Europe’s sweeping data protection law, General Data Protection Regulation (GDPR), came into force on Friday, 25th May, 2018. Legal experts now say big tech companies are already violating the new rules, reports CNNMoney.

Facebook (FB) and its subsidiaries, Whatsapp, and Instagram, as well as Google (GOOGL), are facing lawsuits for failure to comply with the General Data Protection Regulation (GDPR).

The companies could face billions of dollars in fines if European regulators agree they failed to comply.

“We are looking for big companies that really willfully violate the law, that kind of try to ignore it and try to get away with it,” said Max Schrems, an Austrian lawyer, whose NGO, None of Your Business, filed the lawsuits.

The complaint against Facebook was filed with Austrian data regulators, Google with French regulators, WhatsApp with German regulators and finally, Instagram with Belgian regulators, as soon as the law went into effect at midnight.

From Friday, European data regulators can impose fines of up to 4% of global annual sales each time the companies run afoul of the new law.

“There is no grace period,” James Dipple-Johnstone, the deputy commissioner of the UK’s data protection authority. “We will be looking at the algorithms they use to profit off data to make sure they are fair,” he added.

Schrems has been fighting Facebook over data protection for almost a decade. His earlier lawsuit successfully challenged Facebook’s ability to transfer data from the European Union to the United States. According to Schrems and other legal experts, Facebook is breaking a GDPR rule intended to prevent companies from hoovering up sensitive information like political opinions, religious beliefs, ethnicity and sexuality without their users’ consent.

Michael Veale, a Technology Policy Expert at University College London, said that even if users’ completely remove sensitive traits from their profiles, Facebook can still glean information such as sexual orientation by analyzing their behavior on the platform and other websites.

“Facebook has trackers on 40% of websites that are visited in the world,” Veale said. “So really, Facebook can infer things from the great amount of data it has about you from across your mobile devices and apps that also send data to Facebook. The law forbids Facebook from making these inferences without explicit consent.”

Testifying in front of the European Parliament leaders last Tuesday, Facebook CEO, Mark Zuckerberg insisted his company would follow the new regulations.

“We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information,” Facebook’s Chief Privacy Officer Erin Egan said in a statement emailed to CNNMoney.

Egan also said the company is building a new tool called “Clear History” which will allow users to “see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”

The suit against Google alleges that users of the company’s Android software are forced to turn over personal data to use an Android-powered mobile device.

The lawsuit alleges this “forced consent” amounts to a violation of GDPR, which guarantees individuals the right to consent, when companies want to collect and process their personal data.

Google told CNNMoney it is committed to complying with the new law.

Schrems says the new rules are tough enough to prevent the kind of data scraping that Cambridge Analytica did before the 2016 U.S. election. He is taking legal action to ensure GDPR is properly enforced.

“If we enforce this properly, we can actually get a balance in this digitalised age,” says Schrems. “In the end, you should be able to use Facebook without worrying 24/7 about your data,” he added.