TL;DR: Europe-based noyb™, a non-government organization seeking to protect data privacy through strategic litigation, is working to close the gap between laws and reality by enforcing agreed-upon regulations. The collaborative effort aims to unite experts from the privacy, tech, and consumer rights sectors, maximizing the organization’s impact. By creating best practices for upholding privacy rights, noyb will ensure a systematic and effective approach.
We all know from personal experience that a bored internet user can dig up some pretty bizarre material online. Among those curious tidbits of information are articles on so-called “birthday twins” — two unrelated people brought into the world on the same date. There’s Gladys Knight and Rudy Giuliani, both born on May 28, 1944, who went on to lead musical and political careers that couldn’t be further apart. There’s also the paradoxical pairing of Weird Al Yankovic and Nancy Grace, two disparate souls both delivered on October 23, 1958.
Others who share the same birthday — think legendary movie star Barbara Stanwyck and Orville Redenbacher, who was obsessed with crafting the perfect movie theater popcorn — pair quite well. Such is also the case with the General Data Protection Regulation (GDPR), a well-known European privacy law, and noyb™, a Europe-based privacy enforcement agency, both independently brought to life on May 25, 2018.
“noyb officially came into force as a non-government organization (NGO) on the implementation date of GDPR in the European Union,” said Ioannis Kouvakas, Data Protection Lawyer at noyb. “GDPR allows nonprofit organizations to protect individuals’ rights, but before noyb, there had never been an NGO focused exclusively on enforcing data privacy rights against controllers.”
According to Ioannis, noyb — which stands for None Of Your Business — is the brainchild of Austrian lawyer and privacy activist Max Schrems, who set up the NGO as a European organization intended to protect the data privacy rights of individuals systematically. Today, the NGO employs strategic litigation to ensure regulatory compliance and close the gap between the law and reality. Through industry collaboration and member support, noyb is establishing best practices for enforcing privacy rights efficiently and effectively.
An NGO Employing Strategic Litigation to Ensure Regulatory Compliance
noyb has brought forth a number of model cases in the hope of making privacy a reality for everyone in Europe. On May 25, 2018, noyb filed four similar complaints alleging that Google, Instagram, WhatsApp, and Facebook essentially forced users to agree to new privacy policies. The organization argued that the actions violated the GDPR, which prohibits bundling services with the requirement to provide consent.
“Most of these companies were forcing users to consent without providing them enough clarification, with some threatening that users would be blocked from their accounts,” Ioannis said. “In our view, that constitutes forced consent to the use of personal data.”
Each case was filed with data protection authorities in different countries: the Facebook complaint in Austria, the Google complaint in France, the WhatsApp complaint in Germany, and the Instagram complaint in Belgium. If successful, Ioannis said the charges would put a stop to inescapable consent pop-ups. This year, the French data protection agency, CNIL, became the first to act as a result of noyb’s effort, imposing a financial penalty of 50 million euros against Google for failing to obtain valid consent.
“Following the introduction of GDPR, we have found that large corporations such as Google simply interpret the law differently and have often only superficially adapted their products,” Max Schrems said in an official statement after the announcement. “It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
In January, noyb also began representing a customer of an Austrian bank who was denied access to his bank account details.
Get Involved: Join noyb as a Supporting Member
Ioannis said that noyb raised its minimum funding goal of 250,000 euros through a January 2018 Kickstarter-like campaign but is still seeking to reach its funding goal of 500,000 euros through member support. These funds are crucial for procuring lawyers, staff members, and other resources.
Interested individuals can join noyb as a Gold Supporting Member at the rate of 100 euros per year or more, a Silver Supporting Member at the price of more than 50 euros per year, or a Basic Supporting Member for 50 euros a year. All plans may be canceled anytime with a 14-day money-back guarantee.
Silver and Gold Supporting Members receive a membership card, welcome box, initial consultation in private data protection cases, information about noyb’s collective enforcement cases, and free goodies. Basic Supporting Members receive a welcome email and information about noyb’s collective enforcement cases. “We’re trying to make people aware that they have rights, and we’re trying to ensure that those rights are enforced,” Ioannis said.
Of course, noyb also performs specific services based on member feedback. “Often, our members bring quite interesting issues to our attention,” Ioannis said. “Our job is to provide information, advice, and support to our members when it comes to their own data protection issues or a specific case. Sometimes, we pursue them free of charge.”
Ioannis said noyb is a member-driven organization at its core. “Our more than 3,200 members are everything to us,” he said. “We’re quite thankful for their active support, whether through donations or providing key information and insights.”
Creating Best Practices for Procedural Requirements
noyb’s hard work has shed light on factors that complicate the complaint filing and resolution process. Problems may arise because there are different procedural requirements for individuals in each member state to file complaints before their national data protection authorities.
“On one hand, GDPR is pretty clear on the deadline that data protection authorities have to respond to an investigation,” Ioannis said. “However, different data protection authorities have to cooperate when it comes to complaints that are international or cross-border in character, and this makes things more complicated than we thought.”
For example, if a data subject/user who is located in country A wants to file a complaint against a company whose main European establishment is in country B, they can also lodge a complaint with the data protection authority in country A. The cross-border cooperation mechanism established by the GDPR would then require cooperation from the data protection authorities in both countries.
Ioannis said a procedure to streamline these cross-border scenarios is yet to be developed, but some of the complaints noyb has filed, including the Facebook complaint in Austria, the WhatsApp complaint in Germany, and the Instagram complaint in Belgium, will require cross-border cooperation.
“To be honest, I don’t think the data protection authorities currently have a lot of insight into how to address this,” Ioannis said. “I think that our complaints will at least shed some light on the details of the process, or spur a conversation on how data protection authorities can effectively cooperate.”
In January, noyb brought ten complaints against eight streaming services. “We filed in Austria against companies that were, for the most part, located in other European countries, so the cross-border mechanism was once again triggered,” Ioannis said.
As issues like these unfold, procedural standards and best practices will start to emerge.
Closing the Gap Between the Law and Reality
The organization’s ultimate goal is to focus on strategic enforcement and litigation, rather than lobbying or policy work. Ioannis said the group is mainly focused on narrowing the gap between the GDPR and reality through Article 80 of the regulation.
“This enables us to bring a complaint on behalf of one of our members against a controller, highlight the issues we think are problematic, and bring our case before a data protection authority or even a court,” Ioannis said.
GDPR is still quite new, and noyb hasn’t observed a lot of enforcement taking place. “The CNIL decision against Google was the very first one,” Ioannis said. “It’s hard to tell whether companies will comply, as it appears there is still a lot of infringement going on.”
And that’s precisely why noyb, as the perfect complement to the GDPR, must keep pushing on to protect individuals’ rights.