NOYB

{{short description|European data protection advocacy group}}

{{Promotional tone|date=July 2021}}

{{use dmy dates|date=May 2021}}

{{Infobox organization

| name = noyb

| logo = NOYB logo.svg

| logo_size = 100px

| type = Non-profit organization

| founded_date = {{Start date|2017|06|12}}

| registration_id = 1354838270

| founder = Max Schrems

| location = Vienna, Austria

| coordinates =

| origins =

| key_people = Max Schrems<br />Petra Leupold<br />Christof Tschohl

| area_served =

| product =

| mission =

| focus =

| method =

| revenue =

| endowment =

| num_volunteers =

| num_employees = 15

| num_members = 4,400+

| subsid =

| opponents =

| owner =

| non-profit_slogan =

| former name =

| homepage = {{Official URL}}

| dissolved =

| footnotes =

}}

NOYB – European Center for Digital Rights (styled as "noyb", from "none of your business") is a non-profit organization based in Vienna, Austria, established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general.{{cite news |url=https://www.apnews.com/18a537b8b234445fa4eab2633a4a516d |title= Austrian activist launches consumers' digital rights group |work=Associated Press |date=November 28, 2017 |url-status=live |archive-url=https://web.archive.org/web/20171211012810/https://www.apnews.com/18a537b8b234445fa4eab2633a4a516d |archive-date=December 11, 2017 |access-date=December 10, 2017 }}{{cite news |last= Scally |first=Derek |url=https://www.irishtimes.com/business/technology/time-to-tell-tech-firms-that-private-data-is-none-of-your-business-max-schrems-1.3309734 |title=Time to tell tech firms that private data is 'none of your business' – Max Schrems |newspaper=The Irish Times |date=November 30, 2017 |url-status=live |archive-url=https://web.archive.org/web/20171130082725/https://www.irishtimes.com/business/technology/time-to-tell-tech-firms-that-private-data-is-none-of-your-business-max-schrems-1.3309734 |archive-date=November 30, 2017 |access-date=December 10, 2017 }} The organisation was established after a funding period during which it raised annual donations of €250,000 from supporting members.{{cite news |last=Hill |first=Rebecca |url=https://www.theregister.co.uk/2017/11/29/schrems_launches_privacy_enforcement_ngo_pulls_in_nearly_60k_in_first_24_hours/ |title=Max Schrems launches privacy NGO, wins €60k within first 24 hours |work=The Register |date=November 29, 2017 |url-status=live |archive-url=https://web.archive.org/web/20171129225011/https://www.theregister.co.uk/2017/11/29/schrems_launches_privacy_enforcement_ngo_pulls_in_nearly_60k_in_first_24_hours/ |archive-date=November 29, 2017 |access-date=December 10, 2017 }} Currently, NOYB is financed by more than 4,400 supporting members.

While many privacy organisations focus attention on governments, NOYB puts its focus on privacy issues and privacy violations in the private sector. Under Article 80, the GDPR foresees that non-profit organizations can take action or represent users.{{Cite web |title=REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL |url=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e6156-1-1 |access-date=2020-06-08 |website=Official Journal of the European Union |at=Article 80 – Representation of data subjects}} NOYB is also recognized as a "qualified entity" to bring consumer class actions in Belgium.{{Cite web |title=Moniteur Belge – Belgisch Staatsblad |url=http://www.ejustice.just.fgov.be/cgi/article_body.pl?numac=2020015708&caller=list&article_lang=F&row_id=1&numero=1&pub_date=2020-10-08&language=fr&du=d&fr=f&choix1=ET&choix2=ET&fromtab=+moftxt+UNION+montxt+UNION+modtxt&nl=n&trier=promulgation&text1=noyb&sql=((+htit+contains++(+%27noyb%27)++++++)+or+(+text+contains++(+%27noyb%27)++++++))&rech=2&tri=dd+AS+RANK+#top |access-date=2020-10-31 |publisher=Federal Public Service Justice}}

Notable actions

= EU–US data transfers/"Schrems I" (2016) =

{{further|Max Schrems#Schrems I}}

The Irish Data Protection Commission (DPC) filed a lawsuit against Schrems and Facebook in 2016, based on a complaint from 2013, which had led to the so-called "Safe Harbor Decision". Back then, the Court of Justice of the European Union (CJEU) had invalidated the Safe Harbor data transfer system with its decision. When the case was referred back to the DPC, the Irish regulator found that Facebook had in fact relied on Standard Contractual Clauses, not on the invalidated Safe Harbor. The DPC then found that there were "well-founded" concerns by Schrems under these instruments too, but instead of taking action against Facebook, it initiated proceedings against Facebook and Schrems before the Irish High Court. The case was ultimately referred to the CJEU in C-311/18 (called "Schrems II"; see Max Schrems#Schrems II). NOYB supported this private case of Schrems.

