The European data privacy organization behind the recent invalidation of the EU-US Privacy Shield framework has wasted no time in flexing its newfound muscle. Max Schrems, plaintiff and chairperson of noyb, has directed his organization to file over 100 privacy complaints against major businesses engaging in data transfers with the US via Google Analytics and/or Facebook Connect integrations.
Noyb appears to be focusing on major publishers, ISPs, ecommerce sites and banks, but has also levied complaints against several universities. The Schrems II decision mandates that the relevant national data protection authorities for each company investigate these complaints, but a backlog of cases in tech centers such as Ireland means that action on them may not be immediate.
EU-US data transfers hobbled by unexpected ruling
The Schrems II ruling on international data transfers was a surprise to most observers given that it fundamentally cripples the ability of companies to send EU resident personal data to the US.
The central issue was the court’s decision to side with the view of the plaintiff that the leaked information revealing the scope of the US government’s surveillance of private companies (particularly the materials from the 2013 Edward Snowden leaks) meant that EU residents are having their privacy violated simply by sending their data across US borders. The prior Privacy Shield agreement had taken some measures to address this concern, including the formation of individual Standard Contractual Clauses (SCCs) that spell out data protection terms and the appointing of a US-based liaison assigned to address EU citizen privacy concerns. The Schrems II decision stipulates that SCCs will have to be reviewed on an individual basis, but there appears to be little flexibility to negate the belief that anything passing through US data centers is subject to monitoring by the US government.
Many companies have already ceased operations to comply with the new rules, but noyb has focused on protected data transfers that continue to take place via Facebook and Google services. The privacy complaints allege that the targeted marketing tool Google Analytics and the multiplatform authentication service Facebook Connect are passing protected information internationally in violation of the court ruling.
Some of the biggest names among the privacy complaints include Airbnb’s Ireland division, Sky Deutschland, Tele2, Takeaway.com and Fastweb.
Both Google and Facebook have responded to the privacy complaints by indicating that they are either still abiding by SCCs arranged under the previous Privacy Shield terms or attempting to arrange new ones that comply with the current terms. The Schrems II ruling did not forbid existing SCCs that govern data transfers, but did require any company that has them in place to submit them to the relevant data protection authority (DPA) for review if there is any question about compliance.
Privacy complaints and processing problems
At this point, many of these privacy complaints will flow into a bottleneck in which they could be stuck for a substantial amount of time.
The prior Schrems case that similarly struck down Privacy Shield’s predecessor (Safe Harbor) was followed by a grace period for data transfers granted by the EU Commission. This period of several months gave companies time to square away compliance requirements and forge new agreements. The current ruling provides for no such period, and has left companies scrambling for answers as well as creating a flood of new work for DPAs.
Perhaps the most beleaguered of the DPAs is that of Ireland, where much of the EU’s tech industry is headquartered. The country’s supervisory authority was already backed up with cases and investigations prior to the surprise Schrems II ruling, to the point that noyb brought separate complaints against it in July alleging that the review process is excessively slow. Some of the major cases of recent years, such as the rulings against Facebook and WhatsApp, have only progressed through the initial steps at this point and are estimated to take several more years to resolve.
The US Department of Commerce and European Commission recently announced that they were working together to come up with a new agreement to replace Privacy Shield. The difficulty there is that as long as Europe’s highest court views the current government surveillance situation in the US as being essentially omnipresent, the door is open for yet another challenge by Schrems or other parties that stands a good chance of ultimately being successful. The current effort may be a delaying tactic due to lack of other feasible options, under the assumption that any new legal challenge to a new agreement on data transfers would take several years to be ruled on (as was the case with both prior agreements) while data flows freely in the interim. Major revision of US surveillance laws would appear to be the only sure way to resolve the situation, but that is not presently on the table.
Given that the Schrems ruling views these data transfers as a violation of the General Data Protection Regulation (GDPR), the potential consequence of the privacy complaints is the same fine structure that allows for up to 4% of a company’s annual global turnover to be taken depending on the number and severity of violations. US companies can also potentially be held liable for damages related to the transfer of personal data. Noyb has published guidance as to what will trigger privacy complaints from the group.