NOYB – European Center for Digital Rights (styled as "noyb", from "none of your business") is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general.[1][2] The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members.[3] Currently, NOYB is financed by more than 4,400 supporting members.
While many privacy organisations focus attention on governments, NOYB puts its focus on privacy issues and privacy violations in the private sector. Under Article 80, the GDPR foresees that non-profit organizations can take action or represent users.[4] NOYB is also recognized as a "qualified entity" to bring consumer class actions in Belgium.[5]
The Irish Data Protection Commission (DPC) filed a lawsuit against Schrems and Facebook in 2016, based on a complaint from 2013, which had led to the so-called "Safe Harbor Decision". Back then, the Court of Justice of the European Union (CJEU) had invalidated the Safe Harbor data transfer system with its decision. When the case was referred back to the DPC the Irish regulator found that Facebook had in fact relied on Standard Contact Clauses, not on the invalidated Safe Harbor. The DPC then found that there were "well-founded" concerns by Schrems under these instruments too, but instead of taking action against Facebook, initiated proceedings against Facebook and Schrems before the Irish High Court. The case was ultimately referred to the CJEU in C-311/18 (called "Schrems II"; see Max Schrems#Schrems II). NOYB supported this private case of Schrems.
"Forced consent" complaints (2018)
Within hours after General Data Protection Regulation rules went into effect on 25 May 2018, NOYB filed complaints against Facebook and subsidiaries WhatsApp and Instagram, as well as Google (targeting Android), for allegedly violating Article 7(4) by attempting to completely block use of their services if users decline to accept all data processing consents, in a bundled grant which also includes consents deemed unnecessary to use the service.[6][7][8][9][10] Based on the complaint, the French data protection authority CNIL has issued a €50 million fine against Google.[11] The other cases are still pending.[as of?]
Spotify case (2019)
Since Spotify is based in Sweden, the Swedish data protection authority (IMY) was responsible. However, this authority took its time. For over four years, no decision was made on the complaint against the streaming service. So in 2022, NOYB first filed a complaint for inaction in Sweden. The lawsuit was decided in favor of the privacy activists. The IMY then imposed a GDPR fine of 58 million Swedish kronor (about EUR 5 million) on Spotify.[citation needed]
Apple tracking case (2020)
In mid November 2020, NOYB announced that complaints were filed to both the German and Spanish Data Protection Authorities,[12][13][14] claiming "IDFA (Apple's Identifier for Advertisers) allows Apple and all apps on the phone to track a user and combine information about online and mobile behaviour". In a slight change from their previous legal strategy in other similar cases, NOYB notes that, because the complaint is based on Article5(3) of the ePrivacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without appealing to EU Data Protection Authorities under the GDPR.[15]
Open letter on GDPR cooperation mechanism (2020)
NOYB also focuses on putting pressure on regulators to enforce privacy laws on the books. In an open letter,[16] the NGO has accused the Irish Data Protection Commission of acting too slowly and having 10 meetings with Facebook before the coming into application of the GDPR.[17]
Schrems II – Court of Justice Judgment on Privacy Shield (2020)
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield and decided that Facebook and other companies that fall under US surveillance laws cannot rely on "Standard Contractual Clauses" (SCCs) since US surveillance laws were found to be conflicting EU fundamental rights. This judgement was based on a long lasting case of Max Schrems and NOYB. US companies' foreign customers' data are not protected from the U.S. intelligence services. The CJEU found that this violates the "essence" of certain EU fundamental rights.[18]
The Court has also clarified that EU data protection authorities (DPAs) have a duty to take action. The Court highlighted that a DPA is "required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence".[19]
Despite the invalidations made by the judgment, absolutely "necessary" data flows can continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is "necessary" to fulfil a contract.[20]
Mass complaints on EU–US data transfers (2020)
