NOYB
NOYB ("None of Your Business") is a Vienna-based, donation-funded non-governmental organization founded in 2017 by Austrian privacy activist and lawyer Max Schrems to enforce European data protection regulations, particularly the General Data Protection Regulation (GDPR) and ePrivacy Directive, through strategic collective complaints and litigation on behalf of individuals.[1][2] The organization, operational since 2018 with a team of over 20 legal and IT experts supported by more than 5,000 members, focuses on high-impact cases against large technology firms for practices such as unauthorized behavioral advertising, deficient cookie consent banners, and unlawful data transfers to third countries.[1] NOYB has filed over 880 GDPR complaints across European data protection authorities, resulting in 44 full wins, 171 partial wins, 62 compliance withdrawals, and contributing to nearly 40% of all GDPR fines imposed to date by highlighting systemic enforcement gaps where authorities resolve only 1.3% of cases with penalties.[3][4] Key achievements include forcing changes in tracking technologies, invalidating consent-or-pay models, and challenging transatlantic data adequacy decisions like Privacy Shield via landmark Court of Justice of the European Union rulings, though prolonged proceedings—often exceeding four years—and occasional dismissals of complaints as abusive underscore tensions with under-resourced regulators.[3][5]Founding and Background
Origins in Schrems' Early Advocacy
Maximilian Schrems, an Austrian lawyer born in 1987, began his privacy advocacy as a law student at the University of Vienna, where his interest in data protection intensified during a semester abroad at Santa Clara University School of Law in California around 2010.[6][7] Upon returning to Europe, Schrems, then approximately 24 years old, requested a copy of his personal data from Facebook after three years of usage, receiving a 1,222-page dossier that revealed extensive tracking and storage practices, including details on friendships, locations, and even deleted content.[8][9] This experience prompted him to publicly critique Facebook's compliance with European privacy standards, highlighting discrepancies between the company's policies and the EU Data Protection Directive (95/46/EC). In late 2011, Schrems filed 22 separate complaints with the Irish Data Protection Commissioner (DPC) against Facebook Ireland Limited, the company's European headquarters, alleging violations such as inadequate data security, unlawful transfers of EU user data to the United States under the Safe Harbor framework, and failure to inform users about processing purposes.[10][11][12] These complaints, grounded in empirical analysis of Facebook's data handling, marked the start of sustained legal pressure on big tech firms and drew attention to systemic gaps in cross-border data flows, particularly post the 2013 Snowden revelations exposing U.S. surveillance practices.[13] By 2013, Schrems formalized his efforts through the "Europe vs. Facebook" campaign, which mobilized public awareness and further complaints across EU member states, amassing evidence of non-compliance with directives on consent, profiling, and third-party sharing.[10][14] Schrems' early advocacy emphasized individual enforcement rights over reliance on regulatory bodies, often critiquing the Irish DPC's perceived leniency toward U.S.-based firms headquartered in Ireland for tax reasons.[15] In 2014, he escalated by coordinating 22 additional cross-jurisdictional complaints, testing the directive's adequacy for the digital age and foreshadowing GDPR's need for stronger tools.[10] This groundwork culminated in the 2015 Schrems I ruling by the Court of Justice of the European Union, which invalidated the Safe Harbor agreement for insufficient protection against U.S. government access, validating Schrems' claims through judicial review rather than accepting self-regulatory assurances.[12][16] His approach—leveraging access requests, complaint filings, and transparency demands—laid the causal foundation for NOYB's later mass-enforcement strategy, demonstrating that persistent, evidence-based individual actions could disrupt inadequate privacy regimes.Establishment as a Non-Profit (2017)
