Privacy activism in the era of the GDPR
Tips to be on the "good guys" side
14 September 2018
The privacy "scandals" that have erupted in recent years – from the revelation of the NSA's surveillance programs to the exposure of Cambridge Analytica's misuse of the data of millions of Facebook users – have put data protection at the forefront of the public debate. Against the backdrop of growing public concern over States' and companies' exploitation of personal data, some key participants in the debate – privacy activist groups (i.e. not-for-profit organisations advocating for privacy rights, either exclusively or alongside other rights such as consumer rights) – have naturally gained visibility.
Now, with the General Data Protection Regulation (GDPR), privacy activist groups can mobilise new tools to fight what they deem violations of rights and become even more visible. They can bring claims before data protection authorities and judicial actions before courts on behalf of individuals, or without a mandate from data subjects where local law allows it.
This is a step change compared to the regime that applied before the GDPR. Directive 95/46/EC only required EU Member States to allow individuals to seek judicial remedy to enforce their rights and pursue compensation, without envisaging that not-for-profit entities could play a role in that matter. EU Member States could freely decide what prerogatives to accord to privacy activist groups (if any), leading to a mosaic of regimes in the EU.
By granting privacy activist groups a role in seeking the enforcement of data protection rights, the GDPR will likely increase the probability that breaches are brought to the attention of authorities, investigated, and sanctioned. More concretely, what can privacy activist groups do under the GDPR? What have they done already? And how can companies mitigate the risk of being the targets of their campaigns?
How can privacy activist groups seek enforcement of people's rights under the GDPR?
Privacy activist groups can seek enforcement of the GDPR in two ways: (i) via representative actions on behalf of individuals and (ii) independently of any mandate.
(i) Firstly, a privacy activist group can be mandated by an individual to lodge a complaint before a data protection authority or act before a court. More precisely, a privacy activist group can on behalf of an individual:
- lodge a complaint with a data protection authority regarding processing that concerns that individual, either in the individual's place of residence, place of work or in the place of the alleged infringement;
- act before the courts where the controller or processor has an establishment or where the individual habitually resides. Not only can the privacy activist group pursue judicial remedy for this individual in case of infringement of his or her rights under the GDPR (e.g. the remedy can consist of an order for the controller or processor to cease the unlawful processing, or to erase unlawfully obtained personal data), it can also act before a court to recover material damage and non-material damage for the individual (e.g. distress) if local law allows it.
(ii) Secondly, the GDPR lets EU Member States decide whether to allow privacy activist groups, independently of any mandate, to lodge a complaint before competent data protection authorities and pursue remedies before courts if they consider that the rights of an individual under the GDPR have been infringed. Consequently, the powers of privacy activist groups will vary across EU Member States, depending on what the latter allow or do not allow.
What actions have privacy activist groups initiated since 25 May 2018?
Privacy activist groups have not waited to try their new powers. As soon as the GDPR became applicable, some have lodged complaints focused on the "consent" requirements of the GDPR against the most obvious targets, the "GAFAM".
First, NOYB – European Center for Digital Rights (founded by Max Schrems) lodged complaints before the French, Belgian, Austrian and Hamburg data protection authorities, against Google, WhatsApp and Facebook (including Instagram), all focused on their practice of requiring users to "consent" to privacy policies and terms of service, and each time on behalf of only one individual.
La Quadrature du Net then followed with complaints before the French data protection authority against Google, Apple, Facebook, Amazon and Microsoft, also centered on the "free and explicit consent" requirement, on behalf of more than 12 000 French residents. The mandates were obtained over 6 weeks via online forms.
This is just the beginning. Both NOYB and La Quadrature du Net plan further complaints against different companies and with different scopes, and other groups will certainly emerge in the future.
A few tips to mitigate the risk of being targeted by privacy activist groups
- Be GDPR compliant: Obviously, being compliant with the GDPR is the ultimate way to reduce the risk.
- Be totally prepared for breaches: Plan, communication strategy, relationships with stakeholders, "war games" to assess the level of preparedness... A data breach may not only trigger the notification obligations of the GDPR, it is also likely to draw the attention of privacy activists and engender complaints for failure to implement adequate security measures. Not to mention the impacts on the company's reputation...
- Foster a culture of transparency: Privacy activist groups will likely be less inclined to target a transparent company that explains in plain language to consumers what it does with their data, for which reasons, and offers them effortless ways to exercise their rights.
- Less is more: Go for a leaner approach to data processing: Processing less personal data – as encouraged by the GDPR data minimisation principle – leads to better control over data, better management of data subjects' requests and claims, and facilitates compliance more generally.
- Implement efficient processes to respond to consumer requests: Never underestimate consumer requests. Privacy complaints often arise from a single unanswered or badly managed data subject request.
- Organise a legal watch: Follow privacy activists' activities, to know which aspects of the GDPR preoccupy individuals the most and how data protection authorities and courts interpret legal requirements.
- Appoint a Data Protection Officer (DPO) even if not required: As the contact point for data subjects, the DPO is often in a position to defuse conflicts with individuals before they lodge complaints or mandate privacy activist groups to act on their behalf.