How we work

noyb follows the idea of targeted and strategic litigation in order to strengthen the right to privacy: In practice, we pursue this goal by thoroughly analyzing and prioritizing privacy violations, identifying the legal weak spots of these cases and litigating them with the best possible strategy and the most effective method to achieve maximum impact. noyb either files complaints against companies with the responsible data protection authority (DPA) or brings cases directly to courts. In our litigation strategy, we differentiate between standard setting cases and enforcement actions.

Standard Setting Cases: The GDPR is a rather new law, therefore many elements are still unclear or disputed. By developing complex cases targeting those uncertain aspects, noyb aims to achieve a decision by the highest courts or privacy bodies in the European Union (CJEU or EDPB) that then will set a standard for the future interpretation of the GDPR. 

Enforcement Actions: In some cases, the law is very straightforward, but companies simply don’t comply. Therefore, noyb’s enforcement actions aim not at achieving a decision by the CJEU or EDPB, but at ensuring that national data protection authorities enforce the law on the ground to stop unlawful activities by companies. For an even bigger impact, noyb often launches mass proceedings and files cases in multiple countries. Two examples of such enforcement actions are noyb’s 101 complaints on unlawful data transfers to the US and our mass complaints against deceptive cookie banners.

We also make use of PR and media initiatives to support the right to privacy without having to go to court. Furthermore, we promote a common understanding of the GDPR and provide an information platform called GDPRhub, which summarizes GDPR decisions and legal literature. Last but not least, noyb is joining forces with other organisations to maximize the impact of GDPR, all while avoiding parallel structures.

How do we come up with project ideas?

On the one hand, noyb receives hints on privacy violations from our supporting members, the general public or whistleblowers; on the other hand, noyb’s legal team identifies potential projects based on the following factors:

  • High and Direct Impact: A case or project should directly impact as many people as possible, e.g. because it targets a whole industry or a common practice across different industry sectors and member states. In addition, we aim to upscale our projects to further amplify the impact and elicit compliance in general due to the so-called spill-over effect.
  • High Chances of Success: As a donation-funded organisation, noyb has to allocate funds to projects that have a high chance of success. Lost cases can backfire on the overarching goal of promoting privacy and data protection. Although we aim to initiate cases with a high possibility of success (e.g. because the violation is obvious and the law is clear, which is true for our “enforcement actions”), there are cases that need clarification but are worth the risk (“standard setting cases”). 
  • High Input/Output Ratio: We only engage in cases or projects that have a high input/output ratio in order to maximise the use of our funds. Therefore, we target the biggest players and privacy issues. 
  • Strategic: Strategic litigation is based on considering all elements that may affect the case or project and making informed decisions about them. For each case, the timing, jurisdiction, costs, fact patterns, complainants, and controllers should be individually assessed. noyb also monitors the activities of DPAs and courts to make use of the most favorable conditions (court fees, average processing time, expertise and the like) for our complaints.

Complaints

Complaints are filed with a national data protection authority (DPA) and are a cost-efficient way to enforce the GDPR. When receiving a complaint, the authority has to investigate and issue a decision within a reasonable period of time (e.g. in Austria within half a year). Oftentimes, different DPAs have to cooperate to come to a decision under the GDPR, e.g. if the concerned user and the involved company are not located in the same country. If the DPA does not decide before the given deadline or if the data subject does not agree with the legal reasoning, the decision can be appealed with the competent courts.

Lawsuits

There are two types of lawsuits. The first are lawsuits aimed directly at a company. These lawsuits typically cost more than complaints, but are oftentimes an even more powerful tool. One advantage is that lawsuits are not subject to a cross-border procedure, as would be the case with a complaint against a company located in a different member state. For example, a cross-border procedure would apply if a complainant lives in Austria, but the targeted company was based in Ireland.

The second type of lawsuit arises in the appeal process of a complaint. This type of legal action is aimed at the decision of the authority. The court can refer a case to the next instance, up to the Court of Justice, which then has to decide on fundamental questions of legal interpretation.