The Austrian lawyer whose lawsuit toppled the infamous safe harbour data sharing agreement with the United States has set up an NGO focused on bringing more privacy cases to court.
After his own victory in a 2015 European Court of Justice (ECJ) case over data transfers to the US, Max Schrems wants to start overseeing other consumers’ complaints in time for May 2018 – when the sweeping new EU data protection regulation comes into effect.
Schrems said he will collect complaints from consumers, but he also wants to build cases himself based on the new privacy requirements that will apply across the 28-country bloc starting next year.
“If you have an objective politically, you can build a case backwards,” he told EURACTIV.com at a Brussels launch event for the NGO on Tuesday (28 November).
Schrems said his political objective is “privacy in general and enforcing it”.
The NGO is called NOYB, an acronym that stands for ‘none of your business’, and is based in Vienna. The city government already gave NOYB a grant of €25,000, and Schrems described the Austrian capital as a fitting location for the NGO.
“We don’t have data dealers or people who make money from personal data in Austria,” he said, comparing the country to other EU member states that host tech firms with business models crafted around analysing their users’ data.
His original complaint that brought down the EU-US safe harbour agreement landed in front of the ECJ after an Irish judge referred a lawsuit there that Schrems had filed against Facebook, which has its European headquarters in Ireland.
Since then, Schrems has stayed at the centre of more legal battles over privacy: he submitted another complaint against Facebook’s use of EU rules known as standard contractual clauses to transfer data to the US. An Irish court referred that case to the ECJ in October.
Now, he is already eyeing cases against other big tech firms for NYOB to take on.
Schrems suggested the NGO could “go after Apple and say, ‘There’s no consent here,’” referring to lengthy terms and conditions that consumers must agree to before purchasing certain products.
Privacy advocates said that NOYB could force companies to take the EU’s new data protection rules seriously if they fear lawsuits and hefty penalty fees. Sanctions can reach up to €20 million or 4% of a firm’s global revenue under the regulation.
“We all know that one of the biggest problems with data protection today is that it is very often not respected and not enforced,” said Jan Philipp Albrecht, the German Green MEP who led negotiations on the data protection regulation.
NOYB is set to start its legal work right when the data protection regulation will expand possibilities for consumers to take companies to court.
One measure in the new law makes it possible for an NGO to represent a group of people with privacy complaints, and to seek out a jurisdiction in the EU that might be favourable to the case.
Schrems said collecting complaints from consumers can lower their legal costs.
Even though he became well-known for his legal fight against government surveillance – the 2015 ECJ case stopped the safe harbour agreement on grounds that it could not protect EU citizens’ data from US surveillance – NOYB will focus on consumer rights.
Several other organisations already oversee court cases against government surveillance. But legal help with consumer complaints make up a “more obvious gap for the average guy”, Schrems said.
His own role in NOYB will be managerial. “I don’t want to be in courts for the rest of my life. The idea is to go towards being a board member overseeing things,” Schrems said.
To do that, he wants to staff the NGO with lawyers from different EU countries who will work from its Vienna office.
So far, NOYB received a total of around €50,000 in donations from the American privacy organisation EPIC, StartPage, a Netherlands-based firm that bills itself as “the world’s most private search engine”, and the city of Vienna.
Schrems hopes to raise €500,000 through an online crowdfunding campaign that he recently set up.
He acknowledged that the funding goal is ambitious for NOYB’s May 2018 start. But he wants to be ready when the new EU privacy rules start to apply.
“Instead of investing ten years into building an NGO, the idea is: GDPR [EU data protection regulation] is coming around next year. It’s a very clear target,” Schrems said.