NOYB explained

noyb
Type:Non-profit organization
Registration Id:1354838270
Founder:Max Schrems
Location:Vienna, Austria
Key People:Max Schrems
Petra Leupold
Christof Tschohl
Num Employees:15
Num Members:4,400+

NOYB – European Center for Digital Rights (styled as "noyb", from "none of your business") is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general.[1] [2] The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members.[3] Currently, NOYB is financed by more than 4,400 supporting members.

While many privacy organisations focus attention on governments, NOYB puts its focus on privacy issues and privacy violations in the private sector. Under Article 80, the GDPR foresees that non-profit organizations can take action or represent users.[4] NOYB is also recognized as a "qualified entity" to bring consumer class actions in Belgium.[5]

Notable actions

EU–US data transfers/"Schrems I" (2016)

The Irish Data Protection Commission (DPC) filed a lawsuit against Schrems and Facebook in 2016, based on a complaint from 2013, which had led to the so-called "Safe Harbor Decision". Back then, the Court of Justice of the European Union (CJEU) had invalidated the Safe Harbor data transfer system with its decision. When the case was referred back to the DPC the Irish regulator found that Facebook had in fact relied on Standard Contact Clauses, not on the invalidated Safe Harbor. The DPC then found that there were "well-founded" concerns by Schrems under these instruments too, but instead of taking action against Facebook, initiated proceedings against Facebook and Schrems before the Irish High Court. The case was ultimately referred to the CJEU in C-311/18 (called "Schrems II"; see Max Schrems#Schrems II). NOYB supported this private case of Schrems.

"Forced consent" complaints (2018)

Within hours after General Data Protection Regulation rules went into effect on 25 May 2018, NOYB filed complaints against Facebook and subsidiaries WhatsApp and Instagram, as well as Google (targeting Android), for allegedly violating Article 7(4) by attempting to completely block use of their services if users decline to accept all data processing consents, in a bundled grant which also includes consents deemed unnecessary to use the service.[6] [7] [8] [9] [10] Based on the complaint, the French data protection authority CNIL has issued a €50 million fine against Google.[11] The other cases are still pending.

Spotify case (2019)

Since Spotify is based in Sweden, the Swedish data protection authority (IMY) was responsible. However, this authority took its time. For over four years, no decision was made on the complaint against the streaming service. So in 2022, NOYB first filed a complaint for inaction in Sweden. The lawsuit was decided in favor of the privacy activists. The IMY then imposed a GDPR fine of 58 million Swedish kronor (about EUR 5 million) on Spotify.

Apple tracking case (2020)

In mid November 2020, NOYB announced that complaints were filed to both the German and Spanish Data Protection Authorities,[12] [13] [14] claiming "IDFA (Apple's Identifier for Advertisers) allows Apple and all apps on the phone to track a user and combine information about online and mobile behaviour". In a slight change from their previous legal strategy in other similar cases, NOYB notes that, because the complaint is based on Article5(3) of the ePrivacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without appealing to EU Data Protection Authorities under the GDPR.[15]

Open letter on GDPR cooperation mechanism (2020)

NOYB also focuses on putting pressure on regulators to enforce privacy laws on the books. In an open letter,[16] the NGO has accused the Irish Data Protection Commission of acting too slowly and having 10 meetings with Facebook before the coming into application of the GDPR.[17]

Schrems II – Court of Justice Judgment on Privacy Shield (2020)

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield and decided that Facebook and other companies that fall under US surveillance laws cannot rely on "Standard Contractual Clauses" (SCCs) since US surveillance laws were found to be conflicting EU fundamental rights. This judgement was based on a long lasting case of Max Schrems and NOYB. US companies' foreign customers' data are not protected from the U.S. intelligence services. The CJEU found that this violates the "essence" of certain EU fundamental rights.[18]

The Court has also clarified that EU data protection authorities (DPAs) have a duty to take action. The Court highlighted that a DPA is "required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence".[19]

