Data Transfers

Data Transfers
In 2013, Edward Snowden publicly disclosed that US Intelligence Agencies have access to the personal data of European users via surveillance programs such as PRISM or Upstream. These disclosed documents also listed a number of companies that are providing data to the US government for surveillance programs, including Apple, Microsoft, Facebook, Google and Yahoo. Following the Snowden disclosures, Max Schrems filed a complaint against Facebook Ireland Ltd before the Irish Data Protection Commissioner (DPC), arguing that Facebook may not transfer his personal data to the US anymore, given that Facebook USA has to provide that data to the US secret services without adequate protection.

After lengthy back and forth between the DPC, Facebook and Max Schrems, the case was referenced to the Court of Justice of the European Union (CJEU). In a groundbreaking judgment in 2015 the CJEU declared the first legal instrument (“Safe Harbor”) invalid. In 2019, the CJEU also declared “Privacy Shield” (the successor of Safe Harbor) invalid and highlighted that Facebook may also not use “Standard Contractual Clauses”, which was another type of transfer mechanism.

At its core, there is a fundamental conflict between US surveillance laws (which demand surveillance of non-US persons) and European data protection laws (which requires privacy protections), that can only be overcome by a common standard for privacy protections, no matter the citizenship. Until such time, it is unlikely that the matter will be resolved.

More information on EU-US Data Transfers

In this project, noyb

  • filed 101 model complaints against companies that are still transferring data to the US after invalidation of Privacy Shield in July 2020,
  • is providing information for EU companies on how to comply with the ruling and informing users about their options to stop data transfers to the US,
  • is prompting the Irish Data Protection Commissioner, the responsible authority for Facebook, to enforce the judgment and stop Facebook’s data transfers to the US,
  • is actively preparing to challenge any upcoming new EU-US data transfer deal that is not based on any substantial change of US laws and practices and
  • advocates for a long-term solution, based on an agreement among democratic countries, which limits surveillance of private individuals (no matter the citizenship), unless common thresholds (such as probable cause and a judicial approval) are met.

Case Controller DPA Status Duration
C029-1 Preisvergleich Internet Services AG DSB (Austria) Partly Won Filed:
Closed:
(2 lata 7 miesięcy)
C029-10 Dagens industri IMY (Sweden), DSB (Austria) Won Filed:
(3 lata 1 miesiąc ago)
C029-100 Société Saint-Paul Luxembourg S.A CNPD (Luxembourg) Other Outcome Filed:
Closed:
(1 rok 7 miesięcy)
C029-101 Onet-RAS Polska Group UODO (Poland) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-11 Tele2 Sverige AB IMY (Sweden), DSB (Austria) Won Filed:
(3 lata 1 miesiąc ago)
C029-12 Wamos Benelux NV APD/GBA (Belgium) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-13 bpost SA APD/GBA (Belgium) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-14 Concept Multimedia Belgium sa - IPM APD/GBA (Belgium) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-15 Roularta Media Group N.V. APD/GBA (Belgium) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-16 Good Game AS DSB (Austria), Datatilsynet (Norway) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-17 Sbanken DSB (Austria), Datatilsynet (Norway) Other Outcome Filed:
Closed:
(2 lata 3 miesiące)
C029-18 Telenor Group DSB (Austria), Datatilsynet (Norway) Won Filed:
(3 lata 1 miesiąc ago)
C029-19 Elisa Eesti AS AKI (Estonia), DSB (Austria) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-2 MTV Internet Tietosuojavaltuutetun toimisto (Finland), DSB (Austria) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-20 Allepal OÜ AKI (Estonia), DSB (Austria) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-21 SIA TV NET AKI (Estonia), DSB (Austria), DVI (Latvia) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-22 SIA "Education systems, E-klase DSB (Austria), DVI (Latvia) Other Outcome Filed:
Closed:
(2 lata 2 miesiące)
C029-23 Maxima LT UAB ADA (Lithuania), DSB (Austria) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-24 UAB Diginet LTU ADA (Lithuania), DSB (Austria) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)
C029-25 UAB Nordecum, SMSPinigai.lt ADA (Lithuania), DSB (Austria) Pending (3 - 4 years) Filed:
(3 lata 1 miesiąc ago)

Relevant articles

Recent articles