Member in the Spotlight: noyb

This is the 12th article of the series “EDRi member in the Spotlight” in which our members have the opportunity to present themselves and their work in depth.

Today we get to know more about noyb – none of your business, which has been part of the EDRi network as a member since 2018.

noyb Q&A

1. Who are you and what is your organisation’s goal and mission?

noyb (none of your business) is a non-profit privacy organisation with a pan-European scope of activities.

We aim to stop privacy violations in the private sector by focusing on the enforcement of EEA data protection legislation (the GDPR) by closing the gap between law and reality by collectively enforcing citizens’ rights: many companies do not comply with the strict data protection laws in Europe. Since it is usually too complicated and expensive for individuals to claim and enforce their rights, these companies are not likely to change their practices without external pressure.

noyb files complaints with EU data protection authorities and lawsuits in courts on behalf of the individuals whose data are processed in violation of the GDPR. We strategically select cases with high impact, serious GDPR violations and/or immediate effect on the rights of a large number of individuals.

noyb uses best practices from consumer rights groups, privacy activists, hackers, and legal tech initiatives and merges them into a stable European enforcement platform.

2. How did it all begin, and how did your organisation develop its work?

noyb was established in 2018 in Vienna (Austria) and is the brain child of Max Schrems – an Austrian lawyer and privacy activist. Max is well-known among privacy professionals for having brought a number of successful legal cases in the area of privacy and data protection. His cases against Facebook at the Court of Justice of the EU (invalidating the EU-US Safe Harbour Agreement and the EU-US Privacy Shield) were widely reported. To continue with high-impact enforcement work, Max set up a professional privacy NGO that brings cases against large corporations on behalf of users. He was ultimately able to realise his vision through noyb.

Alongside Max, noyb’s Board of Directors consists of Christof Tschohl, a lawyer and privacy expert, and Petra Leupold, a lawyer and consumer rights expert. Within two years, noyb grew to a team of 14 staff.

Together with the many new enforcement possibilities under EU data protection regulation (in particular the GDPR), noyb is able to pursue privacy cases in a more effective manner. To date, noyb has submitted over 130 complaints against companies in all EU/EEA jurisdictions. In addition, several court cases brought by noyb are pending before the Austrian and Irish courts.

In the future, noyb is planning to bring more cases directly in other EU courts in order to discover alternative avenues of effective GDPR enforcement. Furthermore, noyb also makes use of PR and media initiatives to emphasise and ensure the right to privacy without having to file complaints and lawsuits with a data protection authority or court.

Ultimately, noyb has been joining forces with existing organisations, resources and structures to maximise the impact of the GDPR. A crucial part of noyb’s work is done in cooperation with other organisations, many of which are members of EDRi. noyb has established relations with over 40 NGOs across the EU/EEA.

3. The biggest opportunity created by advancements in information and communication technology is…

Thanks to information and communications technologies, we are easily connected to others, to news, to information and media, and to various content on the internet (working from home, remote visits of a museum, eGov, etc.). All this is made possible with the use of fast connections, cheap devices, and high volumes of data.

Given the above, advancements in ICT provides a huge opportunity for individuals to shift the power imbalance with oligopolistic entities by creating new structures/dynamics of decentralised cooperation and knowledge sharing.

4. The biggest threat created by advancements in information and communication technology is…

While one can reach the whole world through the internet, it is not surprising that the technology sector has become globalised: our data is transferred around the globe, and can be subject to surveillance by third countries that do not share European standards.

In addition, the constant connections and the vast amount of data collected make it virtually impossible for people to know where their data ends up, and to know how to exercise effective control over their data: the digital environment has become too complex, too fast and too opaque to be understandable by the average user.

That is why the biggest threat is the increasing complexity of its development around the globe: consequently, citizens keep losing control of their data, despite strong legal frameworks like the GDPR. We are aware that there will always be a certain gap between legal requirements and the technological and economic reality – but currently the level of non-compliance with the GDPR among some industries is simply outrageous. We see it as our mission to narrow this gap as much as possible.

Finally, insights created from people’s data trails are oftentimes not used for the benefit of developing individuals, society, and humanity as a whole. Instead, the dominant economic models and many governmental approaches and policies rely on intrusive, constant, and hidden monitoring of people for financial gain or population control.

5. Which are the biggest victories/successes/achievements of your organisation?

We consider every change that leads to a more privacy friendly environment a success. It is always satisfying to see organisations revising their practices after reading our reports or seeing our successful enforcement actions. We are also pleased to see people telling us about the higher level of freedom of choice they get because companies revise their practices and ask their users for informed, specific and free consent.

Among the achievements from enforcement actions, one of our biggest accomplishments is the victory at the CJEU in the case C‑311/18 (so-called “Schrems II”). We believe that it is an important ruling that reiterates the CJEU’s statement in 2016 in the “Schrems I” case, namely, that the GDPR requires a high level of protection of European data within the EU/EEA but also beyond its borders. We also celebrated the outcome of our complaint against Google that we filed in 2018 (the day the GDPR became applicable). This resulted in the French data protection authority (CNIL) issuing a record-breaking fine of 50 million euros against Google. This fine was fully upheld by the French court.

6. If your organisation could now change one thing in your country, what would that be?

noyb is not operating in any specific country, but throughout the EU/EEA. While Member States all committed to the rule of law, having well-funded Data Protection Authorities (DPAs) and access to justice in many Member States is still not as easy as it should be. We are hoping that many more Member States take the opportunity to e.g. implement Article 80 of the GDPR fully, fund their DPAs properly or improve the procedural law that governs DPAs. At the same time, we also hope that some DPAs that have not made such a switch, will change their internal culture to be more of an “enforcement authority”, which is the role that the law foresees.

Furthermore, we would like to see the possibility for digital rights organisations to bring collective judicial redress actions regarding data protection violations. Such an action would enable us to claim damages from the controllers, which is often more effective than filing a complaint with a data protection authority. With the Directive on collective redress adopted in June 2020, this should become a reality. However, we still have to wait for two years before the text becomes implemented into various national laws.

7. What is the biggest challenge your organisation is currently facing in your country?

The lack of harmonised administrative procedures among the data protection authorities: when we file a complaint with a certain data protection authority, chances are that the data protection authority of another Member State will handle the complaint as the “lead data protection authority”. This normally occurs when the company we file against is based in a second member state. However, this situation frequently leads to a clash of national procedures, where different procedural rules may coexist regarding the use of languages, the deadlines, the role of the parties in the procedure, or the way to communicate with the data protection authority. Very often, these rules are conflicting but the data protection authorities blindly apply their own national laws. This refusal to “zoom out” and look at the bigger picture results in a massive impairment to a uniform enforcement of GDPR rights throughout Europe.

Massive delays in handling complaints by some data protection authorities: in most jurisdictions, there is no timeframe within which a data protection authority has to investigate a case or adopt a decision. Ultimately, this leads to delays in investigations, hearings of the interested parties, and eventually a delay in the adoption of a final decision. As certain big tech companies have placed their headquarters in Member States with especially slow or unwilling data protection authorities, GDPR enforcement against these companies is further impaired.

8. How can one get in touch with you if they want to help as a volunteer, or donate to support your work?

There are two ways:

1. You can become a noyb volunteer (simply send an email to: info (at) noyb (dot) eu)
2.  You can become a Supporting Member

Above all, you can always write to us at: info (at) noyb (dot) eu. We are always happy to hear from you!

Discover more about noyb