A month after Europe's top court struck down a flagship data transfer arrangement between the EU and the US as unsafe, European privacy campaign group, noyb, has filed complaints against 101 websites with regional operators which it's identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations.
Among the entities listed in its complaint are ecommerce companies, publishers & broadcasters, telcos & ISPs, banks and universities -- including Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, Takeaway.com and Tele2, to name a few.
"A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) -- despite both companies clearly falling under US surveillance laws, such as FISA 702," the campaign group writes on its website.
"Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the 'Privacy Shield' a month after it was invalidated, while Facebook continues to use the 'SCCs' [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights."
We've reached out to Facebook and Google with questions about their legal bases for such transfers -- and will update this report with any response. Update: A Facebook spokesman said the company is not commenting on individual cases but pointed to a blog post from yesterday in which it writes that it "has relied upon Privacy Shield as the data transfer mechanism for our ads and measurement products". "In light of the CJEU ruling, we are working to migrate to SCCs for these products. We will update the respective terms to reflect this, and more information will follow," it adds, without specifying whether it has carried out an assessment of the legality of using SCCs given the lack of an adequacy agreement between the EU and the US.
Privacy watchers will know that noyb's founder, Max Schrems, was responsible for the original legal challenge that took down an anterior EU-US data arrangement, Safe Harbor, all the way back in 2015. His updated complaint ended up taking down the EU-US Privacy Shield last month -- although he'd actually targeted Facebook's use of a separate data transfer mechanism (SCCs), urging its data supervisor, Ireland's DPC, to step in and suspend its use of that tool.
The regulator chose to go to court instead, raising wider concerns about the legality of EU-US data transfer arrangements -- which resulted in the CJEU concluding that the Commission should not have granted the US a so-called 'adequacy agreement', thus pulling the rug out from under Privacy Shield.
The decision means the US is now what's considered a 'third country' in data protection terms, with no special arrangement to enable it to process EU users' information.
More than that, the court's ruling also made it clear EU data watchdogs have a responsibility to intervene where they suspect there are risks to EU people's data if it's being transferred to a third country via SCCs.
noyb's contention with this latest clutch of complaints is that none of the aforementioned 101 websites has a valid legal basis to keep transferring visitor data to the US via the embedded Google Analytics and/or Facebook Connect integrations.
“We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” said Schrems, honorary chair of noyb.eu, in a statement.
Since the CJEU's Schrems II ruling, and indeed since the Safe Harbor strike down, the US Department of Commerce and European Commission have stuck their heads in the sand -- signalling they intend to try cobbling together another data pact to replace the defunct Privacy Shield (which replaced the blasted-to-smithereens (un)Safe Harbor. So, er... ).
Yet without root-and-branch reform of US surveillance law, any third pop by respective lawmakers at papering over the legal schism of US national security priorities vs EU privacy rights is just as surely doomed to fail.
The more cynical among you might say the high level administrative manoeuvers around this topic are, in fact, simply intended to buy more time -- for the data to keep flowing and 'business as usual' to continue.
But there is now substantial legal risk attached to a strategy of trying to pretend US surveillance law doesn't exist.
Here's Schrems again, on last month's CJEU ruling, suggesting that Facebook and Google could be in the frame for legal liability if they don't proactively warn EU customers of their data responsibilities: "The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused."
And as noyb's press release notes, GDPR's penalties regime can scale as high as 4% of the worldwide turnover of the EU sender and the US recipient of personal data. So, again, hi Facebook, hi Google...
The crowdfunded campaign group has pledged to continue dialling up the pressure on EU regulators to act and on EU data processors to review any US data transfer arrangements -- and "adapt to the clear ruling by the EU’s supreme court", as it puts it.
Other types of legal action are also starting to draw on Europe's General Data Protection Regulation (GDPR) framework -- and, importantly, attract funding -- such as two class action style suits filed against Oracle and Salesforce's use of tracking cookies earlier this month. (As we said when GDPR came into force back in 2018, the lawsuits are coming.)
Now, with two clear strikes from the CJEU on the issue of US surveillance law vs EU data protection, it looks like it'll be diminishing returns for US tech giants hoping to pretend everything's okay on the data processing front.
noyb is also putting its money where its mouth is -- offering free guidelines and model requests for EU entities to use to help them get their data affairs in prompt legal order.
“While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court," Schrems added, in further comments on the latest flotilla of complaints. "This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court's ruling, like the Irish DPC that stays dormant.”
We've reached out to Ireland's Data Protection Commission to ask what steps it will be taking in light of the latest noyb complaints, a number of which target websites that appear to be operated by an Ireland-based legal entity.
Schrems original 2013 complaint against Facebook's use of SCCs also ended up in Ireland, where the tech giant -- and many others -- locates its EU HQ. Schrems' request that the DPC order Facebook to suspend its use of SCCs still hasn't been fulfilled, some seven years and five complaints later. And the regulator continues to face accusations of inaction, given the growing backlog of cross-border GDPR complaints against tech giants like Facebook and Google.
Ireland's DPC has still yet to issue a single final decision on any of these major GDPR complaints. But the legal pressure for it and all EU regulators to get a move on and enforce the bloc's law will only increase, even as class action style lawsuits are filed to try to do what regulators have failed to.
Earlier this summer the Commission acknowledged a lack of uniformly "vigorous" enforcement of GDPR in a review of the mechanism's first two years of operation.
“The European Data Protection Board [EDPB] and the data protection authorities have to step up their work to create a truly common European culture — providing more coherent and more practical guidance, and work on vigorous but uniform enforcement," said Věra Jourová, Commission VP for values and transparency then, giving the Commission's first public assessment of whether GDPR is working.
We've also reached out to France's CNIL to ask what action it will be taking in light of the noyb complaints.
Following the judgement in July the French regulator said it was "conducting a precise analysis", along with the EDPB, with a view to "drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States".
Since then the EDPB guidance has come out -- inking the obvious: That transfers on the basis of Privacy Shield "are illegal". And while the CJEU ruling did not invalidate the use of SCCs it gave only a very qualified green light to continued use.
As we reported last month, the ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.
“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place," the EDPB added.
Update: Both the Irish DPC and France's CNIL have now confirmed receipt of several noyb complaints apiece, saying they will proceed to investigate.
In further comments to TechCrunch, the CNIL also emphasized the need for a common approach by regulators to applying the CJEU decision.
"The question of the consequences to be drawn from the recent decision of the CJEU cannot be settled in isolation by a single European authority. The approach must be common and coherent at European level. We are working with the other authorities within the EDPS to achieve this," it said.
"The issues at stake are systemic and require a reflection with all stakeholders, including data controllers, to secure the processing of data of European citizens."