Max Schrems champions NGO to fight for GDPR rights

Privacy activist whose legal challenge of Facebook led to the scrapping of the Safe Harbour Agreement says crowdfunding a new type of non-government organisation is essential to deliver privacy rights

The General Data Protection Regulation (GDPR) is widely expected to spark privacy claims after its compliance deadline of 25 May 2018, but Austrian lawyer Max Schrems is doubtful.

Although the GDPR gives citizens of European Union member states unprecedented control over their privacy and new options to claim their privacy rights, few individuals have the knowledge or financial resources required to do so, either in court or through data protection authorities (DPAs), Schrems told Computer Weekly.

Another reason he thinks the GDPR on its own will fail to deliver better data privacy rights enforcement is that even though the GDPR gives new powers to the DPAs of EU member states, they will still lack resources, expertise and initiative to uncover and prosecute legal violations.

Schrems therefore believes that a new type of appropriately resourced non-government organisation (NGO) is key to fulfilling the GDPR’s promise of enhanced privacy rights, especially as the regulation allows collective enforcement by NGOs on behalf of individuals under article 80.

“In my experience, enforcing an individual claim is often much more expensive than what you get out of it,” said Schrems. “In the class action against Facebook, we claimed €500 in damages per person, but bringing an individual €500 claim in Austria would cost a couple of thousand.

“So there is no real way to enforce your rights individually. The only way to do that is to collectivise it through a rights organisation to get things done as we have in the past with consumer rights.”

Schrems and his partners believe that having a single NGO at an EU level with the necessary expertise, experience and connections is far more efficient and efficient than lots of individual ones.

“It makes sense to have a single EU hub to act as a co-ordinator to connect existing resources, ensure actions are effective and strategic, and ensure efforts and resources are not duplicated,” he said.

With the aim of making privacy and data protection a reality, Schrems set a target of reaching long-term commitments totalling at least €250,000 a year through crowdsourcing by 31 January 2018 to establish a non-profit NGO called NYOB (none of your business), which he plans to support as chairman of the board on a pro-bono basis.

Read more about the GDPR

Organisations that have made commitments to annual contributions include privacy-friendly Dutch search engine StartPage, US NGO Epic, and Mozilla.

“Individual supporters are people who are interested in privacy and feel that something should be done to ensure rights are enforced, while institutions tend to be motivated by political reasons and commercial organisations want to show their customers that they take privacy seriously,” said Schrems.

The aim is to get NYOB up and running by the GDPR compliance deadline that will bring consumer privacy cases to court to enforce European data protection laws, but the clock is ticking, with just over three weeks left to raise the €115,000 still needed to reach the target.

The target is the minimum level of annual contributions Schrems and his partners believe NYOB requires to deliver a meaningful service through a sustainably funded core team comprising a lawyer, a technician, and someone in an office.

Ideally, Schrems would like to see funding commitments rise to €500,000 a year to double the number of lawyers and technicians. In addition to the crowdfunding project, NYOB is seeking one-off donations, institutional funding for projects, donations in kind, and IT law volunteers.

“Our primary aim is to get the core team funded, and then to add project funding on to that, which we expect to be a little easier,” said Schrems.

Project could be at risk

Despite a steady stream of commitments since the crowdsourcing project was launched in November 2017, the project could be at risk if there is not an uptick in the pace before the end of this month.

According to Schrems, the proper enforcement of the fundamental rights to privacy and data protection will benefit EU citizens and consumers, existing NGOs and enforcement initiatives, DPAs and industry.

EU citizens and consumers will be the main beneficiaries because their rights are regularly violated by big companies. “We do a lot of talking about privacy rights, but in reality there is very little enforcement of those rights or cases taken to court,” said Schrems.

Existing European and international NGOs in the policy and advocacy field may benefit from solid cases, uncovering violations and generating results under the current law, while existing enforcement initiatives could benefit from a reliable European hub, as well as financial, legal and strategic support.

DPAs could benefit from well-researched complaints by NOYB, which limit the workload and may lead to quicker enforcement actions, additional enforcement pressure, as well as information gathering and sharing.

Many companies currently perceive an imbalance between companies that respect the law and others that gain competitive advantages by violating it, so many traditional competitors could benefit indirectly from limiting unfair competition. According to Schrems, privacy-friendly alternatives could equally benefit from uncovering violations by current actors, enforcement against them and the promotion of alternatives.

Assuming NYOB achieves its crowdsourcing target and is up and running by 25 May 2018, Schrems said the aim will not be to go after every violation of the GDPR, but instead look at companies that deliberately do not follow the law because they believe they can gain a competitive advantage that way.

“It is important for NYOB not to be anti-business or anti-tech, but rather to ensure we can use all the technology without worry that some companies are not following the law,” he said. “As far as possible, we would also like help businesses do what they need to do, but without violating any privacy rights.”

Read more on Privacy and data protection