NOYB was formally established on June 12, 2017, as an Austrian Verein—a type of non-profit association under Austrian law—registered in Vienna with the aim of enforcing data protection rights through strategic litigation and complaints.[17][18] Founded by Austrian privacy activist and lawyer Max Schrems, the organization emerged from his prior individual campaigns against large tech firms, seeking to institutionalize collective enforcement efforts ahead of the General Data Protection Regulation (GDPR)'s enforcement phase in May 2018.[18][19] The initiative addressed perceived weaknesses in GDPR implementation, including under-resourced national data protection authorities and the need for individuals to file complaints to trigger enforcement, as associations like NOYB could not directly sue under the regulation at the time.[18] Schrems positioned NOYB as a "European Center for Digital Rights" to coordinate cross-border actions, targeting issues like invalid consent mechanisms and unlawful data transfers, with an initial focus on building a sustainable model through donations rather than reliance on fines or settlements.[18] The board included Schrems as chairman alongside data protection experts such as Christof Tschohl, emphasizing operational independence from corporate or governmental influence.[18] In November 2017, shortly after formal establishment, NOYB publicly launched a crowdfunding appeal to secure long-term funding commitments totaling at least €250,000 annually, raising approximately €60,000 in its first 24 hours to support staffing and case preparation.[20] This early financial push underscored the organization's strategy of relying on public and recurring donations to avoid conflicts of interest, with no acceptance of funds from tech companies or entities potentially subject to its complaints.[21] By design, NOYB remained dormant until early 2018 to align with GDPR's operational timeline, filing its inaugural complaints on May 25, 2018, against major platforms for consent violations.[17]Organizational Structure and Operations
Funding Model and Financials
NOYB operates as a non-profit organization funded primarily through individual donations, membership fees, and institutional grants, emphasizing independence from corporate or governmental influence to support its GDPR enforcement activities.[22] This model relies on recurring contributions from supporting members, who numbered approximately 5,200 in 2024, providing stable funding for ongoing operations.[23] Single donations and project-specific financing from foundations supplement this base, with annual reports detailing all inflows and outflows for transparency.[24] Membership fees constitute a core revenue stream, including both individual supporting members and institutional members such as the City of Vienna (€25,000 annually) and the Austrian Chamber of Labor (€20,000 annually).[23][25] In 2024, supporting member fees generated €489,032, while single donations added €568,857, reflecting broad public support for privacy advocacy.[23] Institutional project funding varies yearly, reaching €874,805 in 2023 from entities including the Open Society Foundations (€323,894) and Luminate (€350,174), which supported specific litigation efforts.[25] Sponsorships and other income, such as speaking fees, remain minor, totaling under €35,000 in recent years.[23] Financials show operational budgets scaling with case volume, with total income rising from €719,696 in 2022 to €1,484,722 in 2023 before stabilizing at €1,297,893 in 2024.[26][25][23] Expenses, dominated by personnel costs (70-80% of totals), fund a team of lawyers and support staff, alongside project-related outlays like court fees and external counsel.[23]| Year | Total Income (€) | Total Expenses (€) | Key Income Breakdown |
|---|---|---|---|
| 2022 | 719,696 | 949,513 | Memberships: 443,127; Project funding: 163,838[26] |
| 2023 | 1,484,722 | 1,109,488 | Project funding: 874,805; Memberships: 458,117; Donations: 79,352[25] |
| 2024 | 1,297,893 | 1,241,858 | Donations: 568,857; Memberships: 489,032; Project funding: 159,399[23] |
Key Personnel and Team
Max Schrems serves as the founder and honorary chairman of NOYB, an Austrian lawyer and privacy activist who established the organization in 2017 to enforce GDPR compliance through strategic litigation.[27] Schrems gained prominence for his legal challenges against transatlantic data transfers, including successful efforts that led the Court of Justice of the European Union to invalidate the EU-US Safe Harbor framework in 2015 and Privacy Shield in 2020 due to inadequate protections against government surveillance.[1] His role at NOYB involves setting strategic direction, particularly in high-profile complaints against tech giants for violations involving consent, tracking, and data exports.[27] The board of directors comprises Schrems alongside Christof Tschohl, a Vienna-based lawyer and data protection expert with prior involvement in Austrian challenges to EU data retention laws, and Dr. Petra Leupold, LL.M. (UCLA), a lawyer focused on consumer rights and managing director of the VKI-Academy, the research arm of the Austrian Consumer Association.