Europe’s sweeping data protection law came into force on Friday. And legal experts say big tech companies are already violating the new rules.
Facebook (FB) and its subsidiaries Whatsapp and Instagram, as well as Google (GOOGL), are facing lawsuits for failure to comply with the General Data Protection Regulation (GDPR).
The companies could face billions of dollars in fines if European regulators agree they failed to comply.
“We’re looking for big companies that really willfully violate the law, that kind of try to ignore it and try to get away with it,” said Max Schrems, an Austrian lawyer whose NGO, None of Your Business, filed the lawsuits.
The complaint against Facebook was filed with Austrian data regulators, Google with French regulators, WhatsApp with German regulators and Instagram with Belgian regulators as soon as the law went into effect at midnight.
From Friday, European data regulators can impose fines of up to 4% of global annual sales each time the companies run afoul of the new law.
“There is no grace period,” James Dipple-Johnstone, the deputy commissioner of the UK’s data protection authority. “We will be looking at the algorithms they use to profit off data to make sure they are fair,” he added.
Schrems has been fighting Facebook over data protection for almost a decade. His earlier lawsuit successfully challenged Facebook’s ability to transfer data from the European Union to the United States.
The next battleground with the company is GDPR.
According to Schrems and other legal experts, Facebook is breaking a GDPR rule intended to prevent companies from hoovering up sensitive information like political opinions, religious beliefs, ethnicity and sexuality without their users’ consent.
Michael Veale, a Technology Policy Expert at University College London, said that even if users’ completely remove sensitive traits from their profiles, Facebook can still glean information such as sexual orientation by analyzing their behavior on the platform and other websites.
“Facebook has trackers on 40% of websites that are visited in the world,” Veale said. “So really, Facebook can infer things from the great amount of data it has about you from across your mobile devices and apps that also send data to Facebook. The law forbids Facebook from making these inferences without explicit consent.”
Testifying in front of the European Parliament leaders on Tuesday, Facebook CEO Mark Zuckerberg insisted his company would follow the new regulations.
“We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information,” Facebook’s Chief Privacy Officer Erin Egan said in a statement emailed to CNNMoney.
Egan also said the company is building a new tool called “Clear History” which will allow users to “see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”
The suit against Google alleges that users of the company’s Android software are forced to turn over personal data to use an Android-powered mobile device.
The lawsuit alleges this “forced consent” amounts to a violation of GDPR, which guarantees individuals the right to consent when companies want to collect and process their personal data.
Google told CNNMoney it is committed to complying with the new law.
Schrems says the new rules are tough enough to prevent the kind of data scraping that Cambridge Analytica before the 2016 U.S. election. He’s taking legal action to ensure GDPR is properly enforced.
“If we enforce the properly, we can actually get a balance in this digitalized age,” says Schrems. “In the end, you should be able to use Facebook without worrying 24/7 about your data,” he added.