= Spotify case (2019) =

Since Spotify is based in Sweden, the Swedish data protection authority (IMY) was responsible. However, this authority took its time. For over four years, no decision was made on the complaint against the streaming service. So in 2022, NOYB first filed a complaint for inaction in Sweden. The lawsuit was decided in favor of the privacy activists. The IMY then imposed a GDPR fine of 58 million Swedish kronor (about EUR 5 million) on Spotify.{{Citation needed|date=August 2024}}

= Apple tracking case (2020) =

In mid-November 2020, NOYB announced that complaints had been filed with both the German and Spanish Data Protection Authorities,{{Cite web |title=SPANISH COMPLAINT UNDER ARTICLE 22(2) LEY 34/2002 |url=https://noyb.eu/sites/default/files/2020-11/IDFA_ES_DEF_Redacted.pdf |publisher=NOYB}}{{Cite web |title=GERMAN COMPLAINT |url=https://noyb.eu/sites/default/files/2020-11/IDFA_Germany_DEF_Redacted.pdf |publisher=NOYB}}{{Cite news |date=2020-11-16 |title=Apple tracks iPhone users without consent, claims activist Max Schrems |work=Financial Times |url=https://www.ft.com/content/aa43188a-0624-48b2-bc18-96b1e78df836 |access-date=2020-11-16}} claiming "IDFA (Apple's Identifier for Advertisers) allows Apple and all apps on the phone to track a user and combine information about online and mobile behaviour". In a slight change from its previous legal strategy in other similar cases, NOYB notes that, because the complaint is based on Article 5(3) of the ePrivacy Directive and not the GDPR, the Spanish and German authorities can directly fine Apple, without appealing to EU Data Protection Authorities under the GDPR.{{Cite web |date=16 November 2020 |title=noyb files complaints against Apple's tracking code 'IDFA' |url=https://noyb.eu/en/noyb-files-complaints-against-apples-tracking-code-idfa |publisher=NOYB}}

= Open letter on GDPR cooperation mechanism (2020) =

NOYB also focuses on putting pressure on regulators to enforce the privacy laws on the books. In an open letter,{{Cite web |title=Open Letter on "confidential" dealings in Facebook case |url=https://noyb.eu/en/open-letter |access-date=2020-06-08 |publisher=NOYB |language=en}} the NGO accused the Irish Data Protection Commission of acting too slowly and of having held 10 meetings with Facebook before the GDPR came into application.{{Cite web |last= |first= |date=2021-06-24 |title=NOYB Annual Report 2020 |url=https://noyb.eu/sites/default/files/2021-06/ANNUAL%20REPORT%202021_smallsize.pdf |url-status=live |archive-url=https://web.archive.org/web/20191228111507/https://www.politico.eu/article/we-have-a-huge-problem-european-regulator-despairs-over-lack-of-enforcement/ |archive-date=2019-12-28 |access-date=2022-02-01 |publisher=NOYB}}

= Schrems II – Court of Justice Judgment on Privacy Shield (2020) =

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Privacy Shield and decided that Facebook and other companies that fall under US surveillance laws cannot rely on "Standard Contractual Clauses" (SCCs), since US surveillance laws were found to conflict with EU fundamental rights. This judgement was based on a long-lasting case of Max Schrems and NOYB. The data of US companies' foreign customers are not protected from the U.S. intelligence services. The CJEU found that this violates the "essence" of certain EU fundamental rights.{{Cite web |date=2021-06-24 |title=NOYB Annual Report 2020 |url=https://noyb.eu/sites/default/files/2021-06/ANNUAL%20REPORT%202021_smallsize.pdf |access-date=2022-02-01 |publisher=NOYB}}

The Court has also clarified that EU data protection authorities (DPAs) have a duty to take action. The Court highlighted that a DPA is "required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence".{{Cite web|date=2020-07-16|title=JUDGMENT OF THE COURT (Grand Chamber)|url=https://curia.europa.eu/juris/document/document.jsf?docid=228677&doclang=EN|access-date=2022-02-01|website=CURIA}}