After the Schrems II judgment, B filed 101 complaints against EU/EEA companies against controllers using Google Analytics or Facebook Connect and thereby transferring data to the US despite the Court finding (link to Privacy Shield) that US surveillance laws violate the essence of EU fundamental rights. The organization thereby wanted to point out the lack of enforcement of Schrems II.[21][22] These model complaints led to the creation of a special taskforce by the European Data Protection Board (EDPB) which is tasked to coordinate the complaints and to prepare recommendations for controllers and processors.[23] On January 12, 2022, the Austrian Data Protection Authority (DSB) reached a partial decision in favour of NOYB, stating that the continuous use of Google Analytics violates the GDPR.[24] This decision affects most websites in the European Union since Google Analytics is the most common traffic analysis tool.[25]
Google Advertising ID tracking (2021)
On April 7, 2021, NOYB filed a complaint in France charging that Android users were being tracked by Google without giving consent.[26][27]
"Google's software creates the AAID without the user's knowledge or consent. The identification number functions like a license plate that uniquely identifies the phone of a user and can be shared among companies. After its creation, Google and third parties (e.g. applications providers and advertisers) can access the AAID to track users' behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU "Cookie Law" (Article 5(3) of the e-Privacy Directive) and requires the users' informed and unambiguous consent."[28][29]
Facebook and DPC complaint (2021)
NOYB filed a complaint against the Irish Data Protection Commissioner (DPC) for corruption and possible bribery in 2021 under Austrian law for an affair concerning Facebook.[30][31][32]
Administrative fine for Grindr over illegal sharing of user data (2021)
Together with the Norwegian Consumer Council, NOYB filed three strategic complaints against the dating app Grindr and several adtech companies over illegal sharing of users' data in January 2020. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr. Users could be identified through the data shared, and the recipients could potentially further share the data.[33] These complaints are based on the report "Out of Control" by the Norwegian Consumer Council.[34]
One year after the complaint was filed, the Norwegian Data Protection Authority upheld the complaint against Grindr, confirming that Grindr did not receive valid consent from users in an advance notification. The Authority imposed a fine of 100 million NOK (€9.63 million) on Grindr,[35] which was then reduced to 65 million NOK (€6.5 million) in the final decision since Grindr's actual revenue was lower than previously assumed and the company undertook measures to remedy deficiencies in their previous consent management platform.[36]
Action against the use of dark patterns in cookie banners (2021)
On August 10, 2021, NOYB filed 422 complaints against companies using deceptive cookie banners on their website. This wave of complaints was the outcome of a "Legal Tech" initiative by the organization in the course of which thousands of websites in Europe had been automatically checked for violations with a tool that was developed specifically for this purpose.[37][38] In response to those complaints an EDPB task force was set up to exchange views on legal analysis and possible infringements and to streamline communication.[39] In its effort to overcome the necessity of cookie banners, NOYB has also co-developed Advanced Data Protection Control together with the Sustainable Computing Lab of the Vienna University of Economics. The ADPC browser signal poses a feasible alternative to cookie banners through its automated mechanism for the communication of users' privacy decisions and data controllers' responses.[40][41]
Austrian Court: Google Analytics illegal in Europe (2022)
In early 2022, an Austrian court ruled that the use of Google Analytics on European websites was illegal. The case in question was filed in August 2020, from a Google user accessing an Austrian website for health related issues. The website used Google Analytics, and data about the user was transmitted to Google. The Google user complained to the Austrian data protection authority alongside NOYB. The issue at hand has a direct reference to Article 44 under GDPR, since the user cannot be afforded the correct level of protections established, thus making it a clear violation of GDPR.[42] France's data watchdog CNIL concurred with the Austrian ruling in mid February 2022.[43] Schrems duly commented:
This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.
Furthermore, in mid 2022, the Austrian DPA also ruled that Google's anonymization was insufficient in protecting user privacy, and that Article 44 of GDPR does not allow for a risk-based approach that Google had argued for.[44]