NOYB
NOYB – European Center for Digital Rights (styled as "noyb", from "none of your business") is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general.[1][2] The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members.[3] Currently, NOYB is financed by more than 4,400 supporting members.
Founded | June 12, 2017 |
---|---|
Founder | Max Schrems |
Type | Non-profit organization |
Registration no. | 1354838270 |
Location | |
Members | 4,400+ |
Key people | Max Schrems Petra Leupold Christof Tschohl |
Employees | 15 |
Website | noyb |
While many privacy organisations focus attention on governments, NOYB puts its focus on privacy issues and privacy violations in the private sector. Under Article 80, the GDPR foresees that non-profit organizations can take action or represent users.[4] NOYB is also recognized as a "qualified entity" to bring consumer class actions in Belgium.[5]
Notable actions
EU–US data transfers/"Schrems I" (2016)
The Irish Data Protection Commission (DPC) filed a lawsuit against Schrems and Facebook in 2016, based on a complaint from 2013, which had led to the so-called "Safe Harbor Decision". Back then, the Court of Justice of the European Union (CJEU) had invalidated the Safe Harbor data transfer system with its decision. When the case was referred back to the DPC the Irish regulator found that Facebook had in fact relied on Standard Contact Clauses, not on the invalidated Safe Harbor. The DPC then found that there were "well-founded" concerns by Schrems under these instruments too, but instead of taking action against Facebook, initiated proceedings against Facebook and Schrems before the Irish High Court. The case was ultimately referred to the CJEU in C-311/18 (called "Schrems II"; see Max Schrems#Schrems II). NOYB supported this private case of Schrems.
"Forced consent" complaints (2018)
Within hours after General Data Protection Regulation rules went into effect on 25 May 2018, NOYB filed complaints against Facebook and subsidiaries WhatsApp and Instagram, as well as Google (targeting Android), for allegedly violating Article 7(4) by attempting to completely block use of their services if users decline to accept all data processing consents, in a bundled grant which also includes consents deemed unnecessary to use the service.[6][7][8][9][10] Based on the complaint, the French data protection authority CNIL has issued a €50 million fine against Google.[11] The other cases are still pending.
Spotify case (2019)
Since Spotify is based in Sweden, the Swedish data protection authority (IMY) was responsible. However, this authority took its time. For over four years, no decision was made on the complaint against the streaming service. So in 2022, NOYB first filed a complaint for inaction in Sweden. The lawsuit was decided in favor of the privacy activists. The IMY then imposed a GDPR fine of 58 million Swedish kronor (about EUR 5 million) on Spotify.
Apple tracking case (2020)
In mid November 2020, NOYB announced that complaints were filed to both the German and Spanish Data Protection Authorities,[12][13][14] claiming "IDFA (Apple's Identifier for Advertisers) allows Apple and all apps on the phone to track a user and combine information about online and mobile behaviour".[15] In a slight change from their previous legal strategy in other similar cases, NOYB notes that, because the complaint is based on Article5(3) of the ePrivacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without appealing to EU Data Protection Authorities under the GDPR.
Open letter on GDPR cooperation mechanism (2020)
NOYB also focuses on putting pressure on regulators to enforce privacy laws on the books. In an open letter,[16] the NGO has accused the Irish Data Protection Commission of acting too slowly and having 10 meetings with Facebook before the coming into application of the GDPR.[17]
Schrems II – Court of Justice Judgment on Privacy Shield (2020)
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield and decided that Facebook and other companies that fall under US surveillance laws cannot rely on "Standard Contractual Clauses" (SCCs) since US surveillance laws were found to be conflicting EU fundamental rights. This judgement was based on a long lasting case of Max Schrems and NOYB. US companies' foreign customers' data are not protected from the U.S. intelligence services. The CJEU found that this violates the "essence" of certain EU fundamental rights.[18]
The Court has also clarified that EU data protection authorities (DPAs) have a duty to take action. The Court highlighted that a DPA is "required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence".[19]
Despite the invalidations made by the judgment, absolutely "necessary" data flows can continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is "necessary" to fulfil a contract.[20]
Mass complaints on EU–US data transfers (2020)
After the Schrems II judgment, B filed 101 complaints against EU/EEA companies against controllers using Google Analytics or Facebook Connect and thereby transferring data to the US despite the Court finding (link to Privacy Shield) that US surveillance laws violate the essence of EU fundamental rights. The organization thereby wanted to point out the lack of enforcement of Schrems II.[21][22] These model complaints led to the creation of a special taskforce by the European Data Protection Board (EDPB) which is tasked to coordinate the complaints and to prepare recommendations for controllers and processors.[23] On January 12, 2022, the Austrian Data Protection Authority (DSB) reached a partial decision in favour of NOYB, stating that the continuous use of Google Analytics violates the GDPR.[24] This decision affects most websites in the European Union since Google Analytics is the most common traffic analysis tool.[25]
