Europe’s privacy regulators have formed a special task force to handle a barrage of complaints filed last month about European companies’ use of Google and Facebook login and analytics services on their web pages.
The complaints were filed by NOYB, the data protection advocacy organization founded by Max Schrems, a young Austrian lawyer whose crusade to protect his Facebook data has reshaped the transatlantic legal landscape.
The complaints followed a July EU Supreme Court ruling (in a case started by Schrems) that demolished the Privacy Shield agreement for the transfer of personal data from the EU to the US, a simple, legal and inexpensive tool used by thousands of businesses to allow US companies to process the personal data of Europeans.
The ruling, issued by the EU Court of Justice in Luxembourg, also questioned the viability in the US context of a more onerous tool used for this: standard contractual clauses (SCC), based on a template from the European Commission, which companies can include in their user agreements as a legal basis for transfers of personal data.
SCCs can be used to legalize transfers of personal data from the EU to any country, but the court’s ruling meant that privacy regulators could still ban those transfers if the destination country does not provide adequate protection for the data.
Companies like Google and Facebook rely on SCCs when transferring personal data from the EU to the US. But the core issue affecting Privacy Shield, the fact that US law gives its intelligence services room for maneuver to spy on foreigners' communications, also comes into play with standard contractual clauses. Google or Facebook may promise in their user agreements that they will protect the personal data of European users, but that won’t stop agencies like the National Security Agency (NSA) from obtaining the EU-derived data from Big Tech if they choose to.
Schrems was the litigator who lobbied for that July ruling, and his organization was quick to intervene after it passed.
“We have done a quick search of the main websites of each EU member state looking for code from Facebook and Google,” Schrems explained in the August post. “Both companies admit that they transfer data from Europeans to the US for processing, where these companies have a legal obligation to make such data available to US agencies such as the NSA. Neither Google Analytics nor Facebook Connect are essential to run these web pages and are services that could have been replaced or at least disabled for now.”
On Friday, the European Data Protection Board, a body that includes all national data protection authorities in the EU, announced the creation of a special working group to handle NOYB’s 101 complaints. An independent working group will provide advice to data “controllers” (European companies that handle personal data) and “processors” (the services those companies use to process that data) in the wake of the so-called Schrems II judgment.
Google and Facebook had not responded to requests for comment as of this writing.
No quick fix
“The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility,” Andrea Jelinek, Chair of the Board, said in a statement. She warned that there is no “one size fits all” solution to the legal problems raised by the ruling, and said that “each organization will need to assess its own data processing and transfer operations and take appropriate action.”
Her wording echoed that of EU Justice Commissioner Didier Reynders, who on Thursday told members of the European Parliament that “there will be no quick fix” in the search for a replacement for the Privacy Shield, the easiest-to-use legal tool for transatlantic data transfers, which was demolished in the July ruling.
Privacy Shield was itself the replacement for a similar agreement between the US and the EU called Safe Harbor, which was scrapped in 2015, again by the EU Court of Justice, and again due to Schrems' data protection crusade.
The European Commission and the US Department of Commerce say they are working on a third version, but at this point most observers agree that no such deal will be legally viable in the EU unless the US reforms its own data protection and intelligence laws.