Tag: noyb

noyb filed complaints against the cookie paywalls of seven major news websites in Austria and Germany

25. August 2021

Privacy Activist Max Schrems’ data protection organization noyb (an acronym for “none of your business”) announced on August 13th, 2021, they filed complaints against the cookie paywalls of seven major German and Austrian news websites. In the statement, they question whether consent can be “voluntarily” given if you have to pay to keep your data.

An increasing amount of websites asks their users to either agree to data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or take out a subscription (for up to € 80 per year). Can consent be considered “freely given” if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?

With these paywalls, the user must decide whether to agree to the use of his or her own data for advertising purposes or to enter into a paid subscription with the respective publisher. However, personal data may only be processed if there is a legal basis for doing so. Such a legal basis may arise, for example, from Article 6 (1) (a) of the GDPR, if the data subject has given his or her consent to this processing. Such consent must be “freely given”. According to Rectical 42, sentence 5, “consent is not regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” noyb is of the opinion that the paywall solution lacks the necessary voluntariness for consent and thus also lacks a legal basis according to Art. 6 (1) a) DSGVO.

Art. 7 (4) GDPR demands, “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

In contrast, in a decision on November 30th, 2018, the Austrian data protection authority did not see a violation of the GDPR in a paywall system, as the data subject receives a recognizable benefit, and expressed that the decision was thus voluntary after all.

Accordingly, users’ personal data could be considered a “means of payment” with which they pay for a paid subscription instead of a monetary benefit. Consent to data processing would thus be necessary for fulfillment, as it represents the quid pro quo the data subject, in other words, the purchase price. How the responsible data protection authorities will ultimately decide remains to be seen.

These complaints by noyb represent the organization’s second major campaign this month. On August 10, they have already filed 422 formal complaints with 10 European regulators based on inadequate cookie banners.

Privacy Activist Schrems unleashes 101 Complaints

21. September 2020

Lawyer and privacy activist Maximilian Schrems has become known for his legal actions leading to the invalidation of “Safe Harbor” in 2015 and of the “EU-U.S. Privacy Shield” this year (we reported). Following the landmark court decision on the “EU-U.S. Privacy Shield”, Schrems recently announced on the website of his NGO “noyb” (non-of-your-business) that he has filed 101 complaints against 101 European companies in 30 different EU and EEA countries with the responsible Data Protection Authorities. Schrems exercised the right to lodge a complaint with the supervisory authority that every data subject has if he or she considers that the processing of personal data relating to him or her infringes the Regulation, pursuant to Art. 77 GDPR.

The complaints concern the companies’ continued use of Google Analytics and Facebook Connect that transfer personal data about each website visitor (at least IP-address and Cookie data) to Google and Facebook which reside in the United States and fall under U.S. surveillance laws, such as FISA 702. Schrems also published a list of the 101 companies which include Sky Deutschland, the University of Luxembourg and the Cyprus Football Association. With his symbolic action against 101 companies, Schrems wanted to point to the widespread inactivity among many companies that still do not take the data protection rights of individuals seriously despite the recent ruling by the Court of Justice of the European Union.

In response, the European Data Protection Board (“EDPB”) has set up a “task force” to handle complaints against European companies using Google Analytics and Facebook services. The taskforce shall analyse the matter and ensure a close cooperation among the members of the Board which consists of all European supervisory authorities as well as the European Data Protection Supervisor.