Google Advertising ID tracking (2021)
On April 7, 2021, NOYB filed a complaint in France charging that Android users were being tracked by Google without giving consent.[26][27]
"Google's software creates the AAID without the user's knowledge or consent. The identification number functions like a license plate that uniquely identifies the phone of a user and can be shared among companies. After its creation, Google and third parties (e.g. applications providers and advertisers) can access the AAID to track users' behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU "Cookie Law" (Article 5(3) of the e-Privacy Directive) and requires the users' informed and unambiguous consent."[28][29]
Facebook and DPC complaint (2021)
NOYB filed a complaint against the Irish Data Protection Commissioner (DPC) for corruption and possible bribery in 2021 under Austrian law for an affair concerning Facebook.[30][31][32]
Administrative fine for Grindr over illegal sharing of user data (2021)
Together with the Norwegian Consumer Council, NOYB filed three strategic complaints against the dating app Grindr and several adtech companies over illegal sharing of users' data in January 2020. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr. Users could be identified through the data shared, and the recipients could potentially further share the data.[33] These complaints are based on the report "Out of Control" by the Norwegian Consumer Council.[34]
One year after the complaint was filed, the Norwegian Data Protection Authority upheld the complaint against Grindr, confirming that Grindr did not receive valid consent from users in an advance notification. The Authority imposed a fine of 100 million NOK (€9.63 million) on Grindr,[35] which was then reduced to 65 million NOK (€6.5 million) in the final decision since Grindr's actual revenue was lower than previously assumed and the company undertook measures to remedy deficiencies in their previous consent management platform.[36]
Action against the use of dark patterns in cookie banners (2021)
On August 10, 2021, NOYB filed 422 complaints against companies using deceptive cookie banners on their website. This wave of complaints was the outcome of a "Legal Tech" initiative by the organization in the course of which thousands of websites in Europe had been automatically checked for violations with a tool that was developed specifically for this purpose.[37][38] In response to those complaints an EDPB task force was set up to exchange views on legal analysis and possible infringements and to streamline communication.[39] In its effort to overcome the necessity of cookie banners, NOYB has also co-developed Advanced Data Protection Control together with the Sustainable Computing Lab of the Vienna University of Economics. The ADPC browser signal poses a feasible alternative to cookie banners through its automated mechanism for the communication of users' privacy decisions and data controllers' responses.[40][41]
Austrian Court: Google Analytics illegal in Europe (2022)
In early 2022, an Austrian court ruled that the use of Google Analytics on European websites was illegal. The case in question was filed in August 2020, from a Google user accessing an Austrian website for health related issues. The website used Google Analytics, and data about the user was transmitted to Google. The Google user complained to the Austrian data protection authority alongside NOYB. The issue at hand has a direct reference to Article 44 under GDPR, since the user cannot be afforded the correct level of protections established, thus making it a clear violation of GDPR.[42] France's data watchdog CNIL concurred with the Austrian ruling in mid February 2022.[43] Schrems duly commented:
This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.
Furthermore, in mid 2022, the Austrian DPA also ruled that Google's anonymization was insufficient in protecting user privacy, and that Article 44 of GDPR does not allow for a risk-based approach that Google had argued for.[44]
Other
NOYB also started a collaborative wiki on the General Data Protection Regulation, called GDPRhub.eu. On the webpage they collect English summaries of local GDPR decisions by Data Protection Authorities or Courts.
References
- "Austrian activist launches consumers' digital rights group". Associated Press. 28 November 2017. Archived from the original on 11 December 2017. Retrieved 10 December 2017.
- Scally, Derek (30 November 2017). "Time to tell tech firms that private data is 'none of your business' – Max Schrems". The Irish Times. Archived from the original on 30 November 2017. Retrieved 10 December 2017.
- Hill, Rebecca (29 November 2017). "Max Schrems launches privacy NGO, wins €60k within first 24 hours". The Register. Archived from the original on 29 November 2017. Retrieved 10 December 2017.
- "REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL". Official Journal of the European Union. Article 80 – Representation of data subjects. Retrieved 8 June 2020.
- "Moniteur Belge – Belgisch Staatsblad". Federal Public Service Justice. Retrieved 31 October 2020.
- "GDPR: noyb.eu filed four complaints over 'forced consent' against Google, Instagram, WhatsApp and Facebook" (PDF). NOYB. 25 May 2018. Archived (PDF) from the original on 25 May 2018. Retrieved 26 May 2018.
- "Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR". The Verge. Archived from the original on 25 May 2018. Retrieved 26 May 2018.
- "Max Schrems files first cases under GDPR against Facebook and Google". The Irish Times. Archived from the original on 25 May 2018. Retrieved 26 May 2018.