Despite the invalidations made by the judgment, absolutely "necessary" data flows can continue under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally, the law allows data flows for what is "necessary" to fulfil a contract.{{Cite web |date=2020-06-24 |title=CJEU Statement – First Statement |url=https://noyb.eu/en/cjeu |publisher=NOYB}}

= Mass complaints on EU–US data transfers (2020) =

After the Schrems II judgment, NOYB filed 101 complaints against EU/EEA companies that, as controllers, used Google Analytics or Facebook Connect and thereby transferred data to the US despite the Court's finding that US surveillance laws violate the essence of EU fundamental rights. The organization thereby wanted to point out the lack of enforcement of Schrems II.{{Cite web |date=2020-08-17 |title=101 Complaints on EU–US Transfers filed |url=https://noyb.eu/en/101-complaints-eu-us-transfers-filed |access-date=2022-02-01 |publisher=NOYB}}{{Cite news|date=2020-08-26|title=Max Schrems on the EU court ruling that could cut Facebook in two|work=TechCrunch|url=https://techcrunch.com/2020/08/25/max-schrems-on-the-eu-court-ruling-that-could-cut-facebook-in-two/?guccounter=1|access-date=2020-02-01}} These model complaints led to the creation of a special taskforce by the European Data Protection Board (EDPB), which is tasked with coordinating the complaints and preparing recommendations for controllers and processors.{{Cite web |date=2020-09-04 |title=European Data Protection Board – Thirty-seventh Plenary session |url=https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en |access-date=2022-02-01 |publisher=NOYB}} On January 12, 2022, the Austrian Data Protection Authority (DSB) reached a partial decision in favour of NOYB, stating that the continuous use of Google Analytics violates the GDPR.{{Cite web |date=2022-01-13 |title=Partial Decision of the Austrian DSB |url=https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_EN_bk.pdf |access-date=2022-02-01 |publisher=NOYB}} This decision affects most websites in the European Union since Google Analytics is the most common traffic analysis tool.{{Cite web|date=2019-02-27|title=Usage statistics of traffic analysis tools for websites|url=https://w3techs.com/technologies/overview/traffic_analysis|access-date=2022-02-01|website=W3Techs}}

= Google Advertising ID tracking (2021) =

On April 7, 2021, NOYB filed a complaint in France charging that Android users were being tracked by Google without having given consent.{{Cite news |last=Boland |first=Hannah |date=7 April 2021 |title=Google accused of tracking Android users without their consent |work=The Telegraph |url=https://www.telegraph.co.uk/technology/2021/04/07/google-accused-tracking-android-users-without-consent/ |access-date=9 April 2021}}{{Cite web |title=Complaint filed to the Data Protection Authority of France |url=https://noyb.eu/sites/default/files/2021-04/AAIDcomplaint_Redacted.pdf |access-date=2021-04-09 |publisher=NOYB}}

"Google's software creates the AAID without the user's knowledge or consent. The identification number functions like a license plate that uniquely identifies the phone of a user and can be shared among companies. After its creation, Google and third parties (e.g. applications providers and advertisers) can access the AAID to track users' behaviour, elaborate consumption preferences and provide personalised advertising. Such tracking is strictly regulated by the EU "Cookie Law" (Article 5(3) of the e-Privacy Directive) and requires the users' informed and unambiguous consent."{{Cite web |title=Buy a phone, get a tracker: unauthorized tracking code illegally installed on Android phones |url=https://noyb.eu/en/buy-phone-get-tracker-unauthorized-tracking-code-illegally-installed-android-phones |access-date=2021-04-09 |publisher=NOYB}}{{Cite news|date=2021-06-04|title=Max Schrems accuses Google of illegally tracking Android users|work=Financial Times|url=https://www.ft.com/content/4617cc99-3ed2-49e1-b97f-db4f1b45b5db|access-date=2022-02-01}}

