Update on noyb’s 101 complaints on EU-US data transfers – only one country shines

Data Transfers / 22 September 2020 / Update

Just over a month ago, noyb filed 101 complaints against several companies based in the EU/EEA because they continue to use Google Analytics and Facebook Connect on their websites – thereby transferring personal data to Google and Facebook in the US. According to the CJEU judgement of 16 July 2020, such data transfers are illegal because Google and Facebook are subject to US surveillance laws and must disclose data of European users to US intelligence services.

Hardly any reaction from the companies concerned – despite the threat of a € 20 million fine

While it is politically clear that there will be no new "Privacy Shield" or "Safe Harbor" in the near future, many companies seem to continue to bury their heads in the sand.

Even many lawyers and "experts" ignore the clear statements of the CJEU and claim that everything is fine as long as one enters into Standard Contractual Clauses ("SCCs") with the data recipient – a complete misjudgement of the situation, which can cost companies dearly.

The CJEU has clearly stated that SCCs cannot be used if the recipient in the US is subject to US surveillance laws (such as FISA 702). The data protection authorities can impose fines of up to € 20 million or 4% of annual turnover for a violation of the GDPR rules on data transfer. This is in addition to possible claims for damages by affected users.

The 101 complaints lodged by noyb were therefore intended as a wake-up call: the ruling of the highest Court of the EU must be respected; both data exporters in the EU and data importers in the USA have to inspect critical data transfers and, if necessary, stop them. If they do not do so voluntarily, the CJEU has explicitly placed the European Data Protection Authorities under an obligation to prohibit such data transfers.

This seems to have been largely ignored by the website operators against which noyb lodged the 101 complaints. As of 22.09.2020, only two companies and one university have contacted noyb – all of them based in Liechtenstein. They were able to prove that they had removed the code elements for Google Analytics or Facebook Connect from their websites. noyb subsequently withdrew the complaints concerned before the Liechtenstein data protection authority.

"So far, only website operators from Liechtenstein have surprised us positively. They reacted quickly and correctly and stopped the data transfers that were violating the GDPR. We have subsequently withdrawn the complaints. Unfortunately, we have not heard from website operators from other Member States. The longer these companies wait, the more likely they are to be sanctioned by the data protection authorities". – Marco Blocher, data protection lawyer at noyb.

Google and Facebook also maintain their silence

In addition to the website operators, the 101 complaints are also directed against the data importers Google and Facebook in the US, which can also be held responsible for data transfers in violation of the GDPR. Facebook has so far not made any substantive comments on the 101 complaints; Google has only provided empty words, saying that they are "committed to ensure that under the applicable SCCs provided by Google the required privacy protections are maintained regardless of the location of the data". The Silicon Valley giant, however, has no answer as to how it intends to avoid being subject to US surveillance laws.

"So far, large US data companies are repeating like a mantra that they are evaluating the situation and ensuring that user data is protected on the basis of SCCs. These empty phrases do not change the fact that US surveillance laws give authorities such as the NSA the right to access vast amounts of data that are transferred to the US. So far, there is nothing but silence on this conflict between contracts with EU customers and US laws". – Marco Blocher

European Data Protection Board has set up Task Force on noyb’s complaints

There is one positive development at EU level. The European Data Protection Board ("EDPB", an EU body composed of representatives of the European data protection authorities) has set up a special task force to deal with the 101 complaints. This task force is to investigate the facts underlying the complaints and ensure close cooperation among the members of the board. The EDPB will also "prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries".

"We are very pleased that the EDPB has taken an active role in this matter and is committed to working towards a consistent treatment of our complaints. We hope that this coordination will lead to complaints being dealt with equally effectively and promptly in all EU/EEA countries. So far, our experience shows that some data protection authorities are very productive, while others seem keen to nip any procedure in the bud. A pan-European approach is therefore in any case welcome. The 101 complaints are not complex in substance and are almost identical. If the authority in Member State A manages to deal with a complaint in a timely manner, the authority in Member State B has no excuse why it cannot do so". – Marco Blocher

noyb continues to monitor the situation on each complaint to ensure that decisions of the CJEU also protect the rights of every citizen in their daily lives.