Despite the invalidations made by the judgment, absolutely "necessary" data flows can continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is "necessary" to fulfil a contract.[20]

Mass complaints on EU–US data transfers (2020)

After the Schrems II judgment, B filed 101 complaints against EU/EEA companies against controllers using Google Analytics or Facebook Connect and thereby transferring data to the US despite the Court finding (link to Privacy Shield) that US surveillance laws violate the essence of EU fundamental rights. The organization thereby wanted to point out the lack of enforcement of Schrems II.[21] [22] These model complaints led to the creation of a special taskforce by the European Data Protection Board (EDPB) which is tasked to coordinate the complaints and to prepare recommendations for controllers and processors.[23] On January 12, 2022, the Austrian Data Protection Authority (DSB) reached a partial decision in favour of NOYB, stating that the continuous use of Google Analytics violates the GDPR.[24] This decision affects most websites in the European Union since Google Analytics is the most common traffic analysis tool.[25]

Google Advertising ID tracking (2021)

On April 7, 2021, NOYB filed a complaint in France charging that Android users were being tracked by Google without giving consent.[26] [27]

"Google's software creates the AAID without the user's knowledge or consent. The identification number functions like a license plate that uniquely identifies the phone of a user and can be shared among companies. After its creation, Google and third parties (e.g. applications providers and advertisers) can access the AAID to track users' behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU "Cookie Law" (Article 5(3) of the e-Privacy Directive) and requires the users' informed and unambiguous consent."[28] [29]

Facebook and DPC complaint (2021)

NOYB filed a complaint against the Irish Data Protection Commissioner (DPC) for corruption and possible bribery in 2021 under Austrian law for an affair concerning Facebook.[30] [31] [32]

Administrative fine for Grindr over illegal sharing of user data (2021)

Together with the Norwegian Consumer Council, NOYB filed three strategic complaints against the dating app Grindr and several adtech companies over illegal sharing of users' data in January 2020. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr. Users could be identified through the data shared, and the recipients could potentially further share the data.[33] These complaints are based on the report "Out of Control" by the Norwegian Consumer Council.[34]

One year after the complaint was filed, the Norwegian Data Protection Authority upheld the complaint against Grindr, confirming that Grindr did not receive valid consent from users in an advance notification. The Authority imposed a fine of 100 million NOK (€9.63 million) on Grindr,[35] which was then reduced to 65 million NOK (€6.5 million) in the final decision since Grindr's actual revenue was lower than previously assumed and the company undertook measures to remedy deficiencies in their previous consent management platform.[36]

Action against the use of dark patterns in cookie banners (2021)

On August 10, 2021, NOYB filed 422 complaints against companies using deceptive cookie banners on their website. This wave of complaints was the outcome of a "Legal Tech" initiative by the organization in the course of which thousands of websites in Europe had been automatically checked for violations with a tool that was developed specifically for this purpose.[37] [38] In response to those complaints an EDPB task force was set up to exchange views on legal analysis and possible infringements and to streamline communication.[39] In its effort to overcome the necessity of cookie banners, NOYB has also co-developed Advanced Data Protection Control together with the Sustainable Computing Lab of the Vienna University of Economics. The ADPC browser signal poses a feasible alternative to cookie banners through its automated mechanism for the communication of users' privacy decisions and data controllers' responses.[40] [41]

Austrian Court: Google Analytics illegal in Europe (2022)

In early 2022, an Austrian court ruled that the use of Google Analytics on European websites was illegal. The case in question was filed in August 2020, from a Google user accessing an Austrian website for health related issues. The website used Google Analytics, and data about the user was transmitted to Google. The Google user complained to the Austrian data protection authority alongside NOYB. The issue at hand has a direct reference to Article 44 under GDPR, since the user cannot be afforded the correct level of protections established, thus making it a clear violation of GDPR.[42] France's data watchdog CNIL concurred with the Austrian ruling in mid February 2022.[43] Schrems duly commented:

