“Is it Schrems-proof?” MEP Sophie In’t Veld asked her fellow lawmakers in the European Parliament earlier this year. By this time next year, businesses may be asking “is it NOYB-proof?"

The famous, maybe infamous, Max Schrems, responsible for bringing down the EU-U.S. Safe Harbor agreement, is launching his own non-governmental organization called NOYB — the common abbreviation “for none of your business.”

With the GDPR coming into force in May next year, the coast is clear for a host of lawsuits as citizens rights are consolidated. But getting those rights enforced under the current directive has always been seen as an uphill struggle, meaning that only dedicated activist groups generally mobilize to take on the task. 

Schrems aims to change that with his new organization.

“In practice many individual users are not willing to file legal actions against obvious privacy violations, because of (often rather trivial) costs if a case is lost. This leads to almost no litigation in privacy cases, even if costs are low,” Schrems told The Privacy Advisor.

Although some digital rights groups, notably EDRi in Europe and EPIC in the U.S., do take on privacy-related cases, they tend to focus on government-surveillance infractions. NOYB, however, will focus on commercial privacy violations. 

To date, NOYB has raised 55,316 euros; its goal is 500,000. Its largest donors include Stadt Wien, with a 25,000 euro donation, StartPage, which donated 20,000 euros, and EPIC, with a 5,000 donation. 

“We might have really good laws saying they protect our privacy in Europe – but in reality, if large parts of the tech industry don’t respect these, and there is no meaningful redress, do we really have enforceable rights?” asks Schrems.

He believes this state of affairs not only hurts consumers, but also those companies that do comply with the rules, because they are at an unfair disadvantage compared to companies who ride roughshod over the law, or only bother with compliance when it hurts their bottom line. Schrems said that, in the past, it has been almost more economically viable not to comply with the law. 

He hopes NOYB will stop that. 

Article 80 of the GDPR will allow NOYB to bring “group actions” or “collective complaints” to data protection authorities or the courts. It also allows Schrems to shop around for the most favorable jurisdiction. 

And finding the best jurisdiction will be important.

Schrems plans to fund collective actions through procedure-financing companies, which fund all costs of the procedure in exchange for a percentage of the recovered damages. It’s therefore crucial to select the most “promising or relevant cases on a European level with a high chance of winning.”

One problem that would-be complainants face in prosecuting privacy violations is that many cases only impact an individual on a micro level. The scale of the problem can only been seen when one takes into account how many thousands of people are affected. “In reality, private citizens are not set up organizationally or financially to bring these kind of cases,” said Schrems. 

But he does believe that people will be interested in contributing to the bigger picture. “With Europe v Facebook we did that. Actually we had an app, and initially I thought 'It’s going to be a couple thousand people after a year or so.' In reality, 25,000 people signed up after just six days. We had to shut it down because so many people were signing up. It took them 15 minutes on average, and around two-thirds dropped out halfway through the process, and yet we still have 25,000 people joining," he said.

Another big problem facing complainants is the “black box” nature of much of the software in digital products and IT systems. Schrems intends NOYB to work closely with universities, researchers, and hacker and digital rights organizations that are already researching, hacking and testing systems today. “Mystery shoppers” and whistleblowers could also help with information gathering, and an automated tool that would allow consumers to and share such information with the enforcement organization is planned.

So will he take on Facebook again?

“I think Facebook wasn't good from a PR perspective. But typically with Facebook, you get this argument that [using the service is] voluntary and you don't really have to use it— which I think is one of the most absurd arguments. You can’t have privacy responsibility shifting to a user who doesn't have any clue about the IT systems." 

He added, "Purely from a PR perspective, Facebook was probably not the best target.”

Although NOYB will be active primarily in the EU, Schrems hopes it will have a global impact. “The European Union is one of the largest markets in the world. Pretty much all big international companies have a headquarters in an EU member state, so all the major players are subject to EU law because it sees privacy and data protection as a human right, applicable to any person, anywhere. This means that enforcement in Europe can set standards that will affect the whole world.”

May 25th 2018? Not just d-day for the GDPR, but also the day businesses need to worry about being “NOYBed."

photo credit: chrisheidenreich Immer noch heiß geliebt.... via photopin (license)