- "Facebook, Google face first GDPR complaints over 'forced consent'". TechCrunch. 25 May 2018. Archived from the original on 26 May 2018. Retrieved 26 May 2018.
- Meyer, David. "Google, Facebook hit with serious GDPR complaints: Others will be soon". ZDNet. Archived from the original on 28 May 2018. Retrieved 26 May 2018.
- "The CNIL's restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC". CNIL. Retrieved 8 June 2020.
- "SPANISH COMPLAINT UNDER ARTICLE 22(2) LEY 34/2002" (PDF). NOYB.
- "GERMAN COMPLAINT" (PDF). NOYB.
- "Apple tracks iPhone users without consent, claims activist Max Schrems". Financial Times. 16 November 2020. Retrieved 16 November 2020.
- "noyb files complaints against Apple's tracking code 'IDFA'". NOYB. 16 November 2020.
- "Open Letter on "confidential" dealings in Facebook case". NOYB. Retrieved 8 June 2020.
- "NOYB Annual Report 2020" (PDF). NOYB. 24 June 2021. Archived from the original on 28 December 2019. Retrieved 1 February 2022.
- "NOYB Annual Report 2020" (PDF). NOYB. 24 June 2021. Retrieved 1 February 2022.
- "JUDGMENT OF THE COURT (Grand Chamber)". CURIA. 16 July 2020. Retrieved 1 February 2022.
- "CJEU Statement – First Statement". NOYB. 24 June 2020.
- "101 Complaints on EU–US Transfers filed". NOYB. 17 August 2020. Retrieved 1 February 2022.
- "Max Schrems on the EU court ruling that could cut Facebook in two". TechCrunch. 26 August 2020. Retrieved 1 February 2020.
- "European Data Protection Board – Thirty-seventh Plenary session". NOYB. 4 September 2020. Retrieved 1 February 2022.
- "Partial Decision of the Austrian DSB" (PDF). NOYB. 13 January 2022. Retrieved 1 February 2022.
- "Usage statistics of traffic analysis tools for websites". W3Techs. 27 February 2019. Retrieved 1 February 2022.
- Boland, Hannah. (7 April 2021). "Google accused of tracking Android users without their consent". The Telegraph website Retrieved 9 April 2021.
- "Complaint filed to the Data Protection Authority of France" (PDF). NOYB. Retrieved 9 April 2021.
- "Buy a phone, get a tracker: unauthorized tracking code illegally installed on Android phones". NOYB. Retrieved 9 April 2021.
- "Max Schrems accuses Google of illegally tracking Android users". Financial Times. 4 June 2021. Retrieved 1 February 2022.
- "Facebook's lead EU privacy watchdog accused of corruption". TechCrunch. 23 November 2021. Retrieved 3 January 2022.
- "Irish DPC removes noyb from GDPR procedure – Criminal report filed". NOYB. Retrieved 3 January 2022.
- "First noyb "Advent Reading" from Facebook/DPC Documents". NOYB. Retrieved 3 January 2022.
- "Three GDPR Complaints filed against Grindr, Twitter and the AdTech companies Smaato, OpenX, AdColony and AT&T's AppNexus". NOYB. 14 January 2020. Retrieved 1 February 2022.
- "Report: Out of control". Forbrukerrådet. 14 January 2020. Retrieved 1 February 2022.
- "The NO DPA imposes fine against Grindr LLC". Retrieved 24 February 2022.
- "Norwegian DPA imposes fine against Grindr LLC". European Data Protection Board. 13 December 2021. Retrieved 1 February 2022.
- "noyb files 422 formal GDPR complaints on nerve-wrecking "Cookie Banners"". NOYB. 10 August 2021. Retrieved 1 February 2022.
- "noyb Takes Aim at "Cookie Banner Terror" While CNIL Enforces Cookie Guidelines". JD SUPRA. 2 July 2021. Retrieved 1 February 2022.
- "EDPB establishes cookie banner taskforce". EDPB. 27 September 2021. Retrieved 1 February 2022.
- "Advanced Data Protection Control (ADPC)". ADPC. Retrieved 1 February 2022.
- Human, Soheil; Schrems, Max; Toner, Alan; Gerben; Wagner, Ben (13 September 2021). "Advanced Data Protection Control (ADPC)". Vienna University of Economics and Business. Sustainable Computing Reports and Specifications. Retrieved 1 February 2022.
- Hanna (19 January 2022). "Google Analytics declared illegal in the EU". Tutanota. Hanover, Germany. Retrieved 16 February 2022.
- Mathieu Pollet (2 February 2022). "France joins Austria in finding Google Analytics illegal". Euractiv. Retrieved 16 February 2022.
- "UPDATE on 101 complaints: Austrian DPA rejects "risk based approach" for data transfers to third countries" (PDF). NOYB. 2 May 2022. Retrieved 3 May 2022.