noyb became operational on May 25th 2018. We are currently starting with the first projects, many of which are exploring enforcement options. Below you can find a list of projects we are currently working on. Some are work in progress and, as such, details need to remain confidential for the time being.
Current Enforcement Projects
Forced Consent (DPAs in Austria, Belgium, France, Germany and Ireland)
When relying on consent as a legal basis to process personal data, companies need to comply with the stringent requirements contained in the GDPR. In May 2018, noyb filed four complaints; in France against Google, in Austria against Facebook, in Belgium against Instagram and in Germany against Whatsapp. The reason was that these major companies adopted a “take it or leave it” approach, forcing their users to consent to both their privacy policies and terms in full in order to keep using their services.
In January 2019, following our complaint, the French supervisory authority (CNIL) imposed a 50 million euro fine on Google over the company’s invalid consent mechanisms. The sanction was appealed and a hearing date before the French Conseil d’Etat is yet to be set. All three other complaints (Facebook, Instagram and WhatsApp) triggered the European cooperation mechanism and are still being investigated today. We are carefully monitoring the cooperation between the Irish DPC and its counterparts and hope to hear back on our latest submissions in the near future.
In 2018, data subjects represented by noyb submitted requests to access information about their data with eight streaming services. Article 15 GDPR grants users the “right to access” – a right to obtain a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purposes for which the data is processed, and more. noyb observed that, where the requests were addressed at all, the responses were often incomplete or not specific to the user. In eight out of eight cases, noyb filed complaints with the relevant Data Protection Authorities (DPAs) in January 2019. All of the complaints are still open, with investigations currently ongoing before the DPAs in the Netherlands, the UK, Ireland, Luxembourg, Austria, Sweden and Berlin. Find more information about the complaints here.
Credit scoring is the practice of assigning individuals a creditworthiness score in order to determine whether to lend money or extend a post-paid service (such as an electricity contract) to them. Consequently, a poor credit score makes it more difficult for an individual to participate in society. Credit scoring is handled very differently across the EU. This project seeks to strengthen individuals’ rights with regard to both accurate and inaccurate credit scores.
Soft opt-in (details not available to public)
‘Soft opt-in’ implies your consent to receive marketing communication about products or services similar to those you have already ordered from a company. While an active opt-in (e.g. ticking the ‘yes’ box) remains the standard for direct marketing in electronic form, Article 13(2) of the ePrivacy Directive allows an exemption to that rule in the form of the ‘soft opt-in’ where three conditions are met. First, customers’ email addresses must be obtained ‘in the context of the sale or purchase of a product or a service’. Second, only the organisation that initially collected the email address can benefit from the ‘soft opt-in’ solution, and it can only use the email to advertise its ‘own’, ‘similar’ products or services. Third, a company can only rely on Article 13(2) of the ePrivacy Directive provided that end-users ‘are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use’. noyb is currently examining cases of abuse of the ‘soft opt-in’ solution and will file complaints as soon as all the findings are ready.
We all use smartphones. With them we surf the Internet, run searches, and download and use apps. What we don’t know is that our activities are tracked by means of built-in unique identifiers that allow various parties to follow our actions and take advantage of our preferences. This project looks into the matter and argues that users should be able to have these trackers permanently deleted.
Certain platforms process personal data (photos, contact details, etc.) that do not belong exclusively to their users, for example when a user uploads a photo of someone other than themselves. This information is processed with no consent from – or contract with – the affected person. In such cases, it appears that no legal basis under Article 6 GDPR can reasonably justify the processing.
The value and descriptive force of metadata is increasingly recognised. According to some analysts, such data can be used to track users’ connections and preferences. The information provided by major players in the data economy about their processing of metadata is very generic and does not clarify how metadata is actually used. With this project we are trying to shed light on a very important topic.
While quite recent in Europe, private testing of individuals’ DNA is becoming more pervasive every year. Companies promise their customers to help them discover who their ancestors are or what diseases they might develop in the future by selling them inexpensive genetic testing kits. The reason these kits became affordable is linked to the secondary use of the data: once a customer has been informed of their ancestry, companies keep using their genetic information for research purposes. This is quite concerning considering how sensitive genetic data is. noyb is investigating how the booming DNA testing industry is handling data subjects’ personal data and whether the processes involved are in line with the GDPR.
