First GDPR Complaints Filed Against Facebook, Google, Instagram and WhatsApp

Within hours of the European Union’s new General Data Protection Regulation (GDPR) going into force on May 25th, a new non-profit – the European Center for Digital Rights (aka “noyb” for none of your business) – filed actions against Facebook, Google, Instagram and WhatsApp seeking between 1.3 and 3.7 billion euros in penalties.

| Company | Authority | Maximum Penalty | Complaint |
| --- | --- | --- | --- |
| Google (Android) | CNIL (France) | € 3.7 billion | PDF |
| Instagram | DPA (Belgium) | € 1.3 billion | PDF |
| WhatsApp | HmbBfDI (Hamburg) | € 1.3 billion | PDF |
| Facebook | DSB (Austria) | € 1.3 billion | PDF |

Taking advantage of Article 80 of the GDPR, which enables data subjects to assign their claim to non-profit associations, renowned European privacy advocate Max Schrems has formed noyb and filed these claims on GDPR’s first dawn.

As explained in noyb’s press release:

GDPR prohibits “bundling”. The GDPR prohibits such forced consent and any form of bundling a service with the requirement to consent (see Article 7(4) GDPR). Consequently access to services can no longer depend on whether a user gives consent to the use of data. On this issue a very clear guideline of the European data protection authorities has already been published in November 2017 (link).

Separation of necessary & unnecessary data usage. An end of “forced consent” does not mean that companies can no longer use customer data. The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent. With this complaint we want to ensure that GDPR is implemented in a sane way: Without just moving towards “fishing for consent”.

Putting an end to annoying pop-ups. If the complaints of noyb.eu are successful, it will also have a very practical effect: Annoying and obtrusive pop-ups which are used to claim a user’s consent, should in many cases be a thing of the past.

Schrems sees these complaints as a “crucial test” of how Europe’s Data Protection Authorities [DPAs] will enforce GDPR, which permits penalties of up to 4 percent of global revenue. “[W]e do not expect that DPAs will use the full penalty powers, but we would expect a reasonable penalty, given the obvious violation.”

Schrems’ next target is “the illegal use of user data for advertising purposes or ‘fictitious consent’.”

Images courtesy of noyb.