Published On: Tue, Aug 18th, 2020

EU websites’ use of Google Analytics and Facebook Connect targeted by post-Schrems II privacy complaints

A month after Europe’s top court struck down a flagship data transfer arrangement between the EU and the US as unsafe, European privacy campaign group, noyb, has filed complaints against 101 websites with regional operators that it’s identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations.

Among the entities listed in the complaint are ecommerce companies, publishers and broadcasters, telcos and ISPs, banks and universities — including Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, Takeaway.com and Tele2, to name a few.

“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) — despite both companies clearly falling under US surveillance laws, such as FISA 702,” the campaign organisation writes on its website.

“Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield’ a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”

We’ve reached out to Facebook and Google with questions about their legal bases for such transfers — and will update this report with any response. Update: A Facebook spokesperson said the company is not commenting on individual cases but pointed to a blog post from yesterday in which it writes that it “has relied on Privacy Shield as a data transfer mechanism for its ads and measurement products”. “In light of the CJEU ruling, we are working to transition to SCCs for these products. We will update the particular terms to reflect this, and more information will follow,” it adds, without specifying whether it has carried out an assessment of the legality of using SCCs given the lack of an adequacy agreement between the EU and the US.

Privacy watchers will know that noyb’s founder, Max Schrems, was responsible for the original legal challenge that took down an earlier EU-US data arrangement, Safe Harbor, all the way back in 2015. His updated complaint ended up taking down the EU-US Privacy Shield last month — although he’d actually targeted Facebook’s use of a separate data transfer mechanism (SCCs), urging its data supervisor, Ireland’s DPC, to step in and suspend its use of that tool.

The regulator chose to go to court instead, raising wider concerns about the legality of EU-US data transfer arrangements — which resulted in the CJEU concluding that the Commission should not have granted the US a so-called ‘adequacy agreement’, thus pulling the rug out from under Privacy Shield.

The decision means the US is now what’s considered a ‘third country’ in data protection terms, with no special arrangement to enable it to process EU users’ data.

More than that, the court’s ruling also made it clear EU data watchdogs have a responsibility to intervene where they suspect there are risks to EU people’s data if it’s being transferred to a third country via SCCs.

European data watchdogs swiftly warned there would be no grace period for entities still illegally relying on Privacy Shield — so anyone listed in the above complaint that’s still referencing the defunct mechanism in their privacy policy won’t even have a proverbial figleaf to hide their legal blushes.

noyb’s contention with this latest clutch of complaints is that none of the aforementioned 101 websites has a valid legal basis to keep transferring visitor data to the US via the embedded Google Analytics and/or Facebook Connect integrations.

“We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” said Schrems, honorary chair of noyb.eu, in a statement.

Since the CJEU’s Schrems II ruling, and indeed since the Safe Harbor strike down, the US Department of Commerce and European Commission have stuck their heads in the sand — signalling they intend to try cobbling together another data agreement to replace the defunct Privacy Shield (which replaced the blasted-to-smithereens (un)Safe Harbor. So, er… ).

Yet without root-and-branch reform of US surveillance law, any third pop by respective lawmakers at papering over the legal schism of US national security priorities vs EU privacy rights is just as surely doomed to fail.

The more cynical among you might say the high level administrative manoeuvers around this topic are, in fact, simply intended to buy more time — for the data to keep flowing and ‘business as usual’ to continue.

But there is now substantial legal risk attached to a strategy of trying to pretend US surveillance law doesn’t exist.

Here’s Schrems again, on last month’s CJEU ruling, suggesting that Facebook and Google could be in the frame for legal liability if they don’t proactively warn EU customers of their data responsibilities: “The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused.”

And as noyb’s press release notes, GDPR’s penalties regime can scale as high as 4% of the worldwide turnover of the EU sender and the US recipient of personal data. So, again, hi Facebook, hi Google…

The crowdfunded campaign group has pledged to continue dialling up the pressure on EU regulators to act and on EU data processors to review any US data transfer arrangements — and “adapt to the clear ruling by the EU’s supreme court”, as it puts it.

Other types of legal action are also starting to draw on Europe’s General Data Protection Regulation (GDPR) framework — and, importantly, attract funding — such as two class action style suits filed against Oracle and Salesforce’s use of tracking cookies earlier this month. (As we said when GDPR came into force back in 2018, the lawsuits are coming.)

Now, with two clear strikes from the CJEU on the issue of US surveillance law vs EU data protection, it looks like it’ll be diminishing returns for US tech giants hoping to pretend everything’s fine on the data processing front.

noyb is also putting its money where its mouth is — offering free guidelines and model requests for EU entities to use to help them get their data affairs in prompt legal order.

“While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court,” Schrems added, in further comments on the latest squadron of complaints. “This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish DPC that stays dormant.”

We’ve reached out to Ireland’s Data Protection Commission to ask what steps it will be taking in light of the latest noyb complaints, a number of which target websites that appear to be operated by an Ireland-based legal entity.

Schrems’ original 2013 complaint against Facebook’s use of SCCs also ended up in Ireland, where the tech giant — and many others — locates its EU HQ. Schrems’ request that the DPC order Facebook to suspend its use of SCCs still hasn’t been fulfilled, some 7 years and 5 complaints later. And the regulator continues to face accusations of inaction, given the growing backlog of cross-border GDPR complaints against tech giants like Facebook and Google.

Ireland’s DPC has still yet to issue a single final decision on any of these major GDPR complaints. But the legal pressure for it and all EU regulators to get a move on and enforce the bloc’s law will only increase, even as class action style lawsuits are filed to try to do what regulators have failed to.

Earlier this summer the Commission acknowledged a lack of uniformly “vigorous” enforcement of GDPR in a review of the mechanism’s first two years of operation.

“The European Data Protection Board [EDPB] and the data protection authorities have to step up their work to create a truly common European culture — providing more coherent and more practical guidance, and work on vigorous but uniform enforcement,” said Věra Jourová, Commission VP for values and transparency then, giving the Commission’s first public assessment of whether GDPR is working.

We’ve also reached out to France’s CNIL to ask what action it will be taking in light of the noyb complaints.

Following the judgment in July the French regulator said it was “conducting a precise analysis”, along with the EDPB, with a view to “drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States”.

Since then the EDPB guidance has come out — inking the obvious: That transfers on the basis of Privacy Shield “are illegal”. And while the CJEU ruling did not invalidate the use of SCCs it gave only a very qualified green light to continued use.

As we reported last month, the ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” the EDPB added.