[27] [28] All board members contribute pro bono, overseeing long-term goals, operations review, and election by NOYB's general assembly of expert and institutional members to maintain independence from corporate influence.[28] NOYB's operational team consists of a pan-European group of lawyers, developers, and specialists in privacy, consumer rights, and technology, handling complaint filings, research, and enforcement projects.[28] Key operational roles include Monika Riegler as operations director and Mickey Manakas as PR manager, supporting the organization's complaint-driven model with expertise in GDPR implementation gaps.[28] The team emphasizes practical enforcement over advocacy, drawing on members' legal backgrounds to initiate mass complaints and litigation across EU member states.[1]Mission and Strategic Approach
Emphasis on GDPR Enforcement Gaps
NOYB identifies key enforcement gaps in the GDPR, primarily stemming from inconsistent application by national data protection authorities (DPAs), which results in only 1.3% of investigated cases leading to fines across the EU.[4] This low rate, according to NOYB's analysis of DPA reports, reflects a broader "culture of non-compliance" where companies exploit weak oversight, with nearly 40% of total GDPR fines originating from NOYB-initiated complaints.[4] Max Schrems, NOYB's founder, has stated that national authorities have failed to foster an "enforcement culture," allowing aggressive firms to test boundaries without deterrent consequences five years after the GDPR's implementation on May 25, 2018.[29] A NOYB survey of 74 privacy professionals revealed that 74% observe "relevant violations" in most companies, yet 70% attribute persistent non-compliance to DPAs' reluctance to issue clear decisions or impose meaningful penalties.[30] These gaps are exacerbated by fragmented cross-border cooperation under the GDPR's one-stop-shop mechanism, where lead authorities often delay or dilute investigations, leading to procedural inefficiencies.[31] NOYB criticizes proposed reforms, such as the 2025 Procedure Regulation, for introducing longer deadlines and complex steps that could further hinder enforcement, potentially rendering the framework "unworkable" and violating EU Charter rights to effective remedies.[32][33] To address these deficiencies, NOYB employs strategic mass complaints to compel DPAs into action, arguing that without NGO pressure, individual rights under Articles 15–22 remain theoretical due to resource constraints and political influences favoring industry interests.[34] This approach underscores NOYB's view that the GDPR's substantive rules are robust but undermined by execution failures, as evidenced by their role in prompting over €2 billion in fines by highlighting systemic inaction.[4]Tactics: Individual and Mass Complaints
NOYB primarily enforces GDPR compliance through formal complaints lodged with national data protection authorities (DPAs) under Article 77, which permits data subjects or their representatives to report suspected violations. This approach leverages the GDPR's decentralized enforcement structure, where complaints trigger investigations that can lead to fines or corrective measures, bypassing direct litigation in many cases. NOYB coordinates complaints strategically, often assisting affected individuals or using staff and volunteers as data subjects to establish standing, focusing on violations that regulators have overlooked.[35] Individual complaints target specific, precedent-setting issues, typically filed by single data subjects to test legal boundaries or address unique non-compliance. For instance, in January 2019, NOYB filed eight strategic complaints against streaming services like Netflix and Amazon Prime for denying users' right to access under Article 15, revealing structural failures in providing complete data disclosures. Similarly, in November 2023, NOYB submitted an individual complaint against Meta in Austria over its "pay or okay" model, arguing it coerced consent for behavioral advertising in violation of Articles 6 and 7. These actions aim to clarify ambiguous GDPR provisions through DPA rulings or subsequent appeals, with NOYB selecting cases based on high-impact potential rather than volume.