Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

Tech giants are ignoring questions over the legality of their EU-US data transfers

A survey of responses from more than 30 companies to questions about how they’re approaching EU-US data transfers in the wake of a landmark ruling (aka Schrems II) by Europe’s top court in July, which struck down the flagship Privacy Shield over US surveillance overreach, suggests most are doing the equivalent of burying their head in the sand and hoping the legal nightmare goes away.

European privacy rights group, noyb, has done most of the groundwork here — rounding up in this 45-page report responses (some in English, others in German) from EU entities of 33 companies to a set of questions about personal data transfers.

It sums up the answers to the questions about companies’ legal basis for transferring EU citizens’ data over the pond post-Schrems II as “astonishing” or AWOL — given some failed to send a response at all.

Tech companies polled on the issue run the alphabetic gamut from Apple to Zoom. While Airbnb, Netflix and WhatsApp are among the companies that noyb says failed to respond about their EU-US data transfers.

Responses provided by companies that did respond appear to raise many more questions than they answer — with lots of question-dodging ‘boilerplate responses’ in evidence and/or pointing to existing privacy policies in the hope that will make the questioner go away (hi Facebook!).

Facebook also made repeat claims that sought for info falls outside the scope of the EU’s data protection framework…

noyb also highlights a response by Slack which said it does not “voluntarily” provide governments with access to data — which, as the privacy rights group points out, “does not answer the question of whether they are compelled to do so under surveillance laws such as FISA702”.

A similar issue affects Microsoft. So while the tech giant did at least respond specifically to each question it was asked, saying it’s relying on Standard Contractual Clauses (SCCs) for EU-US data transfers, again it’s one of the companies subject to US surveillance law — or as noyb notes: “explicitly named by the documents disclosed by Edward Snowden and publicly numbering the FISA702 requests by the US government it received and answered”.

That, in turn, raises questions about how Microsoft can claim to (legally) use SCCs if users’ data cannot be adequately protected from US mass surveillance… 

The Court of Justice of the EU made it clear that use of SCCs to take data outside the EU is contingent on a case by case assessment of whether the data will in fact be safe. If it is not the data controller is legally required to suspend the transfer. EU regulators also have a clear duty to act to suspend transfers where data is at risk.

“Overall, we were astonished by how many companies were unable to provide little more than a boilerplate answer. It seems that most of the industry still does not have a plan as to how to move forward,” noyb adds.

In August the group filed 101 complaints against websites it had identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations — with, again, both tech giants clearly subject to US surveillance laws, such as FISA 702.

noyb founder Max Schrems — whose surname has become synonymous with questions over EU-US data transfers — also continues to push the Irish Data Protection Commission (DPC) to take enforcement action over Facebook’s use of SCCs in a case that dates back some seven years.

Earlier this month it emerged the DPC had written to Facebook — issuing a preliminary order to suspend transfers. However Facebook filed an appeal for a judicial review in the Irish courts and was granted a stay.

In an affidavit filed to the court the tech giant appeared to claim it could shut down its service in Europe if the suspension order is enforced. But last week Facebook’s global VP and former UK deputy PM, Nick Clegg, denied it could shut down in Europe over the issue. Though he warned of “profound effects” on scores of digital businesses if a way is not found by lawmakers on both sides of the pond to resolve the legal uncertainty around U.S. data transfers. (A Privacy Shield 2 has been mooted but the European Commission has warned there’s no quick fix, suggesting reform of US surveillance law will be required.)

For his part Schrems has suggested the solution for Facebook at least is to federate its service — splitting its infrastructure in two. But Thierry Breton, EU commissioner for the internal market, has also called for “European data…[to] be stored and processed in Europe” — arguing earlier this month this data “belong in Europe” and “there is nothing protectionist about this”, in a discussion that flowed from US president Trump’s concerns about TikTok.

Back in Ireland, Facebook has complained to the courts that regulatory action over its EU-EU data transfers is being rushed (despite the complaint dating back to 2013); and also that it’s being unfairly singled out.

But now with data transfer complaints filed by noyb against scores of companies on the desk of every EU data supervisor, and regulators under explicit ECJ instruction they have a duty to step in a lot of pressure is being exerted to actually enforce the law and uphold Europeans’ data rights.

The European Data Protection Board’s guidance on Schrems II — which Facebook had also claimed to be waiting for — also specifies that the ability to (legally) use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data. So Facebook et al would do well to lobby the US government on reform of FISA. 

Legal clouds gather over US cloud services, after CJEU ruling

Comments

Post a Comment

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio
Post a Comment
Read more

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line
Post a Comment
Read more

ProtonMail logged IP address of French activist after order by Swiss authorities

ProtonMail , a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users. For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants. While it started as a local conflict, it quickly became a symbolic campaign. They attracted newspaper headlines when they started occupying prem
Post a Comment
Read more