noyb became operational on May 25th 2018. We are currently starting with the first projects, many of which are exploring enforcement options. Below you can find a list of projects we are currently working on. Some are work in progress and, as such, details need to remain confidential for the time being.
Current Enforcement Projects
Forced Consent (DPAs in Austria, Belgium, France, Germany and Ireland)
When relying on consent as a legal basis to process personal data, companies need to comply with the stringent requirements contained in the GDPR. In May 2018, noyb filed four complaints: in France against Google, in Austria against Facebook, in Belgium against Instagram and in Germany against WhatsApp. The reason was that these major companies adopted a “take it or leave it” approach, forcing their users to consent to both their privacy policies and terms in full in order to keep using their services.
In January 2019, following our complaint, the French supervisory authority (CNIL) imposed a 50 million euro fine on Google over the company’s invalid consent mechanisms. The sanction was appealed and a hearing date before the French Conseil d’Etat is yet to be set. All three other complaints (Facebook, Instagram and WhatsApp) triggered the European cooperation mechanism and are still being investigated today. We are carefully monitoring the cooperation between the Irish DPC and its counterparts and are hoping to hear back on our latest submissions in the near future.
Many companies take advantage of the digitalisation of their services and collect much more data about their customers than necessary. Very often it is impossible to complete a transaction online without being forced to register an account with the service provider. noyb decided to investigate selected business models and their practices in light of the GDPR ‘data minimisation’ principle, which provides that controllers should not have more personal data than they need to achieve their purpose. With this project we aim to change the “forced accounts” culture in selected industry sectors and put an end to the excessive data processing.
Encryption - Privacy by Design
Our emails always contain personal data. On their way to the recipient, such communications are handled by different entities, nodes and service providers, which may intercept, manipulate and unlawfully use their content. To reduce these risks, Article 32 of the GDPR requires controllers to implement appropriate security measures. If they do not, the confidentiality and integrity of our communications are violated. This project aims at enforcing the GDPR’s security requirements against a multinational internet company.
EU-US Data Transfers (Court of Justice of the European Union)
In 2013, Edward Snowden disclosed that the US intelligence agencies have access to the personal data of European Facebook users with the aid of surveillance programs such as “PRISM”. Mr Schrems’s complaint seeks to stop Facebook’s EU-US data transfers based on both Privacy Shield and Standard Contractual Clauses.
After several procedural steps, the Irish High Court recognized the existence of US government mass surveillance programs and referred eleven interpretive questions to the CJEU, which examined the matter on July 9th 2019. During the hearing the parties argued the main aspects of the proceedings, such as the violation of the fundamental right to privacy, the legitimacy of international data transfers in case of ongoing mass surveillance programs and the duties of the involved Data Protection Authorities.
After the judgment of the CJEU, expected in Q1 2020, the DPC would finally have to decide on the complaint for the first time. The decision could again be subject to appeals by Facebook or Mr. Schrems.
Right to Access (Austrian Federal Administrative Court)
noyb represents a customer of an Austrian bank who wanted access to his bank account details but was denied access. The Austrian DPA has decided in favor of the customer, but the bank appealed to the Federal Administrative Court (BVwG). noyb made submissions on behalf of the customer under Art 80 GDPR.
Ambiguous Consent (details not public)
After filing a first round of complaints on “forced consent” we are currently preparing complaints on “ambiguous consent” (e.g. “opt-out” or consent by “using a service” and the like). As soon as we are ready to file these cases, we will be able to share the details here.
Legitimate Interest (details not public)
noyb is currently researching the exact meaning of Art 6(1)(f) GDPR, which allows processing for “legitimate interests”. As soon as we have finalized our research, we should be able to turn it into enforcement actions.
Access Requests / Policy Review (details not public)
Together with a partner, noyb is working on a review of privacy policies and has also filed access requests in a specific industry sector. The project will roughly last until the end of 2018. As soon as we have finalized our final report, we will be able to publish all details.
Current Research Projects
National Administrative Procedure
noyb is currently reviewing the national administrative procedures before DPAs, as they are often fundamentally different (e.g. access to documents, right to apply for certain actions by the DPAs). It is crucial for strategic litigation to ensure that we have a full overview of national procedural options.
National Implementation of GDPR
Current Outreach Projects
National Data Protection Organizations
noyb is currently reaching out to all other NGOs in the privacy area and specific players in the consumer rights and hacker sphere to better coordinate and collaborate.