Perhaps one of the greatest misconceptions surrounding Max Schrems, the man who took down Safe Harbor, is that he’s some kind of passionate privacy advocate who’s found his life’s calling.
“I don’t know what I’ll do in the long run,” he opines, on the phone to the IAPP offices from his home in Austria. “As soon as I understand something, then I’m getting bored with it and I need something else after a while. Privacy is something where, as a subject matter, that peak is already gone. Peak interest was probably five years ago. But, then, you have to continue the cases.”
Privacy “is very important,” he makes clear. “But you can push that agenda being on the board and doing talks every once in a while. It doesn’t have to be manning every phone yourself anymore.”
The “board” he refers to is that of NOYB, the new non-profit organization Schrems has created. Or, well, may create.
While many have reported on the new venture — which aims to help Europeans understand and utilize their privacy rights under the EU General Data Protection Regulation — as something of a fait accompli, there is a significant caveat in the organization’s founding concept: “If the target of €250,000 is not reached within the relevant timeframe, the NGO will not come into existence.”
That’s right. If, by the end of January the organization doesn’t reach its funding mark, the whole thing shuts down and Schrems walks off into the sunset.
Well, after we see what happens with Schrems 2.0 and model clauses. You have to continue the cases.
“My approach to that,” he reasons, “is that if we don’t have a nucleus of having two to three paid people, it doesn’t make sense to start it at all. There are so many NGOs around that can’t afford to pay their people, so they leave after a year, and they work 60 hours a week, and they get burned out, and all of that is probably okay if you do policy work or work as an activist, but if you want to win in court against big corporations, that’s probably not the way to go.
As of this writing, on Dec. 20, NOYB sits at 39 percent of Schrems’ goal of raising 250,000 euros. NOYB just crested 100,000 euros.
“If we can’t even finance this core team,” he says, “we’d rather just not do it at all, rather than sit around in a basement with half a volunteer. Two-hundred-fifty-thousand euro is not a lot of money, so if we can’t make that, then, okay, someone else should do it.”
On Dec. 17, NOYB reached 500 members, people who have committed to an annual pledge of at least some money. As of this writing, on Dec. 20, NOYB sits at 39 percent of Schrems’ goal of raising 250,000 euros. NOYB just crested 100,000 euros. One of the issues, Schrems notes, is that he’s looking for members, for annual contributions, not simply one-off gifts. He knows the fundraising would be easier without the “member” component, but he feels the ongoing commitment is important to show potential staff there’s a future for the organization.
“In the long run, we’re not going to enforce privacy with students working for free,” he says. “That’s not a long-term solution. That’s fun for me, but in the long run we need something from the consumer rights organizations. That’s for me the idea, to put my knowledge and networks into NOYB. But only be there on the board in a volunteer position.”
He notes, specifically, that none of the donations will be coming his way. He doesn’t intend to take a salary from NOYB. It’s easier, he says, to ask for money that will pay other people’s rents. And he thinks there’s a lot of untapped donations out there. He may be right. NOYB has a Facebook page with 7,500 likes already. The Twitter account has more than 1,600 followers.
And he’s had a couple of bigger hits: 25,000 euros from Viennese start-up funder Stadt Wien, 20,000 from privacy-emphasizing search engine StartPage, and 5,000 from U.S. non-profit advocacy organization EPIC.
Schrems thinks he needs at least 100,000 euros from individual donors to make a real go of it. One-off contributions from large donors are harder to replicate in the long run.
Once NOYB is off the ground, though, Schrems thinks the model is sustainable. As an early entrant into a brand-new field of organizations that might represent consumer interests under the GDPR’s Article 80 provisions, he expects to take relatively small percentages of large judgments for Europe’s version of “class actions,” along with settlements from organizations that don’t want to test the court system.
Although settlements should be less common in the EU than in the U.S. That’s because the EU doesn’t have a mechanism where, if a company settles, anyone with a claim gets just that one bite at the apple. In the EU, each member of the class would have to individually assign rights to NOYB. If a company settled, it would open itself up to yet another group of people assigning rights and trying the case again.
“On the EU level,” he says, “we all talk about the penalties [in the GDPR], but we don’t talk about other enforcement options. We want to start NOYB now because there’s a window of opportunity to figure this out, and to have an NGO do this and not just lawyers who want to make a shitload of money.”
