NOYB is perhaps one of the best-known non-profit privacy organizations in the world, if not the best known. In August 2022, I met Romain Robert from NOYB together with a lot of people from the community. During the conversation, Romain shared information about the organization, and in this article I have summarized some of the key takeaways.
During the session, Romain Robert talked about NOYB. Here are some facts about the organization:
According to Romain, NOYB is filling the gap between the GDPR and the practice of the law. NOYB isn’t seeing much enforcement in the GDPR area, and that is what they are trying to change.
NOYB normally focuses on two types of cases:
As many know, NOYB filed 101 complaints against Google Analytics and Facebook Connect.
They decided to challenge the basic transfer of personal data that happens every day on the internet. They did that by looking at Google Analytics and Facebook Connect, because personal data was tracked by these services.
The 101 complaints were filed with the data protection authorities (“DPAs”) around the EU against the websites (i.e. the data controllers) using Google Analytics and Facebook Connect.
They filed complaints in 30 European states (27 EU member states + 3) and so far they have received decisions or outcomes from the Austrian DPA, the Italian DPA, and the French CNIL.
So the complaints were filed with every single DPA in the EU related to Google Analytics and Facebook Connect:
During the talk with Romain, I never found out if it was 51 complaints against Facebook Connect or Google Analytics, but they did file 101 complaints, and for that reason NOYB calls the 101 complaints “the Dalmatian complaints”.
Due to the one-stop-shop principle in the GDPR, the EDPB (the European Data Protection Board) decided to establish a task force to look into the Google Analytics and Facebook Connect complaints. They wanted to aim for a common decision and standpoint on these complaints.
After 6 months, NOYB got the first decision from the Austrian DPA regarding Google Analytics. The decision is from January 2022 and found that Google Analytics was in violation of the GDPR.
Then came a position from the CNIL regarding Google Analytics. Another decision was afterwards issued by the Austrian DPA regarding Google Analytics, and in July 2022 a decision was issued by the Italian DPA.
The Luxembourg DPA also sent a response to a complaint, noting that the website had stopped using Google Analytics and that they therefore didn't do anything further.
According to Romain, NOYB has seen around 12 outcomes (out of the 101 complaints) so they are waiting for 90 outcomes. Romain expects more to come soon with a similar outcome, i.e. that Google Analytics is illegal to use due to GDPR issues.
They haven't heard anything about Facebook Connect. However, they expect that it is being handled by the EDPB task force.
When Romain was asked by the audience about the next enforcement area, Romain couldn't share a lot of information. However, Romain did mention that NOYB will be focusing on the following two upcoming areas:
1. SDKs and apps
2. Collective redress
Area 1: They want to go after SDKs and apps and file mass complaints like they did with cookies. The reason is that SDKs and apps track as much personal data as websites, if not more.
Area 2: They want to start a collective action, meaning group proceedings, and they have joined forces with the organization Privacy First in the Netherlands and established a foundation there.
According to Romain, we will not see a widespread ban against Google in the EU. NOYB didn't file complaints against Google. They filed complaints against the websites using Google Analytics. However, this doesn't mean that it is legal, but according to Romain the DPAs can’t impose a widespread ban across the EU.