Europe altogether.

As global companies, Facebook and Google don’t have the option of cutting off the Continent. In statements, both companies defended their data collection practices, saying they fully complied with the new European regulations.

“We have prepared for the past 18 months to ensure we meet the requirements of the G.D.P.R.,” Erin Egan, Facebook’s chief privacy officer, said in a statement. “We have made our policies clearer, our privacy settings easier to find, and introduced better tools for people to access, download and delete their information.”

A Google spokesman, Al Verney, said, “We build privacy and security into our products from the very earliest stages and are committed to complying with the E.U. General Data Protection Regulation.”

At the core of Mr. Schrems’s complaints is the question of whether tech companies are giving people realistic choices about how their data is collected and used.

Like many companies, Facebook and Google, which developed the Android mobile operating system, prompted users last week to accept new terms of service that explained their data collection particulars. Facebook members who declined to accept the new terms were unable to log into their accounts. Android users who didn’t agree to the new terms were, in effect, locked out of their phones.

Mr. Schrems said these all-or-nothing privacy policies violated the G.D.P.R.’s requirement that consent be particularized and “freely given.” To comply with the law, he said, large tech platforms need to give privacy-conscious users the option of sharing certain types of data but not others.

Realistically, Mr. Schrems said, “you’re not going to walk away from all your friends on Facebook.”

Opponents of the G.D.P.R. have said the law could end up backfiring by making it harder for smaller companies, which don’t tend to have huge teams of European legal experts at their disposal, to compete with the American tech giants. It could mean that European users are required to pay more for certain internet services, to offset reduced advertising revenue. (The Washington Post is already offering an ad- and tracking-free “premium E.U. subscription” that costs 50 percent more than a regular subscription.) In a worst-case scenario, it could turn Europe into a kind of technological dead zone, a place where influential American tech companies simply refuse to tread.

Mr. Schrems shrugged off these concerns. The European market is too lucrative for companies like Google and Facebook to abandon, he said. And he doesn’t believe that social networks and search engines would suffer unduly if they were forced to be more judicious about how they collected fine-grain data about people for the purposes of selling more ads.

“You can still make a lot of money without microtargeting,” he said.

Mr. Schrems’s quest is far from finished. Regulators could decide not to pursue investigations, expensive litigation could drag on for years, and Silicon Valley companies are furiously adding lobbyists to try to influence the nascent rule-making process.

But if these types of complaints succeed — and it’s not entirely crazy to think that they could, given the current antipathy toward American tech giants and the satisfaction that European officials might take in kneecapping a few of them — it could be a watershed moment for large tech companies.

“Massive fines in this case would have pretty significant repercussions,” said Courtney M. Bowman, a lawyer at the firm Proskauer Rose who specializes in international privacy law. “It would be a strong signal from the E.U. authorities that this isn’t just a law that’s on the books that isn’t going to be enforced,” she said.

Whether or not Facebook and Google end up paying billion-dollar fines, it’s clear that the G.D.P.R. has already introduced a new, scary variable into Silicon Valley’s privacy calculations. If tech giants know that privacy wonks like Mr. Schrems are watching their moves carefully, probing for openings to file complaints against them — and now, they undoubtedly do — they will need to think twice before adding new, privacy-invading features.

“It’s about who has control over information in an information age,” Mr. Schrems said. “Who has power over all this stuff?”

Email Kevin Roose at, or follow him on Facebook at and on Twitter: @kevinroose.


Previous articleHow to Secure Your Work Place Data
Next articleStrategic Planning Meeting Produces New Vision and Mission for ARMA

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.