A month after Europe’s top court struck down a flagship data transfer arrangement between the EU and the US as unsafe, European privacy campaign group noyb has filed complaints against 101 websites with regional operators which it has identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations.
Among the entities listed in its complaint are ecommerce companies, publishers & broadcasters, telcos & ISPs, banks and universities — including Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, Takeaway.com and Tele2, to name a few.
“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) — despite both companies clearly falling under US surveillance laws, such as FISA 702,” the campaign group writes on its website.
“Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield’ a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”
We’ve reached out to Facebook and Google with questions about their legal bases for such transfers — and will update this report with any response.
Privacy watchers will know that noyb’s founder, Max Schrems, was responsible for the original legal challenge that took down an anterior EU-US data arrangement, Safe Harbor, all the way back in 2015. His updated complaint ended up taking down the EU-US Privacy Shield last month — although he’d actually targeted Facebook’s use of a separate data transfer mechanism (SCCs), urging its data supervisor, Ireland’s DPC, to step in and suspend its use of that tool.
The regulator chose to go to court instead, raising wider concerns about the legality of EU-US data transfer arrangements — which resulted in the CJEU concluding that the Commission should not have granted the US a so-called ‘adequacy agreement’, thus pulling the rug out from under Privacy Shield.
The decision means the US is now what’s considered a ‘third country’ in data protection terms, with no special arrangement to enable it to process EU users’ information.
More than that, the court’s ruling also made it clear EU data watchdogs have a responsibility to intervene where they suspect there are risks to EU people’s data if it’s being transferred to a third country via SCCs.
European data watchdogs swiftly warned there would be no grace period for entities still illegally relying on Privacy Shield — so anyone listed in the above complaint that’s still referencing the defunct mechanism in their privacy policy won’t even have a proverbial figleaf to hide their legal blushes.
noyb’s contention with this latest clutch of complaints is that none of the aforementioned 101 websites has a valid legal basis to keep transferring visitor data to the US via the embedded Google Analytics and/or Facebook Connect integrations.
“We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” said Schrems, honorary chair of noyb.eu, in a statement.
Since the CJEU’s Schrems II ruling, and indeed since the Safe Harbor strike down, the US Department of Commerce and European Commission have stuck their heads in the sand — signalling they intend to try cobbling together another data pact to replace the defunct Privacy Shield (which replaced the blasted-to-smithereens (un)Safe Harbor. So, er… ).
Yet without root-and-branch reform of US surveillance law, any third pop by respective lawmakers at papering over the legal schism of US national security priorities vs EU privacy rights is just as surely doomed to fail.
The more cynical among you might say the high level administrative manoeuvers around this issue are, really, simply intended to buy more time — for the data to keep flowing and ‘business as usual’ to continue.
But there’s now substantial legal risk attached to a strategy of trying to pretend US surveillance law doesn’t exist.
Here’s Schrems again, on last month’s CJEU ruling, suggesting that Facebook and Google could be in the frame for legal liability if they don’t proactively warn EU customers of their data responsibilities: “The Court was explicit that you simply cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this isn’t done, then these US companies are actually liable for any financial damage caused.”
And as noyb’s press release notes, GDPR’s penalties regime can scale as high as 4% of the worldwide turnover of the EU sender and the US recipient of personal data. So, again, hello Facebook, hello Google…
The crowdfunded campaign group has pledged to continue dialling up the pressure on EU regulators to act and on EU data processors to review any US data transfer arrangements — and “adapt to the clear ruling by the EU’s supreme court”, as it puts it.
Other types of legal action are also starting to draw on Europe’s General Data Protection Regulation (GDPR) framework — and, importantly, attract funding — such as two class action style suits filed against Oracle and Salesforce’s use of tracking cookies earlier this month. (As we said when GDPR came into force back in 2018, the lawsuits are coming.)
Now, with two clear strikes from the CJEU on the issue of US surveillance law vs EU data protection, it looks like it’ll be diminishing returns for US tech giants hoping to pretend everything’s okay on the data processing front.
noyb is also putting its money where its mouth is — offering free guidelines and model requests for EU entities to use to help them get their data affairs in prompt legal order.
“While we understand that some things may need some time to rearrange, it’s unacceptable that some players seem to simply ignore Europe’s top court,” Schrems added, in further comments on the latest flotilla of complaints. “This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that don’t enforce the Court’s ruling, like the Irish DPC that stays dormant.”
We’ve reached out to Ireland’s Data Protection Commission to ask what steps it will be taking in light of the latest noyb complaints, many of which target websites that appear to be operated by an Ireland-based legal entity.
Schrems’ original 2013 complaint against Facebook’s use of SCCs also ended up in Ireland, where the tech giant — and many others — locates its EU HQ. Schrems’ request that the DPC order Facebook to suspend its use of SCCs still hasn’t been fulfilled, some seven years and 5 complaints later. And the regulator continues to face accusations of inaction, given the growing backlog of cross-border GDPR complaints against tech giants like Facebook and Google.
Ireland’s DPC has still yet to issue a single final decision on any of these major GDPR complaints. But the legal pressure for it and all EU regulators to get a move on and enforce the bloc’s law will only increase, even as class action style lawsuits are filed to try to do what regulators have failed to.
Earlier this summer the Commission acknowledged a lack of uniformly “vigorous” enforcement of GDPR in a review of the mechanism’s first two years of operation.
“The European Data Protection Board [EDPB] and the data protection authorities should step up their work to create a truly common European culture — providing more coherent and more practical guidance, and work on vigorous but uniform enforcement,” said Věra Jourová, Commission VP for values and transparency then, giving the Commission’s first public assessment of whether GDPR is working.
We’ve also reached out to France’s CNIL to ask what action it will be taking in light of the noyb complaints.
Following the judgment in July the French regulator said it was “conducting a precise analysis”, along with the EDPB, with a view to “drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States”.
Since then the EDPB guidance has come out — inking the obvious: That transfers on the basis of Privacy Shield “are unlawful”. And while the CJEU ruling didn’t invalidate the use of SCCs it gave only a very qualified green light to continued use.
As we reported last month, the ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law doesn’t impinge on the adequate level of protection” for the transferred data.
“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you may put in place,” the EDPB added.