Furthermore, in mid 2022, the Austrian DPA also ruled that Google's anonymization was insufficient in protecting user privacy, and that Article 44 of GDPR does not allow for a risk-based approach that Google had argued for.[44]

Notes and References

  1. News: Austrian activist launches consumers' digital rights group . . November 28, 2017 . live . https://web.archive.org/web/20171211012810/https://www.apnews.com/18a537b8b234445fa4eab2633a4a516d . December 11, 2017 . December 10, 2017 .
  2. News: Scally . Derek . Time to tell tech firms that private data is 'none of your business' – Max Schrems . . November 30, 2017 . live . https://web.archive.org/web/20171130082725/https://www.irishtimes.com/business/technology/time-to-tell-tech-firms-that-private-data-is-none-of-your-business-max-schrems-1.3309734 . November 30, 2017 . December 10, 2017 .
  3. News: Hill . Rebecca . Max Schrems launches privacy NGO, wins €60k within first 24 hours . . November 29, 2017 . live . https://web.archive.org/web/20171129225011/https://www.theregister.co.uk/2017/11/29/schrems_launches_privacy_enforcement_ngo_pulls_in_nearly_60k_in_first_24_hours/ . November 29, 2017 . December 10, 2017 .
  4. Web site: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL . 2020-06-08 . . Article 80 – Representation of data subjects.
  5. Web site: Moniteur Belge – Belgisch Staatsblad . 2020-10-31 . Federal Public Service Justice.
  6. Web site: 25 May 2018 . GDPR: noyb.eu filed four complaints over 'forced consent' against Google, Instagram, WhatsApp and Facebook . live . https://web.archive.org/web/20180525211528/https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf . 25 May 2018 . 26 May 2018 . NOYB.
  7. News: Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR. The Verge. 26 May 2018. https://web.archive.org/web/20180525235251/https://www.theverge.com/2018/5/25/17393766/facebook-google-gdpr-lawsuit-max-schrems-europe. 25 May 2018. live.
  8. News: Max Schrems files first cases under GDPR against Facebook and Google. The Irish Times. 26 May 2018. en-US. https://web.archive.org/web/20180525201624/https://www.irishtimes.com/business/technology/max-schrems-files-first-cases-under-gdpr-against-facebook-and-google-1.3508177. 25 May 2018. live.
  9. Web site: Facebook, Google face first GDPR complaints over 'forced consent'. TechCrunch. 25 May 2018 . 26 May 2018. https://web.archive.org/web/20180526030448/https://techcrunch.com/2018/05/25/facebook-google-face-first-gdpr-complaints-over-forced-consent/. 26 May 2018. live.
  10. News: Google, Facebook hit with serious GDPR complaints: Others will be soon. Meyer. David. ZDNet. 26 May 2018. en. https://web.archive.org/web/20180528090334/https://www.zdnet.com/article/google-facebook-hit-with-serious-gdpr-complaints-others-will-be-soon/. 28 May 2018. live.
  11. Web site: The CNIL's restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC . 2020-06-08 . CNIL.
  12. Web site: SPANISH COMPLAINT UNDER ARTICLE 22(2) LEY 34/2002 . NOYB.
  13. Web site: GERMAN COMPLAINT . NOYB.
  14. News: 2020-11-16 . Apple tracks iPhone users without consent, claims activist Max Schrems . . 2020-11-16.
  15. Web site: 16 November 2020 . noyb files complaints against Apple's tracking code 'IDFA' . NOYB.
  16. Web site: Open Letter on "confidential" dealings in Facebook case . 2020-06-08 . NOYB . en.