Cookie banners are regulated under the ePrivacy directive. In order for a company to legally set a cookie or another tracking technology on a user’s device, it first needs to obtain valid consent. As recently clarified by the CJEU in its Planet49 decision, such consent can only be valid if it meets the stringent requirements of consent as defined under the GDPR. Together with a research institute, noyb is investigating the way cookie banners are implemented online and whether the choices users make are respected in practice.
Dating apps process large amounts of personal data, including sensitive data such as users’ location, sexual orientation, age, photos, date of birth and more. What happens when data subjects stop using these apps and pause their accounts? Who is the data being shared with? Do these sharing practices meet the requirements of the GDPR? How long are the companies storing personal data? noyb has started investigating a number of dating app companies.
Many companies take advantage of the digitalisation of their services to collect far more data about their customers than necessary. Very often it is impossible to complete a transaction online without being forced to register an account with the service provider. noyb decided to investigate selected business models and their practices in light of the GDPR ‘data minimisation’ principle, which provides that controllers should not hold more personal data than they need to achieve their purpose. With this project we aim to change the “forced accounts” culture in selected industry sectors and put an end to excessive data processing.
Encryption - Privacy by Design
Our emails always contain personal data. On their way to the recipient, such communications are handled by different entities, nodes and service providers, which may intercept, manipulate and unlawfully use their content. In order to reduce these risks, Article 32 of the GDPR requires controllers to implement appropriate security measures. If such standards are not met, the confidentiality and integrity of our communications are violated. This project aims at enforcing the GDPR’s security requirements against a multinational internet company.
EU-US Data Transfers (Court of Justice of the European Union)
In 2013, Edward Snowden disclosed that the US intelligence agencies have access to the personal data of European Facebook users with the aid of surveillance programs such as “PRISM”. Mr Schrems’s complaint seeks to stop Facebook’s EU-US data transfers based on both the Privacy Shield and Standard Contractual Clauses.
After several procedural steps, the Irish High Court recognised the existence of US government mass surveillance programs and referred eleven interpretive questions to the CJEU, which examined the matter on July 9th 2019. During the hearing the parties argued the main aspects of the proceedings, such as the violation of the fundamental right to privacy, the legitimacy of international data transfers in the face of ongoing mass surveillance programs, and the duties of the Data Protection Authorities involved.
After the judgment of the CJEU, expected in Q1 2020, the DPC will finally have to decide on the complaint for the first time. That decision could again be subject to appeals by Facebook or Mr Schrems.
Regardless of its purpose, processing of personal data must rest on a lawful basis. Article 6 GDPR sets out the different lawful bases for processing. Apart from consent or contract, processing may also be justified by the ‘legitimate interests’ pursued by the controller (Article 6(1)(f) GDPR). Although the purpose of the provision was to afford controllers a certain degree of flexibility, experience has shown that ‘legitimate interests’ may be abused by controllers when no other legal basis is suitable to justify the processing. noyb undertook to clarify the exact meaning of ‘legitimate interests’ and the conditions that must be fulfilled in order to rely on them. noyb is preparing to turn this research into enforcement actions.
Current Research Projects
Online tracking is only part of the problem. Imagine if advertisers could see what you do and buy in physical stores. Apparently a big tech corporation is buying “anonymised” data sets from credit card service providers to improve the quality of its online advertising campaigns. In theory this would be fine, because anonymous data is not personal data. However, we are not sure these data are actually anonymous.
National Administrative Procedure
noyb is currently reviewing the national procedures before Data Protection Authorities (DPAs), as they are often fundamentally different (e.g. access to documents, right to apply for certain actions by the DPAs). It is crucial for strategic litigation to ensure that we have a full overview of national procedural options.
National Implementation of GDPR
The General Data Protection Regulation (“GDPR”) became directly applicable throughout the EU on 25 May 2018. As a regulation, it does not need to be implemented by the EU Member States, but there are more than 30 GDPR provisions where Member States are free to adapt their laws as they see fit. Such adaptations, for instance restrictions of an individual’s rights or national deviations for the processing of employment data, are included in the national data protection laws of the Member States. To date, 27 Member States have adopted or updated a national implementing law on data protection. noyb has been mapping the different national adaptations of the GDPR and will publish an overview.
Current Outreach Projects
Access Requests / Policy Review
The companies investigated were: Amazon Prime (music and video), Apple Music (music), DAZN (video), Flimmit (video), Netflix (video), SoundCloud (music), Spotify (music), and YouTube (video). The Report will be published.