Even though the General Data Protection Regulation (GDPR) privacy law has just gone into effect today, it's already causing problems for two of the tech giants it was designed to limit – Facebook and Google.
Privacy advocacy group noyb.eu, led by chair Max Schrems, has filed four complaints that Google, Facebook and its owned properties, Instagram and WhatsApp, are forcing users to consent to targeted advertising if they wish to remain using the services.
"Facebook has even blocked accounts of users who have not given consent," Schrems said In a statement outlining the complaints. "In the end users only had the choice to delete the account or hit the “agree”-button – that’s not a free choice, it more reminds of a North Korean election process."
Additionally, noyb.eu noted that access to services no longer depends "on whether a user gives consent to the use of data," citing Article 7(4) of the GDPR. Schrems said "many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases."
Schrems also noted that if the tech giants are found guilty of violating the law, the initial fines would not be exceptionally large, given Google and Facebook's 2017 total revenues, but would definitely set a precedent.
"We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR," Schrems added.
If a company is found to be in violation of the law, it faces a fine of up to €20 million (approximately $23 million) or up to 4 percent of annual revenue, whichever is greater.
In April, Facebook outlined steps it would take to be compliant with GDPR.
In a statement to Fox News, a Google spokesperson said: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU."
Facebook's Chief Privacy Officer Erin Egan said the company has worked for 18 months to make sure it meets the requirements of GDPR.
"We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information," Egan said in a comment obtained by Fox News.
She continued: "Our work to improve people's privacy doesn't stop on May 25th. For example, we're building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”
The EU calls GDPR the most sweeping change in data protection rules in a generation, but there are some tricky issues surrounding its rollout.
Companies are trying to understand what level of protection different data needs, whether this could force them to change the way they do business and innovate, and how to manage the EU's 28 national data regulators, who enforce the law.
"Once you try to codify the spirit (of the law) — then you get unintended consequences," said Lars Andersen, whose London-based My Nametags business handles names and phone numbers of children. Andersen said: "There's been a challenge for us: What actually do I have to do? There are a million sort of answers."
EU countries themselves aren't quite ready for the new rules. Less than half of the 28 member states have adopted national laws to implement GDPR, though the laggards are expected to do so in the next few weeks, according to WilmerHale, an international law firm.
A source familiar with Facebook's thinking noted that GDPR recognizes that not all data and data uses are the same, meaning they are required to get specific consent for how certain types of data will be used, if at all.
The source added Facebook seeks its' users consent for certain types of data processing, including ads. "Some of our other types of data processing are necessary for us to fulfil the contract we have with users to provide a personalized, free service to people around the world – ‘contractual necessity’ under GDPR," the source said. "Other data processing is carried out in our legitimate interests, having balanced those against the impact on the individual. This approach is in line with many similar companies."
As with most EU-wide regulations, enforcement of the new data protection rules falls to national authorities. While the EU stresses that the law applies to everyone, one of the big outstanding questions is whether regulators will go after any entity that breaks the law or simply focus on data giants like Google and Facebook.
"As technology increasingly becomes the fabric of business and society, it's critical that it be trusted," David Kenny, SVP of IBM Watson and Cloud Platform, told Fox News. "IBM has been helping our customers to be ready for GDPR, and beyond that, we are calling on the entire tech industry to adhere to principles of ensuring all AI systems are secure, transparent and keep data private."
The new law comes at a time when advances in technology make data more valuable, and therefore raise the stakes in protecting it.
The ability to analyze everything from consumer purchases to medical records holds enormous potential, with suggestions that it will make us healthier, improve traffic flows and other good things for society. At the same time, it provides business with huge new opportunities for profit, with some experts putting the value of the global data economy at $3 trillion.
"Data is the new soil," said Adam Schlosser, the project lead for digital and trade flows at the World Economic Forum. "It serves as a foundational element for growth."
The Associated Press contributed to this story. Follow Chris Ciaccia on Twitter @Chris_Ciaccia