In the wake of the recent decision of the European Court of Justice (CJEU) in which it struck down the Privacy Shield data transfer arrangement – commonly referred to as the Schrems case after the Austrian activist, Max Schrems, who brought the action – the practices of companies moving data from the European Union to the United States are now under scrutiny. The privacy activist group noyb, headed by Mr. Schrems, has filed complaints against 101 websites which it alleges are still sending data in the absence of the Privacy Shield and without the measures required by the EU’s General Data Protection Regulation.
In bringing its legal complaints, nyob focused its attention on organizations that span a range of industry sectors – ecommerce, publishers and broadcasters, telecommunications and internet service providers, financial services institutions and universities. They include Airbnb Ireland, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, and Takeaway.com. nyob alleges that many companies continue to use Google Analytics or Facebook Connect, despite the fact that both companies fall under U.S. surveillance laws such as Section 702 of the Foreign Intelligence Surveillance Act. The inability to protect EU residents from U.S. national security agencies’ access to their data formed the basis of the European Court of Justice’s decision to invalidate the U.S.-EU Privacy Shield in the Schrems case.
In the complaints filed, noyb contends that none of the aforementioned 101 websites has a valid legal basis to continue to move website visitor data to the US via the embedded Google Analytics and/or Facebook Connect integrations. The organization states on its website that “Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield” a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.” Facebook responded by stating that it is migrating to SCCs to transfer ad and measurement data.
The cases brought by noyb highlight the vulnerability of companies moving data between the EU and the U.S. without the benefit of the now-defunct Privacy Shield. Without the Privacy Shield, the U.S. now has no arrangement to enable it to lawfully process EU users’ information, particularly as the European Data Protection Board has stated that there would be no grace period for entities relying on it. The court’s ruling also called into question the sufficiency of standard contractual clauses as a mechanism to transfer data to the U.S. Recent guidance from data protection authorities – European Data Protection Board FAQ on Schrems II – has stated that standard contractual clauses can support lawful transfer of data from the EU to the U.S., but only after analysis of whether that transfer raises privacy risks to data subjects and implementation of measures to mitigate that risk.
Given the Schrems decision, Achieved Compliance can assist you in:
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.