101 Complaints on EU-US transfers filed

Aug 17, 2020

A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) - despite both companies clearly falling under US surveillance laws, such as FISA 702. Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the “Privacy Shield” a month after it was invalidated, while Facebook continues to use the "SCCs", despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.

101 Complaints filed, concerning companies in 30 EU and EEA member states. Complaints have been filed in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. The complaints are also brought against Google and Facebook in the US, for continuing to accept these data transfers, despite them being in violation of the GDPR. The websites where chosen based on the Member State's TLD (like ".fr" for France), two specific codes snippets and the traffic of the page.

We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu.

EU and US companies widely ignore ruling. US companies like Google, Facebook or Microsoft clearly fall under the obligations to provide personal data of persons in the EU to the US government under laws like FISA 702 or EO 12.333. They are even mentioned in the Snowden documents. Despite the clear ruling by the CJEU they now claim that data transfers may continue under the so-called Standard Contractual Clauses – and many EU data exports seem more than willing to accept this false claim.

Schrems: “The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused.

DPAs will have to take action. The GDPR requires that each Data Protection Authority (DPA) in each member state enforced the law, especially when receiving a complaint. The Court of Justice has explicitly highlighted the duty of DPAs to take action. This can range from prohibition notices to serious penalties of € 20 Mio or 4% of the worldwide turnover of the EU sender and US recipient of personal data.

noyb provides guidelines for companies. Especially for smaller EU companies that are not certain about US surveillance laws and if their US partner falls under these laws, noyb has provided free guidelines and model requests on its webpage.

Further legal action planned. noyb is planning to gradually increase the pressure on EU and US companies to review their data transfer arrangements and adapt to the clear ruling by the EU’s supreme court. Schrems: “While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court. This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors  that violate the GDPR and against authorities that do not enforce the Court's ruling, like the Irish DPC that stays dormant.”