= Facebook and DPC complaint (2021) =

NOYB filed a complaint against the Irish Data Protection Commissioner (DPC) for corruption and possible bribery in 2021 under Austrian law for an affair concerning Facebook.{{Cite web|title=Facebook's lead EU privacy watchdog accused of corruption|url=https://techcrunch.com/2021/11/22/facebooks-lead-eu-privacy-supervisor-hit-with-corruption-complaint/|access-date=2022-01-03|website=TechCrunch|date=23 November 2021 |language=en-US}}{{Cite web |title=Irish DPC removes noyb from GDPR procedure – Criminal report filed |url=https://noyb.eu/en/irish-dpc-removes-noyb-gdpr-procedure-criminal-report-filed |access-date=2022-01-03 |publisher=NOYB |language=en}}{{Cite web |title=First noyb "Advent Reading" from Facebook/DPC Documents |url=https://noyb.eu/en/first-noyb-advent-reading-facebookdpc-documents |access-date=2022-01-03 |publisher=NOYB |language=en}}

= Administrative fine for Grindr over illegal sharing of user data (2021) =

Together with the Norwegian Consumer Council, NOYB filed three strategic complaints against the dating app Grindr and several adtech companies over illegal sharing of users' data in January 2020. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr. Users could be identified through the data shared, and the recipients could potentially further share the data.{{Cite web |date=2020-01-14 |title=Three GDPR Complaints filed against Grindr, Twitter and the AdTech companies Smaato, OpenX, AdColony and AT&T's AppNexus |url=https://noyb.eu/en/three-gdpr-complaints-filed-against-grindr-twitter-and-adtech-companies-smaato-openx-adcolony-and |access-date=2022-02-01 |publisher=NOYB}} These complaints are based on the report "Out of Control" by the Norwegian Consumer Council.{{Cite web |date=2020-01-14 |title=Report: Out of control |url=https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/report-out-of-control/ |access-date=2022-02-01 |website=Forbrukerrådet}}

One year after the complaint was filed, the Norwegian Data Protection Authority upheld the complaint against Grindr, confirming that Grindr did not receive valid consent from users in an advance notification. The Authority imposed a fine of 100 million NOK (€9.63 million) on Grindr,{{cite web|title=The NO DPA imposes fine against Grindr LLC|periodical=|publisher=|url=https://www.datatilsynet.no/en/regulations-and-tools/regulations/avgjorelser-fra-datatilsynet/2021/gebyr-til-grindr/|format=|access-date=2022-02-24|last=|date=|year=|language=en|pages=|quote=}} which was then reduced to 65 million NOK (€6.5 million) in the final decision since Grindr's actual revenue was lower than previously assumed and the company undertook measures to remedy deficiencies in their previous consent management platform.{{Cite web|date=2021-12-13|title=Norwegian DPA imposes fine against Grindr LLC|url=https://edpb.europa.eu/news/national-news/2021/norwegian-dpa-imposes-fine-against-grindr-llc_en|access-date=2022-02-01|website=European Data Protection Board}}

= Austrian Court: Google Analytics illegal in Europe (2022) =

In early 2022, an Austrian court ruled that the use of Google Analytics on European websites was illegal. The case in question was filed in August 2020 by a Google user who had accessed an Austrian website about health-related issues. The website used Google Analytics, and data about the user was transmitted to Google. The Google user complained to the Austrian data protection authority alongside NOYB. The issue relates directly to Article 44 of the GDPR: the user cannot be afforded the level of protection established there, which makes the transfer a clear violation of the GDPR.

{{cite web |author=Hanna |title=Google Analytics declared illegal in the EU |date=19 January 2022 |work=Tutanota |location=Hanover, Germany |url=https://tutanota.com/blog/posts/google-analytics |access-date=2022-02-16}}

France's data watchdog CNIL concurred with the Austrian ruling in mid-February 2022.{{cite web | author = Mathieu Pollet | title = France joins Austria in finding Google Analytics illegal |date=2 February 2022| work = Euractiv | url = https://www.euractiv.com/section/data-protection/news/france-joins-austria-says-google-analytics-data-not-protected-in-us/ | access-date = 2022-02-16}} Schrems duly commented:

{{quote|This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5{{nbsp}}years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.}}

Furthermore, in mid-2022, the Austrian DPA also ruled that Google's anonymization was insufficient to protect user privacy, and that Article 44 of the GDPR does not allow for the risk-based approach that Google had argued for.

{{cite web |date=2022-05-02 |title=UPDATE on 101 complaints: Austrian DPA rejects "risk based approach" for data transfers to third countries |url=https://noyb.eu/sites/default/files/2022-04/Bescheid%20geschw%C3%A4rzt%20EN.pdf |access-date=2022-05-03 |publisher=NOYB}}

References

{{reflist}}