[36][37] Mass complaints, by contrast, address systemic violations affecting broad user bases, involving coordinated filings from numerous data subjects to pressure DPAs into coordinated action and amplify enforcement. NOYB scans websites or services for patterns, issues pre-filing warnings, and, if unresolved, mobilizes hundreds of complaints across multiple jurisdictions to prevent dismissal in lenient authorities. A prominent example is the 2020-2021 campaign post-Schrems II, where NOYB filed 101 complaints against EU companies transferring data to the US via invalid mechanisms like Privacy Shield, prompting the European Data Protection Board to form a task force for uniform handling. Cookie banner enforcement exemplifies this tactic: in August 2021, NOYB lodged 422 complaints across ten DPAs against "nerve-wrecking" designs lacking easy rejection options, resulting in 42% of targeted sites fixing violations pre-investigation; a 2022 follow-up added 226 complaints against non-compliant holdouts. This volume-driven strategy has drawn criticism from some DPAs, such as Belgium's in 2025, which dismissed complaints as "artificial" due to standardized templates and staff involvement, though it underscores NOYB's reliance on scale to overcome regulatory inertia.[35][38][39][40]Major Legal Actions
EU-US Data Transfer Challenges (2013-2020)
Max Schrems, founder of NOYB, initiated legal challenges against EU-US data transfer mechanisms following Edward Snowden's 2013 disclosures of US intelligence surveillance programs accessing European personal data.[41] In December 2013, Schrems filed a complaint with the Irish Data Protection Commissioner (DPC) against Facebook Ireland Ltd., alleging that data transfers to the US under the Safe Harbor framework violated EU privacy rights due to inadequate protections against US government access.[42] This action highlighted conflicts between EU data protection standards and US laws permitting bulk surveillance, such as Section 702 of the Foreign Intelligence Surveillance Act (FISA).[41] The Irish DPC referred the case to the CJEU, resulting in the October 6, 2015, Schrems I judgment (Case C-362/14), which invalidated the Safe Harbor decision for failing to ensure an adequate level of protection equivalent to EU standards.[43] In response, the EU and US adopted the Privacy Shield framework on July 12, 2016, as a replacement adequacy decision.[44] Schrems reformulated his complaint in 2015 to challenge Facebook's use of Standard Contractual Clauses (SCCs) for transfers, arguing they could not compensate for systemic deficiencies in US surveillance practices.[42] NOYB, established in 2017 with Schrems as chairman, supported ongoing litigation through advocacy and strategic complaints, emphasizing enforcement gaps in GDPR Article 46 for third-country transfers.[41] The case escalated to the CJEU as Schrems II (Case C-311/18), culminating in the July 16, 2020, ruling that invalidated Privacy Shield due to US laws enabling indiscriminate access to EU data without sufficient redress mechanisms for non-US persons, while upholding SCCs in principle but requiring case-by-case assessments and potential suspension if protections proved inadequate.[45] The judgment underscored that EU controllers must verify third-country safeguards, effectively halting many transatlantic flows reliant on the framework.[46] Immediately following Schrems II, NOYB filed 101 standardized complaints on August 17, 2020, across all 30 EU and EEA data protection authorities against European companies continuing to transfer visitor data to US-based Google and Facebook services without valid legal bases or supplementary measures.[47] These actions targeted websites embedding tracking tools like Google Analytics and Facebook Pixel, arguing post-invalidation transfers breached GDPR Articles 44-46 and exposed data to unchecked surveillance under Executive Order 12333 and FISA.[47] The complaints prompted the European Data Protection Board (EDPB) to form a task force in September 2020 for coordinated handling, marking NOYB's shift to mass enforcement to pressure compliance amid regulatory delays.[48]Consent Manipulation and Cookie Banners (2018-2022)
