Max Schrems is the Austrian lawyer who famously filed a privacy complaint against Facebook in 2013. Arguably this complaint led to the EU’s decision to invalidate the Safe Harbor Agreement. And now he has a new privacy venture in mind…
My personal data is ‘None of Your Business’ (NYOB)
Schrems has recently announced plans for his latest venture in privacy protection. The proposal is to establish a not-for-profit organisation known as ‘None of Your Business’ (NOYB). The mandate of this organisation will be to assist consumers or data subjects in taking court action against organisations who have infringed privacy legislation when processing personal data during the course of their business.
How will they be able to do this
NYOB will be seeking to use a provision found in Article 80 of the General Data Protection Regulation (GDPR). Article 80 is entitled the “Representation of data subjects”. It gives data subjects the ‘right to mandate a not-for-profit body, organisation or which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.’
Data subject rights under the GDPR
The GDPR grants a raft of new rights to data subjects. Particularly relevant to NYOB are data subject’s specific rights under Articles 77,78,79 and 82:
- Article 77: right to lodge a complaint with a supervisory authority
- Article 78: right to an effective judicial remedy against a supervisory authority
- Article 79: right to an effective judicial remedy against a controller or processor
- Article 82: right to compensation and liability
How might this alter the current privacy landscape
The resources of data protection authorities are arguably going to be under considerable strain following the 25th May 2018 when GDPR becomes enforceable. The type of organisation Schrems is seeking to establish will be independent from government influence, and most likely seek to target organisations such as large tech firms, where court cases will generate publicity and shake up practice within the industry. We are also likely to see plans for start-ups of organisations similar to NYOB, as the date of the new data protection regulation approaches. Businesses should arm themselves appropriately by ensuring their policies, procedures and practices are appropriately documented and GDPR compliant.