  17. Web site: 2021-06-24 . NOYB Annual Report 2020 . live . https://web.archive.org/web/20191228111507/https://www.politico.eu/article/we-have-a-huge-problem-european-regulator-despairs-over-lack-of-enforcement/ . 2019-12-28 . 2022-02-01 . NOYB.
  18. Web site: 2021-06-24 . NOYB Annual Report 2020 . 2022-02-01 . NOYB.
  19. Web site: 2020-07-16. JUDGMENT OF THE COURT (Grand Chamber). 2022-02-01. CURIA.
  20. Web site: 2020-06-24 . CJEU Statement – First Statement . NOYB.
  21. Web site: 2020-08-17 . 101 Complaints on EU–US Transfers filed . 2022-02-01 . NOYB.
  22. News: 2020-08-26. Max Schrems on the EU court ruling that could cut Facebook in two. TechCrunch. 2020-02-01.
  23. Web site: 2020-09-04 . European Data Protection Board – Thirty-seventh Plenary session . 2022-02-01 . NOYB.
  24. Web site: 2022-01-13 . Partial Decision of the Austrian DSB . 2022-02-01 . NOYB.
  25. Web site: 2019-02-27. Usage statistics of traffic analysis tools for websites. 2022-02-01. W3Techs.
  26. Boland, Hannah. (7 April 2021). "Google accused of tracking Android users without their consent". The Telegraph website Retrieved 9 April 2021.
  27. Web site: Complaint filed to the Data Protection Authority of France . 2021-04-09 . NOYB.
  28. Web site: Buy a phone, get a tracker: unauthorized tracking code illegally installed on Android phones . 2021-04-09 . NOYB.
  29. News: 2021-06-04. Max Schrems accuses Google of illegally tracking Android users. Financial Times. 2022-02-01.
  30. Web site: Facebook's lead EU privacy watchdog accused of corruption. 2022-01-03. TechCrunch. 23 November 2021 . en-US.
  31. Web site: Irish DPC removes noyb from GDPR procedure – Criminal report filed . 2022-01-03 . NOYB . en.
  32. Web site: First noyb "Advent Reading" from Facebook/DPC Documents . 2022-01-03 . NOYB . en.
  33. Web site: 2020-01-14 . Three GDPR Complaints filed against Grindr, Twitter and the AdTech companies Smaato, OpenX, AdColony and AT&T's AppNexus . 2022-02-01 . NOYB.
  34. Web site: 2020-01-14 . Report: Out of control . 2022-02-01 . Forbrukerrådet.
  35. Web site: The NO DPA imposes fine against Grindr LLC. 2022-02-24. en.
  36. Web site: 2021-12-13. Norwegian DPA imposes fine against Grindr LLC. 2022-02-01. European Data Protection Board.
  37. Web site: 2021-08-10 . noyb files 422 formal GDPR complaints on nerve-wrecking "Cookie Banners" . 2022-02-01 . NOYB.
  38. Web site: 2021-07-02. noyb Takes Aim at "Cookie Banner Terror" While CNIL Enforces Cookie Guidelines. 2022-02-01. JD SUPRA.
  39. Web site: 2021-09-27. EDPB establishes cookie banner taskforce. 2022-02-01. EDPB.
  40. Web site: Advanced Data Protection Control (ADPC). 2022-02-01. ADPC.
  41. 2021-09-13. Advanced Data Protection Control (ADPC). 2022-02-01. Vienna University of Economics and Business. Sustainable Computing Reports and Specifications . Human . Soheil . Schrems . Max . Toner . Alan . Gerben . Wagner . Ben .
  42. Web site: Hanna . Google Analytics declared illegal in the EU . 19 January 2022 . Tutanota . Hanover, Germany . 2022-02-16.
  43. Web site: Mathieu Pollet . France joins Austria in finding Google Analytics illegal . 2 February 2022. Euractiv . 2022-02-16.
  44. Web site: 2022-05-02 . UPDATE on 101 complaints: Austrian DPA rejects "risk based approach" for data transfers to third countries . 2022-05-03 . NOYB.

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "NOYB".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2024, A B Cryer, All Rights Reserved. Cookie policy.