In 2018, NOYB initiated complaints against specific websites employing manipulative cookie banners that undermined GDPR's requirement for freely given, informed consent under Articles 4(11) and 6(1)(a). Early cases targeted entities like Webedia and Conde Nast for using pre-selected checkboxes and unclear opt-out mechanisms, which NOYB argued constituted invalid consent by defaulting users to tracking without granular choice.[49] These actions highlighted "dark patterns"—interface designs nudging users toward acceptance, such as prominent "Accept All" buttons contrasted against subdued "Reject" options—prevalent in over 90% of scanned banners, where empirical user studies showed only about 3% voluntarily opting for non-essential cookies.[49] By 2020, NOYB expanded scrutiny to "cookie paywalls," where sites conditioned access on either consenting to tracking or paying fees equivalent to 10-100 times the ad revenue from cookies, deeming this coercive and non-freely given under GDPR. Complaints against platforms like Booking.com (case C037-10038) challenged such models, resulting in partial wins where authorities mandated consent withdrawal options, though many cases remained pending or led to voluntary compliance and withdrawal.[50] NOYB's mass scanning tools revealed consent rates exceeding 99% under pay-or-consent schemes, attributing this to psychological manipulation rather than genuine preference.[49] The organization's strategy intensified in March 2021 with a Europe-wide scan identifying illegal banners, culminating in over 700 complaints filed across multiple data protection authorities (DPAs).[51] On May 31, 2021, NOYB issued more than 500 draft complaints to companies, the largest GDPR enforcement wave to date, targeting "cookie banner terror" via dark patterns like absent or hidden rejection buttons.[52] This prompted widespread site adjustments, with a follow-up scan showing increased "Reject All" visibility. Formal filings followed on August 10, 2021, with 422 complaints to ten DPAs against persistent violators using misleading designs.[38] In 2022, NOYB pursued hold-outs with a second wave in March, sending 270 draft complaints for non-compliant banners lacking easy consent revocation.[53] By August 9, 226 formal complaints reached 18 DPAs, focusing on deceptive practices like bundled consents for non-essential trackers, where companies ignored prior warnings.[54] These efforts yielded mixed outcomes by year's end: some DPAs, like Austria's DSB, ruled in NOYB's favor on manipulation (e.g., case C020), enforcing balanced choices, while delays in decisions persisted, reflecting enforcement gaps NOYB criticized as enabling ongoing violations.[55] Overall, the campaigns drove behavioral shifts, with reject buttons appearing on millions of sites, though NOYB noted incomplete fixes in paywall and tracking persistence issues.[51]Tracking and Advertising ID Cases (2019-2021)
In 2021, NOYB escalated its enforcement against mobile tracking technologies by targeting advertising identifiers embedded in operating systems and apps, which enable persistent user profiling across devices and services without explicit consent. These identifiers, including Google's Android Advertising ID (AAID) and Apple's Identifier for Advertisers (IDFA), serve as quasi-permanent "license plates" for devices, allowing providers and third parties to link online and app-based behaviors for targeted advertising.[56] NOYB argued that such tracking violates Article 5(3) of the ePrivacy Directive, which mandates prior opt-in consent for accessing or storing information on user terminals, and contravenes GDPR requirements for lawful processing of personal data.[56] A flagship case, filed on April 6, 2021, with the French data protection authority (CNIL), accused Google Ireland Limited of facilitating illegal tracking via the AAID, pre-installed on Android devices and accessible by apps for cross-service monitoring.[57] The complaint, supported by NOYB and affecting an estimated 306 million EU Android users, contended that Google's system bypasses consent by defaulting to tracking unless users manually reset or opt out the ID, while enabling data sharing with advertisers without verifying upstream consent.[58][59] Similar allegations targeted Apple's IDFA in a parallel complaint (C033), claiming iOS transmits the identifier to trackers absent valid user approval, with responsibility shifting improperly to app developers rather than platform providers.[56] NOYB extended these efforts through coordinated filings in multiple jurisdictions, including Austria's DSB and France's CNIL, against OS vendors like Microsoft and apps such as Pinterest, Bumble, MyFitnessPal, and Ubisoft for transmitting advertising IDs to third-party trackers without granular consent.[56] By mid-2021, the organization had initiated or supported at least 12 such complaints across DPAs in Austria, France, Spain, and Germany, focusing on the IDs' role in evading web-cookie consent rules and enabling unauthorized behavioral data aggregation.[56] These actions complemented broader tracking scrutiny but emphasized mobile-specific vectors, where IDs persist despite user privacy settings like App Tracking Transparency introduced by Apple in iOS 14.5.[56] During 2019–2021, investigations remained in early stages, with no fines issued by the period's end, though NOYB pressed for remedies including ID deletion, bans on non-consensual sharing, and DPA coordination to address the pan-EU scale of violations.[56] The complaints highlighted systemic gaps in enforcing consent for non-cookie trackers, arguing that platform defaults prioritize ad revenue over user autonomy, potentially affecting billions of data points annually.[58]AI Training and Emerging Tech Violations (2023-2025)
