Europe’s privacy regulators form task force to tackle complaints about Google and Facebook code
Europe’s privacy regulators have formed a special task force to handle a flood of complaints filed last month about European companies’ use of Google and Facebook’s analytics and log-in services on their web pages.
The complaints were filed by NOYB, the data-protection advocacy organization founded by Max Schrems, a young Austrian lawyer whose crusade to protect his Facebook data has reshaped the transatlantic legal landscape.
The complaints followed a bombshell July ruling from the EU’s highest court (in a case launched by Schrems) that demolished the Privacy Shield agreement for the transfer of personal data from the EU to the U.S.—a simple and inexpensive legal tool used by thousands of companies to allow American companies to process Europeans’ personal data.
The ruling, issued by the Court of Justice of the EU in Luxembourg, also called into question the viability in the U.S. context of a more onerous tool used for the same thing: standard contractual clauses (SCCs), based on a European Commission template, that companies can include in their user agreements as a legal basis for personal-data transfers.
SCCs can be used to legalize transfers of personal data from the EU to any country, but the court’s ruling meant privacy regulators could still ban those transfers if the destination country does not provide suitable protection for the data.
Companies such as Google and Facebook rely on SCCs when transferring personal data from the EU to the U.S. But the core problem afflicting Privacy Shield—the fact that U.S. law gives its intelligence services leeway to spy on the communications of foreigners—also comes into play with standard contractual clauses. Google or Facebook may promise in their user agreements that they will protect the personal data of European users, but that won’t stop the likes of the National Security Agency (NSA) from scooping up Big Tech’s EU-derived data if they want to.
Schrems was the litigant who prompted that July ruling, and his organization was quick to pounce after it came through.
In mid-August, NOYB (“None Of Your Business”) flooded the EU’s national data protection authorities with identical complaints about 101 companies across 30 EU and European Economic Area countries, ranging from food-delivery services (Takeaway.com) and accommodation platforms (Airbnb’s European operation) to banks (Danske Bank) and media outlets (Le Huffington Post).
Appropriately, given the tally, the move was announced in a blog post illustrated with dalmatians.
“We have done a quick search on major websites in each EU member state for code from Facebook and Google,” Schrems explained in the August post. “These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the U.S. for processing, where these companies are under a legal obligation to make such data available to U.S. agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these web pages and are services that could have been replaced or at least deactivated by now.”
On Friday, the European Data Protection Board—a body that includes all the EU’s national data protection authorities—announced the creation of a special task force to handle NOYB’s 101 complaints. A separate task force will come up with advice for data “controllers” (European companies handling personal data) and “processors” (the services those companies use to process that data) in the wake of the so-called Schrems II ruling.
Google and Facebook had not responded to requests for comment at the time of writing.
“No quick fix”
“The EDPB is well aware that the Schrems II ruling gives controllers an important responsibility,” said Andrea Jelinek, the board’s chair, in a statement. She warned that there was no “one-size-fits-all, quick fix solution” to the legal problems raised by the ruling, and said “each organization will need to evaluate its own data processing operations and transfers and take appropriate measures.”
Her wording echoed that of the EU’s justice commissioner, Didier Reynders, who on Thursday told members of the European Parliament that “there will be no quick fix” in the search for a replacement for Privacy Shield, the easier-to-use legal mechanism for transatlantic data transfers that was demolished in July’s ruling.
Privacy Shield was itself the replacement for a similar U.S.-EU deal called Safe Harbor, which was scrapped in 2015, again by the Court of Justice of the EU—and again because of Schrems’s data-protection crusade.
The European Commission and the U.S. Department of Commerce say they’re working on a third iteration, but by this point most observers agree that no such agreement will be legally viable in the EU unless the U.S. reforms its own data-protection and intelligence laws.
“What we need are sustainable solutions that deliver legal certainty, in full compliance with the judgment of the court,” Reynders said. “That is also the message that I have clearly passed to my U.S. counterparts.”
Reynders highlighted various obstacles to a sustainable solution, including the unreformed terms of Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) and the looming U.S. election.
He also said the Commission wanted to “modernize” standard contractual clauses and would come up with a proposal later this year. “It’s very important to say that it’s not just possible to use SCCs without any changes,” he said.