23 years of illegal data transfers due to inactive DPAs and new EU-US deals
In two landmark rulings in 2015 and 2020, the Court of Justice of the European Union (CJEU) declared EU-US data transfers illegal. These decisions are retroactive, which means there was no legal basis for said transfers between the year 2000 and 2023. Nevertheless, most EU companies kept using services like Google Analytics or tracking tools by Meta which entail unlawful data transfers to the USA. A new analysis of noyb's 101 complaints on that matter now shows how a combination of inactive data protection authorities and new deals by the European Commission have lead to 23 years of privacy violations.
23 years of illegal transfers. The highest European court sent a strong message for better data privacy, when it invalidated the data transfer deals "Safe Harbor" and "Privacy Shield" in 2015 and 2020 respectively. The logical consequence of this decision was that almost all transfers between the European Union and United States since the year 2000 were illegal. In reality, companies didn’t stop the practice though. This was largely made possible by to the inaction of European data protection authorities (DPAs), which mostly failed to implement the CJEU’s rulings. In combination with new (and void) deals, we are therefore lookig back on 23 years of illegal data transfers.
Marco Blocher, Data Protection Lawyer at noyb: “We are witnessing a certain collapse of the rule of law. Europe’s highest court declared the data transfers of the past 23 years illegal, but the authorities largely looked the other way."
Gathering dust in a drawer. To ensure enforcement, noyb had filed 101 complaints after the CJEU invalidated the adequacy decision "Privacy Shield" in 2020. Although this ruling took away the legal basis for data transfers, a lot of well-visited websites continued to forward data about their visitors to Google and Meta servers in the United States. Despite explicit complaints and the fact that the continued transfers constituted a clear violation of the GDPR, the competent data protection authorities still haven’t reached a decision in more than 70 percent of noyb’s complaints until today. 18 August marks the third anniversary of the complaints.
Endless waiting game. The CJEU ruling has in fact ensured a clear legal situation for DPAs to make a relatively quick decision in cases about data transfers. noyb’s newest analysis shows, however, that 20 of 32 concerned authorities (62,5%) haven’t issued a decision for a single complaint that was filed with them. Even the more active authorities took much more time than foreseen by law. The first of currently 13 decisions came from Austria’s DSB. It took almost 1.5 years to reach a decision on noyb’s complaint, despite the simple facts of the case and the clear legal situation.
Marco Blocher, Data Protection Lawyer at noyb: “About two thirds of all DPAs we filed with did not reach a single decision in three years. Some are even impossible to reach and provide no updates on the status of the complaints. It is absurd taht in some member states, even such simple cases are not enforced."
A bad example. What makes it even worse is that the Irish Data Protection Commission (DPC) – so the supervisory authority for Google and Meta – is one of the 20 DPAs that have not yet lifted a finger. All six noyb complaints brought before the DPC are still pending. But the authority is not alone in this. Among others, the same goes for the Belgian, Dutch, Greek, Polish, Slovakian and Czech DPA. The full analysis is linked above.
No one dares to issue a fine. To date, a total of 73 cases are pending. noyb won nine cases, won three partially and lost one. But even the positive news is sobering. Only in one case did the competent authority (in Sweden) impose a fine for unlawfully using Google Analytics: The telecommunications provider Tele2 had to pay one million euros, the online retailer CDON 25,000 euros. That’s only two fines in 101 cases.
Marco Blocher, Data Protection Lawyer at noyb: “Only the Swedish authority issued a fine, all other authorities did not issue a fine for an obvious GDPR violation.”
EU Commission overtook the DPAs. For many of the remaining complaints, three years after filing, it is still unclear whether the competent DPAs will ever reach a decision or just try to sit out the issue. In the meanwhile, the EU Commission and the USA have gone to work. In mid-July this year, they agreed on a “new” Trans-Atlantic Data Privacy Framework (“TADPF”) which is largely a copy of its predecessor. EU citizens still don’t have constitutional rights in the United States which allows intelligence agencies like the NSA to use their data for surveillance purposes. At the same time, the new Framework gives DPAs the opportunity to suspend active proceedings to wait and see if the CJEU will invalidate the adequacy decision for the third time.
Marco Blocher, Data Protection Lawyer at noyb: “We basically have 23 years of back-to-back illegal transfer deals or non-enforcement. It is amazing that every normal person gets a fine if they violate the law, just when it comes to the GDPR there is simply no consequence – even after two CJEU judgments.”
Possible measures have all come to nothing. After noyb filed it 101 complaints, it briefly looked as if there was hope for a timely resolution. The EDPB even set up an informal “taskforce” in order to avoid a fragmentation of decision-making practice. Unfortunately, it didn't lead to a uniform approach to finally stop unlawful data transfers. The underlying problem of companies that don’t comply with European data protection law still persists. The final report of the taskforce only contains high level, obvious statements.
Third time's a charm? Just like "Safe Harbor" and "Privacy Shield", the new "TADPF" will sooner or later be challenged before the CJEU which will then assess its validity under EU law. As the fundamental problems with US surveillance law still persists, there is a high chance that it will suffer the fate of its predecessors - and will be declared void with retroactive effect. The ball will then again be in the DPAs' court. In the end, they will have to enforce the CJEU's ruling. Given their performance so far, the outlook is dire. noyb is prepared to exploit all legal possibilites to ensure a decision for pending complaints and - if necessary - to file new complaints to make sure that future CJEU rulings will be respected.