In 2023 and 2024, NOYB escalated its enforcement efforts against AI companies for GDPR violations related to data processing in model training, focusing on lack of transparency, consent, and accuracy in handling personal data. The organization argued that scraping and using EU users' data without explicit opt-in consent or the ability to exercise rights like rectification contravenes Articles 5, 6, 12-22, and 25 of the GDPR. These complaints targeted opaque training practices where personal data from public sources or user interactions was fed into large language models without verifiable lawful basis or safeguards against inaccuracies.[60][61] A prominent case involved OpenAI's ChatGPT. On April 29, 2024, NOYB filed a complaint with the Austrian Data Protection Authority (DPA) alleging violations of the right of access (Article 15) and data accuracy (Article 5(1)(d)), as ChatGPT generated false personal information about individuals—such as incorrect details on Max Schrems—and OpenAI admitted it could not reliably correct or delete such outputs due to the model's architecture.[62][63] The complaint highlighted OpenAI's inability to identify data sources or origins, preventing users from exercising GDPR rights effectively. In March 2025, NOYB submitted another complaint to the Norwegian DPA after ChatGPT hallucinated defamatory content, fabricating a scenario of a user as a child murderer, which NOYB claimed breached accuracy principles by design, as the model prioritizes fluency over verifiability.[64][65] NOYB also challenged social media platforms' AI initiatives. In June 2024, it lodged complaints with DPAs in 11 EU countries against Meta for using public posts and interactions from Facebook and Instagram users—estimated at hundreds of millions of EU profiles—for training its Llama models without prior notice or opt-in consent, relying instead on a contested "legitimate interest" basis invalidated by prior CJEU rulings like Schrems II.[60] Meta temporarily paused EU data training in response, but NOYB issued a cease-and-desist letter on May 14, 2025, demanding permanent halt to similar plans announced for May 27, 2025, arguing no valid legal basis existed post-CJEU jurisprudence.[66][67] Similarly, on August 12, 2024, NOYB filed nine additional GDPR complaints across Europe against X (formerly Twitter) for irreversibly feeding EU users' posts into its Grok AI starting May 2024, without informing users or obtaining consent, in violation of transparency (Article 13-14) and purpose limitation (Article 5(1)(b)) requirements.[68] Extending to other emerging applications, NOYB targeted AI-integrated services. On June 27, 2025, it complained to the Italian DPA about Bumble's Deception Detector feature, which processes user photos and messages via AI to detect catfishing, alleging unlawful processing under Articles 6 and 9 without explicit consent for sensitive biometric inferences or sufficient transparency on training data sources.[69] These actions underscored NOYB's position that AI training often exploits public data dumps without accountability, prompting DPA investigations but yielding limited fines by late 2025 due to enforcement delays.[4] Max Schrems emphasized that such practices treat EU data as a "free-for-all" resource, ignoring GDPR's risk-based assessments for high-risk processing like AI.[64]Data Transfers to Non-EU Countries (2021-2025)
Following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union (CJEU) in the Schrems II ruling on July 16, 2020, NOYB initiated 101 model complaints against entities transferring personal data to the United States without adequate safeguards, with enforcement proceedings extending into 2021-2025.[41] These complaints targeted major platforms reliant on standard contractual clauses (SCCs), arguing that US surveillance laws—such as Section 702 of the Foreign Intelligence Surveillance Act—enabled bulk access incompatible with GDPR requirements under Article 46, necessitating supplementary measures that complainants contended were insufficient or absent.