BEUC study: Facebook, Google, Apple, Amazon all fail GDPR

Remember all those endless emails and app notifications about how important your privacy is to tech firms?

That was all about those firms having to obey new European privacy rules, officially known as the GDPR. But a new study from a European consumer group has found that most popular tech companies are falling short of properly obeying the rules.

The consumer group, BEUC, found post-GDPR privacy policies from 14 companies including Apple, Amazon, Facebook, and Google are “vague” and “insufficient.” BEUC used artificial intelligence to scan every firm’s privacy policy, comprising more than 80,000 words in total.

Monica Goyens, director general of the European consumer group, said: “A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law. This is very concerning. It is key that enforcement authorities take a close look at this.”


According to the analysis, Facebook doesn’t tell users about how it might use sensitive information that is protected under GDPR, such as religious and political views. While Facebook tells users these are protected categories, it doesn’t actually state how the company might use that data should you choose to give it up.

Facebook also doesn’t properly explain why it needs people’s device data, how people can opt out of tracking on Facebook, and how third parties might use people’s information.

BEUC criticised Google’s language as “unclear” on how it uses people’s information for advertising or other purposes. The group also found Apple’s collection of voice and image data worrying, and said the firm didn’t give a good enough explanation of how it gathers that information.

And it criticised Amazon for making a “vague threat” to users who don’t hand over personal data. Specifically, Amazon tells users who don’t disclose their data that some features won’t be available to them — but the company isn’t clear about what those features are.

None of the companies immediately responded to a request for comment.


The new rules are seen as a way of controlling the big Silicon Valley firms. They face fines of up to 4% of their annual turnover if they don’t comply with the legislation.

Aside from fines, the tech firms are also under threat from lawsuits. BEUC said it was considering legal action. And its report follows $8 billion (£6 billion) in GDPR-related lawsuits filed by the Austrian privacy activist and lawyer Max Schrems.