Early this week, privacy activist group noyb filed 101 complaints in 30 EU and EEA member states against companies that continue to forward visitor’s data to Google and Facebook. Noyb also wants a fine to be imposed on the two tech giants for accepting and processing the data, despite the lack of a legal basis to do so.
No Legal Basis for EU-US Data Transfer
Until recently, data transfers between the EU and the US were governed by a treaty called Privacy Shield. This treaty replaced the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in 2015. One of the purposes of the new treaty was to provide companies on both sides of the Atlantic with a mechanism to easily send and receive personal data.
The new treaty, however, was annulled in mid-July. This was because, according to the European court, the treaty does not provide enough protection. Under the GDPR, companies are only allowed to send data from EU citizens to other legal regions if they receive the same guarantees of protection as in the EU. There is a penalty of € 20 million or 4% of companies’ global turnover if they continue to transfer data without a valid legal instrument.
Despite the ruling, data transfers continue. As currently there is little clarity in this matter, different companies use different arguments to justify data transfers. Facebook, for example, claims that data transfers are still allowed under the so-called Standard Contractual Clauses (SCCs). Google, on the other hand, still relies on the Privacy Shield, a month after it was invalidated. Many EU companies seem willing to accept these arguments.
Privacy Activist Group Takes Companies and Tech Giants to Court
One month after the cancellation of the data treaty between the EU and the US, privacy activist Max Schrems and his Noyb foundation filed 101 complaints against EU and EEA websites. Some complaints were filed with the relevant Lead Supervisory Authority (LSA). Others with the Austrian DPA. Companies affected include the Danske Bank (FI), Koninklijke PostNL (NL), Decathlon (FR), Cyprus Football Association (CY), Airbnb Ireland (MT), Handelsblatt (DE), the University of Luxembourg (LU) and many others.
According to the indictment, said companies still send data belonging to EU citizens to the United States, mostly through services like Google Analytics and Facebook Connect. Noyb conducted a quick search of major websites in each EU member state for code from Facebook and Google.
“These code snippets forward data on each visitor to Google or Facebook”, Noyb explained. “Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now”, said Max Schrems in a statement on the Noyb website.
Further Legal Action Planned
According to Max Schrems, the European Court explicitly stated that companies cannot rely on, for example, the SSC’s when the recipient in the US falls under UW surveillance laws. Under the SCCs, US recipients of the data would have to inform the EU data sender of these laws and warn them. If this is not done, then the US company is liable for any financial damage caused.
Since the ruling, the US and the EU have indicated that they wish to develop an “enhanced” Privacy Shield. They both recognize the vital importance of data protection. “We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades”, the statement said. However, neither the US Department of Commerce nor the European Commission have provided further details on what the new treaty would include or when a draft may be ready.
In their complaint for each of the sites, Noyb indicates which service exports data to the US and why this is illegal. Noyb is planning to gradually increase the pressure on EU and US companies to review their data transfer arrangements. Additionally, Noyb has asked the Irish Privacy Commission, which is responsible for Facebook in the EU, and France’s CNIL to run additional investigations. Both have now confirmed receipt of Noyb’s complaints and confirmed that they will proceed with investigations.