[41] The European Data Protection Board (EDPB) established a task force in September 2020 to ensure consistent handling across EEA data protection authorities (DPAs), resulting in varied outcomes: some cases resolved in NOYB's favor (e.g., suspensions or fines), others pending for over five years as of 2025, with the Irish Data Protection Commission (DPC) facing judicial review in the Irish High Court for delays in addressing transfers by companies like Meta.[48][41] In response to the European Commission's adoption of the EU-US Data Privacy Framework (DPF) adequacy decision on July 10, 2023—intended as a successor mechanism with commitments to limit US intelligence access—NOYB announced plans to challenge it before the CJEU, criticizing the framework as substantively unchanged from prior invalidated arrangements and failing to resolve core conflicts between US law and EU data protection standards.[70] A prior statement in December 2022 had highlighted deficiencies in the draft, including inadequate limitations on executive-branch surveillance.[71] The DPF faced its first judicial test in the Latombe case, where the EU General Court dismissed a challenge by French MEP Philippe Latombe on September 3, 2025, upholding the framework's validity; NOYB responded by signaling potential further litigation, with founder Max Schrems indicating a "Schrems III" challenge could proceed within months if new evidence of US surveillance practices emerged.[72][73] Shifting focus to other non-EU destinations, NOYB escalated actions against transfers to China in 2025, filing six GDPR complaints on January 16 against TikTok (ByteDance), AliExpress (Alibaba), SHEIN, Temu (PDD Holdings), WeChat (Tencent), and Xiaomi, lodged with DPAs in Austria, Belgium, France, Germany, and Spain.[74] These complaints alleged unlawful exports of EU user data—such as behavioral profiles, purchase histories, and device information—via SCCs without effective supplementary protections, citing Chinese national security and intelligence laws (e.g., the 2017 National Intelligence Law) that mandate corporate cooperation with state access requests, rendering safeguards illusory as evidenced by Xiaomi's transparency reports documenting thousands of annual compliance instances.[74][75] NOYB requested immediate suspension of transfers under Article 58(2)(j) GDPR, full GDPR compliance, and fines up to 4% of global turnover (potentially exceeding €1.35 billion for Temu alone), arguing that China's authoritarian governance precludes adequacy akin to democratic jurisdictions.[74] As of late 2025, these cases remained under investigation, with NOYB advocating for DPA bans to preempt risks of data exploitation by Chinese authorities.[76] Throughout the period, NOYB's strategy emphasized empirical scrutiny of third-country laws over reliance on Commission adequacy findings, issuing guidance for EU entities to audit transfer tools and for users to withdraw consent where possible, while avoiding unsubstantiated claims of equivalence in jurisdictions lacking robust judicial redress.[41] No major NOYB-led complaints targeted transfers to Russia, India, or Brazil in this timeframe, though broader GDPR enforcement gaps in emerging markets were noted in their advocacy.[41]Impact and Outcomes
Resulting Fines and Policy Changes
NOYB's strategic complaints under the GDPR have resulted in fines exceeding €1.6 billion imposed by European data protection authorities (DPAs) as of September 2025, with nearly 40% of all GDPR fines attributable to their actions according to the organization's analysis.[77][4] These penalties primarily target violations in data transfers, consent mechanisms, and advertising practices, often stemming from coordinated mass filings that pressure DPAs to investigate systemic issues.| Company | Fine Amount | Date | Reason |
|---|---|---|---|
| Meta (Facebook) | €1.2 billion | December 2023 | Unlawful EU-US data transfers using standard contractual clauses post-Schrems II, with orders to suspend transfers and delete affected data.[78][79] |
| Meta (Facebook, Instagram, WhatsApp) | €395 million | January 2023 | Combining personal data across services for behavioral advertising without valid consent.[80] |
| €50 million | June 2019 | Lack of valid consent in privacy policies for Android users.[81] | |
| Criteo | €40 million | June 2023 | Inadequate consent and transparency in targeted advertising tracking.[82] |
| Grindr | €5.8 million | September 2023 | Sharing user data with advertisers without proper consent banners.[77] |
| Spotify | €5 million | June 2023 | Delays and incompleteness in responding to data access requests.[77] |
| Netflix | €4.75 million | December 2024 | Inadequate handling of data access requests.[77] |