In the lead-up to the EU’s General Data Protection Regulation (“GDPR”) becoming effective on May 25, little attention was paid in the U.S. to the private right of action that the GDPR creates. But so far, private actors have filed approximately 24 cross-border GDPR complaints with EU regulators.
At least four significant complaints were filed on May 25 by privacy activist Max Schrems—who brought down the U.S.-EU Safe Harbor Framework in 2015—and his non-profit organization, None of Your Business (“NOYB”). Schrems filed complaints with several national data protection authorities against Google and other U.S. technology companies alleging that they “forced” users to consent to their privacy policies by offering only one alternative—agree to the policy or lose all access to the companies’ services.
The complaints call for investigations by the supervisory authorities and, under Article 83, propose fines of up to 4% of the companies’ worldwide annual turnover of the preceding year (the maximum possible fine under the GDPR).
We are in the early days of the GDPR, and there is still great uncertainty as to the scope and potential impact of its private right of action, but the complaints highlight the potentially significant role that private actors may end up playing in GDPR enforcement.
Generally, individuals have two ways to vindicate an alleged infringement of their privacy rights under the GDPR. First, under Articles 77 and 78(2), they can lodge a complaint against the infringing company with a supervisory authority, and if the supervisory authority fails to conduct an investigation, the private actor can seek a judicial remedy against the supervisory authority. Second, under Articles 79 and 82, the private actor can seek a judicial remedy directly against the infringing company for damages. Additionally, Article 80(1) allows a non-profit organization—like NOYB—to represent (and even receive compensation on behalf of) an individual, as long as the organization’s statutory objectives are in the public interest and the organization is active in the space of data rights.
For now, NOYB is using the first approach in its complaints. It is requesting that supervisory authorities in France, Belgium, Germany, and Austria investigate the allegations of forced user consent. However, the results of those investigations could form a basis for subsequent private complaints against the companies, particularly if the authorities bolster NOYB’s infringement claims and indicate that they believe there was harm to the users.
In addition to a full investigation, NOYB requests that, pursuant to Article 58(2), the supervisory authorities stop all illegitimate processing operations by the companies and impose “effective, proportionate and dissuasive” fines under Article 83.
This may become an important issue for some U.S. companies, and we will be closely watching the GDPR’s private rights of action and providing updates here on any significant developments. The Davis Polk Cyber Portal 2.0, which is now available to assist Davis Polk clients with their cybersecurity and data privacy obligations, includes several new GDPR resources.
The authors gratefully acknowledge the assistance of summer associate Mathew Elder in preparing this entry.