NOYB claims that a quick analysis of the HTML source code of primary EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a significant judgment by the Court of Justice of the European Union (CJEU). And despite both tech giants falling under US surveillance laws, such as FISA.
Neither Facebook nor Google seems to have a legal basis for data transfers. Google stills claims to rely on the “Privacy Shield” a month after it was invalidated by the Court, while Facebook continues to use the “SCCs” despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.
101 Complaints filed, concerning companies in 30 EU and EEA member states. Complaints have been filed against 101 European companies in all 30 EU and EEA member states that still forward data about each visitor to Google and Facebook. The websites were chosen based on the national TLD (like “.fr” for France) and average user traffic. The complaints are also against Google and Facebook in the US, for they continue to accept these data transfers, despite them violating the GDPR.
“We have done a quick search on major websites in each EU member state for code transmitters from Facebook and Google. These transmitters forward data snippets on each visitor onto Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu.
EU and US companies widely ignore the ruling. US companies like Google, Facebook, or Microsoft fall under the obligations to provide the personal data collected of persons in the EU to the US government under laws like FISA 702 or EO 12.333. They are even mentioned in the Snowden documents. Despite the clear ruling by the CJEU, they now claim that data transfers may continue under the so-called Standard Contractual Clauses – and many EU data exports seem more than willing to accept this false claim.
Schrems: “The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs, the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused.”
DPAs will have to take action. The GDPR requires that each Data Protection Authority (DPA) in each member state has to enforce the law, especially when receiving a complaint. The Court of Justice has explicitly highlighted this duty of DPAs to take action. This can range from prohibition notices to serious penalties of € 20 Mio or 4% of the worldwide turnover of the sender and recipient of personal data.
noyb provides guidelines for companies. Especially for smaller EU companies that are not certain about US surveillance laws and if their US partner falls under these laws, noyb has provided free guidelines and model requests on its webpage.
Further legal action planned. noyb is planning to gradually increase the pressure on EU and US companies to review their data transfer arrangements and adapt to the clear ruling by the EU’s Supreme Court. Schrems: “While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to ignore Europe’s top Court simply. This is also unfair towards competitors that try to comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish DPC that stays dormant.”
noyb.eu – European Centre for Digital Rights. The non-profit noyb [pronunciation] was founded by data protection activist and lawyer Max Schrems in 2017. Since May 2018, noyb.eu has been bringing cases to enforce European data protection laws. noyb has so far filed more than 25 cases against numerous intentional infringements – including companies such as Google, Apple, Facebook, and Amazon. More than 3,200 supporting members fund the work of noyb.eu.