Companies can't say how they comply with CJEU ruling

Data Transfers
 /  25 September 2020

Opening Pandora’s Box: Companies can't say how they comply with CJEU ruling

Following the Court’s judgment in Case-C-311/18 (“Schrems II”) on the Privacy Shield and Standard Contractual Clauses, the noyb team and some of our members reached out to 33 companies and services that they use on a personal basis to ask them how they were approaching international data transfers. The responses that we received ranged across the spectrum: from good, to bad, to shocking. We’ve now compiled a report for the public that details these responses.

  • Scroll through the collected responses from companies in this 45-page report (PDF) spanning from Airbnb to Zoom
  • Check out the press release (PDF)

After the CJEU ruled on EU-US data transfers for the second time (after the end of "Safe Harbor" in 2015), we were wondering if companies are now better equipped to deal with the GDPR's rules on international data transfers. Users have a right to get detailed information, where their data was sent. Accordingly the following text was submitted to each company between July and September 2020:

Dear Sir/Madam,

I am one of your customers. In accordance with Articles 12, 13, 14 and 15 of the GDPR, I make the following requests:

  • Do you transfer data outside of the EU? If yes, to which countries?
  • What is the legal basis relied on for each transfer (e.g. adequacy decision, SCCs, BCRs, derogations...)? If you used SCCs or BCRs, please provide a copy of the SCCs or BCRs used for each transfer.
  • If you send personal data to the US, do any of your partners fall under 50 USC §1881a (“FISA 702”) or provide data to the US government under EO 12.333?
  • If you send personal data to the US, which technical measures are you taking so that my personal data is not exposed to interception by the US government in transit?

Please reply within one week as the GDPR requires you to reply ‘without undue delay’. This is a simple request that does not require extensive analysis. Further identification beyond my email does not seem necessary given that I do not demand a copy of my personal data. Should you require any further information, please do not hesitate to contact me.

Regards, Name”

Astonishing answers - or no answer at all. The answers were overall astonishing. Some companies like Airbnb, Netflix, and WhatsApp didn’t reply to our requests for information at all, while other companies simply redirected us to their privacy policies, which lacked more detailed explanation.

Others provided information that does not really lead to more certainty: For example, Slack (a very popular software for internal communication in businesses) stated that they did not “voluntarily” provide governments with access to data, which does not answer the question of whether they are compelled to do so under surveillance laws such as FISA702.

Other companies fared better with their replies, such as Microsoft, who provided an answer to every question asked, or Virgin Media, who sent us a copy of their Standard Contractual Clauses. At the same time, Microsoft still claims that they may transfer personal data to the US (link to Microsoft's blog), despite being one of the companies explicitly named by the documents disclosed by Edward Snowden and publicly numbering the FISA702 requests by the US government it received and answered.

Overall, we were astonished by how many companies were unable to provide little more than a boilerplate answer. It seems that most of the industry still does not have a plan as to how to move forward.

Would you like to submit a similar request to the companies and services that you interact with? Feel free to use one of our templates on this page here!