Privacy campaign group NOYB has filed complaints against 101 websites with European operators that it says are still sending data to the United States via Google Analytics and/or Facebook Connect integrations—potentially in breach of the European Union’s strict data privacy rules.
Banks, financial services firms, ecommerce companies, publishers, broadcasters, telecoms firms, and universities are among the organizations on the list compiled by NOYB, the group headed by Max Schrems, whose campaigns have sunk both previous EU-U.S. data transfer frameworks: Safe Harbour in 2015 and the Privacy Shield last month.
Allied Irish Banks, Danske Bank, and Norway’s Sbanken are some of the financial services firms whose websites are sharing data with the tech firms, while MTV Internet, Sky Deutschland, and the French website of The Huffington Post are among the list of broadcasters and media firms named. Universities that are at risk of transferring EU citizens’ personal data to the United States via Google and Facebook include the universities of Luxembourg and Liechtenstein.
Ecommerce firm Airbnb Ireland is named in four complaints to different European data protection authorities (Spain, Malta, Italy, and Denmark).
According to NOYB, analysis of the HTML source code of major EU company websites shows that many organizations still use Google Analytics or Facebook Connect one month after the Court of Justice of the European Union (CJEU), Europe’s highest court, ruled that data transfers between the European Union and United States (as well as other third countries) were potentially unsafe, and that the Privacy Shield was therefore immediately invalid as a mechanism.
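The kind of HTML source check described above, as an added example that is neither NOYB's tooling nor code from the original article: a small Python scanner that flags `<script>` tags fetched from the hosts that serve Google Analytics and the Facebook JavaScript SDK, run over a constructed sample page. The host-to-vendor mapping and the sample page are assumptions made for this check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public hosts these libraries load from; mapping host to vendor is an assumption for this check.
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Analytics (gtag.js / Tag Manager)",
    "connect.facebook.net": "Facebook Connect (JavaScript SDK)",
}

class ScriptSrcCollector(HTMLParser):
    # Collect the src attribute of every <script> tag in the page.
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)

def find_third_party_loaders(html):
    # Return {vendor: [script URLs]} for scripts fetched from known tracker hosts.
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = {}
    for src in parser.sources:
        # A protocol-relative URL (//host/path) still triggers a third-party fetch.
        absolute = "https:" + src if src.startswith("//") else src
        host = urlparse(absolute).hostname
        if host is None:
            continue  # relative path: same-origin script, no transfer to a vendor
        vendor = TRACKER_HOSTS.get(host.lower())
        if vendor:
            findings.setdefault(vendor, []).append(src)
    return findings

# Constructed sample page; not taken from any site named in the complaints.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-00000000-1"></script>
<script src="/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script async defer src="//connect.facebook.net/en_US/sdk.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for vendor, urls in find_third_party_loaders(SAMPLE_HTML).items():
        print(f"{vendor}: {urls}")
```

A static check like this only finds loaders present in the served HTML; scripts injected later by a tag manager need a browser-side inspection of the network requests actually made.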
The judgment also poured cold water on other long-standing methods used by companies to send data across the Atlantic, namely binding corporate rules (BCRs) and standard contractual clauses (SCCs), because the strength of U.S. surveillance laws (in particular, Section 702 of the Foreign Intelligence Services Act) means that companies, notably tech and telecom firms, can be forced to hand over EU citizens’ data for homeland security purposes as part of “compelled assistance.”
The European Data Protection Board, the EU’s regulator for the General Data Protection Regulation (GDPR), has said SCCs and BCRs can only be relied upon if companies themselves can provide assurance the data will not be accessed by authorities in third countries. Otherwise, they are at risk of being hit with a maximum fine of 4 percent of global turnover for non-compliance.
However, NOYB says neither Facebook nor Google have a legal basis for data transfers because “Google still claims to rely on the Privacy Shield a month after it was invalidated, while Facebook continues to use SCCs, despite the Court finding that U.S. surveillance laws violate the essence of EU fundamental rights.”
“The CJEU was explicit that you cannot use the SCCs when the recipient in the U.S. falls under these mass surveillance laws,” said Schrems in a statement. “It seems U.S. companies are still trying to convince their EU customers of the opposite. This is more than shady.”
Facebook declined to comment, but in a blog published this week, the company said: “To date, Facebook has relied on the Privacy Shield as the data transfer mechanism for our ads and measurement products, as well as for our workplace customers. In light of the CJEU ruling, we are working to migrate to SCCs for these products.”
Google did not respond to a request for comment.
NOYB plans to increase pressure on EU and U.S. companies to review their data transfer arrangements and adapt to the CJEU’s “clear ruling.” Schrems also wants EU data protection authorities to take action to enforce the GDPR properly—a point also raised by the CJEU in its judgment.
“While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court,” said Schrems.
“This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish Data Protection Commission that stays dormant.”