101 damnations - privacy activists launch fresh challenge to firms conducting 'illegal' data transfers to the US

Profile picture for user slauchlan By Stuart Lauchlan August 19, 2020
Privacy Shield is dead, but there's more denial on view about the validity of some data transfers than you'd find in a Monty Python parrot sketch.


European privacy campaign group noyb (none of your business) has filed complaints against 101 websites that it alleges continue to send EU data to the US via Google Analytics and Facebook Connect integrations in defiance of a court ruling.

Following last month’s ruling by the Court of Justice of the European Union that declared that the controversial Privacy Shield data transfer arrangement to be unsafe and invalid, organizations in the main pointed to their use of Standard Contractual Clauses (SCCs) to provide customers with assurances that their data was safe in their hands

But the same ruling required that SCCs can only be used if the country to which data is being sent is deemed to meet EU standards of data protection - and the US surveillance regime does not. 

Activists at noyb, led by honorary chair Max Shrems, have now filed 101 complaints with data regulators about websites across the EU that are using Google Analytics and Facebook Connect to send data to the US. Shrems said in a statement: 

We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies, like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least de-activated by now.

Among the 101 organizations cited by noyb in its complaint are Airbnb Ireland, Allied Irish Banks, Danske Bank, MTV Internet, Sky Deutschland and Takeaway.com.

US companies are widely ignoring the details of the CJEU ruling, according to noyb, claiming that data transfers to the US have the green light through the use of SCCs. Not so, says Shrems: 

The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused.

In denial?

A look at the privacy Ts & Cs on a number of websites makes for interesting reading. Google, for example, states: 

The Privacy Shield frameworks provided a mechanism to comply with data protection requirements when transferring EEA, UK or Swiss personal data to the United States and onwards. While the Swiss-US Privacy Shield currently remains valid, in light of the recent Court of Justice of the European Union ruling on data transfers, invalidating the EU-US Privacy Shield, Google will be moving to reliance on Standard Contractual Clauses for relevant data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR. We are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.

Meanwhile Facebook says: 

As part of a global organization, Facebook operates both within and outside the European Economic Area (the “EEA”) and from time to time we may transfer your data from the EEA for processing in a territory outside the EEA that does not have the same statutory levels of data protection as the EEA. When we do so, we utilize the Standard Contractual Clauses approved by the European Commission in order to ensure that your data has equivalent levels of protection.

And at Microsoft, they still seem to be in denial about the demise of Privacy Shield, promising users that:  

Microsoft adheres to the principles of the EU-US and Swiss-US Privacy Shield frameworks.

This is not in keeping with the European court judgement, says noyb: 

Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the 'Privacy Shield' a month after it was invalidated, while Facebook continues to use the 'SCCs' [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.

Shrems promises more legal trouble ahead: 

While we understand that some things may need some time to re-arrange, it is unacceptable that some players seem to simply ignore Europe’s top court. This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors  that violate the GDPR and against authorities that do not enforce the Court's ruling, like the Irish DPC that stays dormant.”

My take

Denial, while not acceptable, is perhaps hardly surprising given that this condition goes right to the top in the US. The US Department of Commerce website currently tells organizations: 

On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-US Privacy Shield of their obligations under the EU-US Privacy Shield Framework.  

The US Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. 

In other words, ‘we’re not listening!’ to the Europeans on this one - keep calm and carry on regardless. That’s in line with what Secretary of Commerce Wilbur Ross promised on the day Privacy Shield became invalid when he pledged: 

The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.

And that’s the lead that’s being followed by US regulators, such as Joe Simons, Chairman of the Federal Trade Commission, who two weeks ago told the US Senate Committee on Commerce, Science, and Transportation:

I also want to mention the recent European Union (“EU”) ruling on the EU-U.S. Privacy Shield and note that we are studying its effects. We stand ready to support the administration’s efforts in this area, but at the same time we will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield.

On the other hand, European regulators immediately emphasised that Privacy Shield was akin to Monty Python’s Norwegian Blue parrot: 

‘E’s passed on! This parrot is no more! He has ceased to be! 'E's expired and gone to meet 'is maker! 'E's a stiff! Bereft of life, 'e rests in peace! If you hadn't nailed 'im to the perch 'e'd be pushing up the daisies! 'Is metabolic processes are now 'istory! 'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisible!! THIS IS AN EX-PARROT!!

Or in this case, this is an ex-sham of a privacy arrangement! 

Of course the best solution here would be for all parties to get back round the table and come up with a replacement for Privacy Shield, remembering this time to do the job properly and not just throw together a piece of PR flim flam. Discussions began on this last week, as Ross and European Commissioner for Justice Didier Reynders announcing: 

The European Union and the United States recognize the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies. We share a commitment to privacy and the rule of law, and to further deepening our economic relationship, and have collaborated on these matters for several decades. As we face new challenges together, including the recovery of the global economy after the COVID-19 pandemic, our partnership will strengthen data protection and promote greater prosperity for our nearly 800 million citizens on both sides of the Atlantic.

Goodo. There is of course an election looming large on the horizon in the US, so fixing a problem that US politicians aren’t prioritizing isn’t going to be particularly high on anyone’s agenda. In fact, US patience with the Europeans and their damn privacy obsession ran out a long time ago. As former US Ambassador to the EU Gordon Sondland bluntly put it back in 2018:

As we’ve told the Europeans, we really don’t want to discuss this any further.

That still being the case, watch out for more complaints from noyb and others in the coming months.