Five years after Europe enacted sweeping data protection legislation, prominent online privacy activist Max Schrems says he still has a lot of work to do as tech giants keep dodging the rules.
The 35-year-old Austrian lawyer and his Vienna-based privacy campaign group NOYB (None Of Your Business) are currently handling no fewer than 800 complaints in various jurisdictions on behalf of internet users.
"For an average citizen, it's almost impossible right now to enforce your rights", Schrems told AFP.
"For us as an organisation, it's already a lot of work to do that" given the system's complexity due to the regulators' varying requirements, he added.
The 2018 General Data Protection Regulation (GDPR) imposes strict rules on how companies can use and store personal data, with the threat of huge fines for firms breaching them.
While hundreds of millions of euros in fines have been imposed following complaints filed by NOYB, Schrems said the GDPR is hardly ever enforced.
And that's a "big problem", he added.
He said the disregard for fundamental rights such as data privacy is almost comparable to "a dictatorship".
"The difference between reality and the law is just momentous," Schrems added.
'Annoying' cookies
Instead of tackling the problems raised by the GDPR, companies resort to "window dressing" while framing the rules as an "annoying law" full of "crazy cookie banners", according to Schrems.
Under the regulation, companies have been obliged to seek user consent to install "cookies" enabling browsers to save information about a user's online habits to serve up highly targeted ads.
Industry data suggests only 3% of internet users actually approve of cookies, but more than 90% are pressured to consent due to a "deceptive design" which mostly features "accept" buttons.
Stymied by the absence of a simple "yes or no" option and overwhelmed by a deluge of pop-ups, users get so fed up that they simply give up, Schrems said.
Contrary to the law's intent, the burden is being "shifted to the individual consumer, who should figure it out".
Even though society now realises the importance of the right to have private information forgotten or removed from the internet, real control over personal data is still far off, the activist said.
But NOYB has been helping those who want to take back control by launching privacy rights campaigns that led companies to adopt "reject" buttons.
Shift of business model
Regulators have imposed big penalties on companies that violated GDPR rules: Facebook owner Meta, whose European headquarters are in Dublin, was hit with fines totalling €390 million in January.
One reason tech giants like Google or Meta, as well as smaller companies, choose not to play by the GDPR rules is that circumventing them pays off, Schrems said.
Thriving on the use of private data, tech behemoths make "10 to 20 times more money by violating the law, even if they get slapped with the maximum fine", he added.
Contacted by AFP, both companies said they were working hard to make sure their practices complied with the regulations.
Schrems also accuses national regulators of either being indifferent or lacking the resources to seriously investigate complaints.
"It's a race to the bottom," Schrems said. "Each country has its own way of not getting anything done".
Buoyed by his past legal victories, Schrems looks to what he calls the "bold" EU Court of Justice to bring about change as it "usually is a beacon of hope in all of this".
Meanwhile, the European Commission is considering a procedures regulation to underpin and clarify the GDPR.
In the long run, however, the situation will only improve once large companies "fundamentally shift their business models".
But that would require companies to stop being "as crazy profitable as they are right now," Schrems said.