Max Schrems files 101 complaints across 30 European countries to turbocharge GDPR’s impact – and he’s not the only one

Posted on Aug 19, 2020 by Glyn Moody

Last month, Privacy News Online discussed another major win for the privacy activist Max Schrems. The Court of Justice of the European Union (CJEU), the EU’s top court, agreed with Schrems that the Privacy Shield framework, one of the two main ways of sending personal data about EU citizens across the Atlantic, was invalid. The judges also ruled that the other main method of transferring data, standard contractual clauses (SCCs), could only be used where there was no risk that EU citizens’ personal data might be compromised once in the US.

Such judgments are important, but have little value if they are not enforced. To that end Schrems and his NOYB organization have announced that they have filed 101 GDPR complaints in 30 European countries, alleging that companies are not complying with the CJEU ruling:

A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) – despite both companies clearly falling under US surveillance laws, such as FISA. Neither Facebook nor Google seem to have a legal basis for the data transfers. Google stills claims to rely on the “Privacy Shield” a month after it was invalidated, while Facebook continues the to use the “SCCs”, despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.

The complaints are against Google, Facebook, and major Web sites in European countries that use Google Analytics or Facebook Connect to track visitors to their sites. These systems send data about EU citizens to Google and Facebook, which then forward data to the US, thus contravening the GDPR in the light of last month’s CJEU ruling.

As this blog pointed out back then, there is another important element of the CJEU judgment. The data protection authorities in EU countries now have a “duty to act”. That is, it is not optional whether they pursue companies that are violating the GDPR: the court says they must. That’s a crucial change from the present situation, where the authorities in some countries have decided to let things carry on despite evident GDPR infringements. In his latest legal action, Schrems has said that he will be putting pressure not just on companies, but also directly on the national data protection authorities that fail to act: “We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish [Data Protection Commission] that stays dormant.”

This is a major escalation of NOYB’s fight to protect the personal data of EU citizens, but it is not the only one. As this blog has noted a couple of times in the past, one of the most problematic aspects of today’s online world is the use of real-time bidding for ad space on Web sites. During the few milliseconds that it takes for a Web page to load, information about the person who will view the page and its ads is sent to multiple advertisers or their agents so that they can calculate how much to bid in the automated real-time auction for the ad space on that page. That personal information is sent to tens, possibly hundreds of companies, without explicit permission, something that the GDPR forbids.

Legal moves to stop personal data being shared in this way are increasing. For example, the human rights organization Liberties has filed complaints across Europe, asking national data protection offices to investigate real-time bidding. Not much has happened as a result, and now there’s a new campaign from The Privacy Collective, which “pursues and/or supports claims in selected jurisdictions for compensation arising out of the misuse of personal data on behalf of, and for the benefit of, the general public collectively (as a class) – referred to below as the ‘class’ of claimants.” The use of this kind of class action for a GDPR action is unusual, as is the way the complaints are funded:

All costs and expenses of the claims (including any court fees, lawyers and experts) will be funded by a litigation funder in return for a commission, which is based on a percentage of the compensation awarded in favour of the class of claimants. If the claim is successful, the litigation funder will be entitled to recover the costs and expenses funded by it and the commission, out of the damages awarded to the class. If the claim is unsuccessful, the litigation funder will bear all of the costs and expenses.

If successful, The Privacy Collective believes the compensation could be around 500 euros (about $600) per person. Anyone who has been the subject of tracking cookies and resident in the jurisdiction where the claims are being filed – essentially everyone who uses the Internet there – will be eligible to claim. The first two cases are being brought against Oracle and Salesforce, filed respectively in the UK and the Netherlands.

Although these two initiatives are very different, they have in common the use of the GDPR to bring claims that, if successful, will have important effects on Internet companies operating in the EU, and probably beyond. It’s interesting that these are actions by privacy activists, rather than the national data protection authorities. This reflects a growing frustration that in some countries, notably Ireland, official bodies have been reluctant to bring in appropriate fines for what seem obvious infringements of the GDPR on a massive scale.

Featured image by