Does 500,000,000 euros get people’s attention the way “4 percent of global turnover” does?
Schrems wonders how the GDPR’s new mechanism will interact with different member state law on damages and collective action, but that’s part of what’s interesting to him. Which jurisdiction would allow for the most in damages? Could he get a large portion of those affected by a data breach to all assign rights, leaving NOYB to represent, say, 500,000 people, who each get even just 1,000 euros in damages?
Does 500,000,000 euros get people’s attention the way “4 percent of global turnover” does?
He notes an Austrian just won 750 euros in damages for the emotional harm of a company having incorrect information about him in a database. What if the information was wrong about thousands of people? Where it used to be difficult to quickly round up such folks and have them assign rights via pen and paper, the internet opens up massive new opportunities, like the class action Schrems has organized against Facebook in Austria. All it takes is a decently built web site or app and the individual rights can be collected quickly and easily.
“It would be interesting to combine Article 80 with emotional damages,” Schrems says. “We hear about a breach, and word goes out that if you’re subject to that data breach we’ll represent you in court. And then, independent of national class action laws, you could mass represent 20 or 30 thousand people. We saw it blow through the roof with Facebook, even though that was much more complicated than it would have been with an NGO [like NOYB].”
“It used to be very complicated,” he says, “but now it’s a couple of clicks.”
But who will he go after? He can’t attack every breach or bad actor.
“The idea for us is focusing on obvious, willful violations of the law,” he says. “Where people calculated that it’s easier to violate the law than not.”
He thinks many companies will encourage him. Those who’ve made the investment in privacy and data protection would like it to be a marketing help, a differentiator in the market, Schrems argues. Therefore, it’s in their interest to see those who aren’t spending money on compliance suffer for it.
So, really just those with a total disregard for the law? Schrems laughs.
“With the Irish DPC, I might have a different definition of what total disregard for the law is, but the basic idea is right,” he says. “Right now there’s so much disregard of the law out there. There’s so much low-hanging fruit there’s no reason to go for the top of the tree. Even from a purely strategic point of view, it’s obvious that you should go after the people who totally ignore it. There’s got to be so much fundamental disregard that we won’t even get into the area of anyone who has a privacy officer.”
In fact, Schrems thinks he’s the privacy professional’s best friend, going forward. “This should boost their function in the company,” he reasons, “because there’s a consequence. If you’re in charge of fire protection, and no one really asks about whether the fire hydrant is in the right place, then it’s just harder to do your job.
Really? Not very many organizations have more privacy officers than Facebook, Google, Microsoft, and many others who’ve been the targets of Schrems and EU regulators.
“I take that back,” he says. “There are certainly companies with privacy officers not doing their job.”
In fact, Schrems thinks he’s the privacy professional’s best friend, going forward. “This should boost their function in the company,” he reasons, “because there’s a consequence. If you’re in charge of fire protection, and no one really asks about whether the fire hydrant is in the right place, then it’s just harder to do your job. There are things we’ll disagree about, but I think fundamentally that the more the topic is pushed, the more important it gets. Even if you’re on different sides of the bubble, raising the bubble up higher makes everyone on the bubble more important.”
Schrems also thinks privacy pros will benefit from the litigation NOYB engages in, as it will help bring legal certainty to many parts of the GDPR that are open to interpretation.
“One thing we’ll really want to stress,” he says, “and it’s a American approach, is thinking about which cases to bring in which courts in which situation and to really craft cases and pick up cases that are relevant and will have a big impact for a lot of people and clarify certain issues where we don’t really know what they really mean.”
“It’s not going to be just plugging at anyone that’s around,” he emphasizes, “but thinking about which cases matter. … We’ll have to pick up stuff that will push the bar in a pro privacy way, but it’s also good to just generate legal certainty.”
Some companies might hope they’re not made an example of. Some might agree it’s good to let an NGO do the dirty work of sharpening the GDPR’s edges. Some might hope Schrems just goes away.
Well, if he doesn’t get the 250,000 euros, that just might happen.
Photo courtesy of NOYB fundraising video.
If you want to comment on this post, you need to login.