How noyb is Challenging the Privacy Practices of US Tech Giants in Europe
A look at noyb's recent complaints against Meta, Microsoft, and OpenAI.
Max Schrems’ non-profit privacy group, noyb ( “none of your business”) is doing the work of a saint in Europe to hold BigTech accountable for dubious privacy practices.
Schrems became famous (in privacy expert circles that is) for successfully and singlehandedly imposing GDPR’s privacy standards on Facebook while he was still a young law student in Austria. In light of the Snowden revelations - that exposed how the US National Security Agency (NSA) could access all user data about foreigners through backdoor encryption on social media platforms - Schrems grew concerned with Facebook’s processing of his data. He acted on these concerns by filing a complaint to the Irish Data Protection Commissioner in 2013.
Schrems’ courtroom activism eventually changed not only Facebook’s privacy practices but how data was transferred from European companies to US cloud service providers and other US-based data processors. Not once, but twice through the court cases known as Schrems I and Schrems II, the legal basis for data transfers between the EU and the US was overturned by the Court of Justice of the European Union (CJEU), requiring EU companies to make tedious “Transfer Impact Assessment” (TIAs) for each instance of a personal data transfer to the US.
Now, the European Commission has made a new data transfer agreement with the US, the Data Privacy Framework. The new agreement is not much different from the previous data transfer frameworks - “the Safe Harbor” agreement and “Privacy Shield” - which were both invalidated by CJEU in Schrems I and Schrems II respectively. Data Privacy Framework does not change the extensive surveillance laws in the US and these laws remain fundamentally incompatible with the strong privacy protection granted to EU citizens by the GDPR.
The world of business and privacy is anxiously awaiting a pending Schrems III judgement and when it arrives, we will likely have to go through the same tedious exercise again of documenting, carefully risk assessing, and security optimizing each transfer of personal data to the US.
Noyb’s insistence on upholding the legal right to privacy is both annoying and impractical, specifically if you are a US tech company serving the EU market, or if you are a European company relying on US data processors. On the other hand, the stubborn insistence on maintaining privacy rights in the digital age is a worthy cause. In the long run, the work of noyb is supporting Europe’s process of seeking digital independence from the all-encompassing grips of US tech giants - companies with un-European views on privacy rights.
In this post, I will go through three of noyb’s most recent complaints against US tech companies:
Meta’s abuse of personal data for AI training – June 06, 2024 (link)
Microsoft’s violation of children’s privacy rights - June 04, 2024 (link)
ChatGPT’s wrong information about people – April 29, 2024 (link)
Meta’s abuse of personal data for AI training
Last Thursday, noyb announced that they had filed a complaint against Meta in eleven countries: Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland and Spain. These complaints take a stab at the very heart of the AI frenzy by questioning the legitimacy of training AI models with publicly available, personal data on the web.
Keep reading with a 7-day free trial
Subscribe to Futuristic Lawyer to keep reading this post and get 7 days of free access to the full post archives.