Ireland probes TikTok’s handling of kids’ data and transfers to China

Ireland’s Data Protection Commission (DPC) has yet another ‘Big Tech’ GDPR probe to add to its pile: The regulator said yesterday it has opened two investigations into video sharing platform TikTok.

The first covers how TikTok handles children’s data, and whether it complies with Europe’s General Data Protection Regulation.

The DPC also said it will examine TikTok’s transfers of personal data to China, where its parent entity is based — looking to see if the company meets requirements set out in the regulation covering personal data transfers to third countries.

TikTok was contacted for comment on the DPC’s investigation.

A spokesperson told us:

“The privacy and safety of the TikTok community, particularly our youngest members, is a top priority. We’ve implemented extensive policies and controls to safeguard user data and rely on approved methods for data being transferred from Europe, such as standard contractual clauses. We intend to fully cooperate with the DPC.”

The Irish regulator’s announcement of two “own volition” enquiries follows pressure from other EU data protection authorities and consumer protection groups which have raised concerns about how TikTok handles user data generally and children’s information specifically.

In Italy this January, TikTok was ordered to recheck the age of every user in the country after the data protection watchdog instigated an emergency procedure, using GDPR powers, following child safety concerns.

TikTok went on to comply with the order — removing more than half a million accounts where it could not verify the users were not children.

This year European consumer protection groups have also raised a number of child safety and privacy concerns about the platform. And, in May, EU lawmakers said they would review the company’s terms of service.

On children’s data, the GDPR sets limits on how kids’ information can be processed, putting an age cap on the ability of children to consent to their data being used. The age limit varies per EU Member State but there’s a hard cap for kids’ ability to consent at 13 years old (some EU countries set the age limit at 16).

In response to the announcement of the DPC’s enquiry, TikTok pointed to its use of age gating technology and other strategies it said it uses to detect and remove underage users from its platform.

It also flagged a number of recent changes it’s made around children’s accounts and data — such as flipping the default settings to make their accounts private by default and limiting their exposure to certain features that intentionally encourage interaction with other TikTok users if those users are over 16.

While on international data transfers it claims to use “approved methods”. However the picture is rather more complicated than TikTok’s statement implies. Transfers of Europeans’ data to China are complicated by there being no EU data adequacy agreement in place with China.

In TikTok’s case, that means, for any personal data transfers to China to be lawful, it needs to have additional “appropriate safeguards” in place to protect the information to the required EU standard.

When there is no adequacy arrangement in place, data controllers can, potentially, rely on mechanisms like Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) — and TikTok’s statement notes it uses SCCs.

But — crucially — personal data transfers out of the EU to third countries have faced significant legal uncertainty and added scrutiny since a landmark ruling by the CJEU last year which invalidated a flagship data transfer arrangement between the US and the EU and made it clear that DPAs (such as Ireland’s DPC) have a duty to step in and suspend transfers if they suspect people’s data is flowing to a third country where it might be at risk.

So while the CJEU did not invalidate mechanisms like SCCs entirely, it essentially said all international transfers to third countries must be assessed on a case-by-case basis and, where a DPA has concerns, it must step in and suspend those non-secure data flows.

The CJEU ruling means just the fact of using a mechanism like SCCs doesn’t mean anything on its own re: the legality of a particular data transfer. It also amps up the pressure on EU agencies like Ireland’s DPC to be pro-active about assessing risky data flows.

Final guidance put out by the European Data Protection Board, earlier this year, provides details on the so-called ‘special measures’ that a data controller may be able to apply in order to increase the level of protection around their specific transfer so the information can be legally taken to a third country.

But these steps can include technical measures like strong encryption — and it’s not clear how a social media company like TikTok would be able to apply such a fix, given how its platform and algorithms are continuously mining users’ data to customize the content they see and in order to keep them engaged with TikTok’s ad platform.

In another recent development, China has just passed its first data protection law.

But, again, this is unlikely to change much for EU transfers. The Communist Party regime’s ongoing appropriation of personal data, through the application of sweeping digital surveillance laws, means it would be all but impossible for China to meet the EU’s stringent requirements for data adequacy. (And if the US can’t get EU adequacy it would be ‘interesting’ geopolitical optics, to put it politely, were the coveted status to be granted to China…)

One factor TikTok can take heart from is that it does likely have time on its side when it comes to the EU’s enforcement of its data protection rules.

The Irish DPC has a huge backlog of cross-border GDPR investigations into a number of tech giants.

It was only earlier this month that the Irish regulator finally issued its first decision against a Facebook-owned company — announcing a $267M fine against WhatsApp for breaching GDPR transparency rules (but only doing so years after the first complaints had been lodged).

The DPC’s first decision in a cross-border GDPR case pertaining to Big Tech came at the end of last year — when it fined Twitter $550k over a data breach dating back to 2018, the year GDPR technically began applying.

The Irish regulator still has scores of undecided cases on its desk — against tech giants including Apple and Facebook. That means that the new TikTok probes join the back of a much criticized bottleneck. And a decision on these probes isn’t likely for years.

On children’s data, TikTok may face swifter scrutiny elsewhere in Europe: The UK added some ‘gold-plating’ to its version of the EU GDPR in the area of children’s data — and, from this month, has said it expects platforms to meet its recommended standards.

It has warned that platforms that don’t fully engage with its Age Appropriate Design Code could face penalties under the UK’s GDPR. The UK’s code has been credited with encouraging a number of recent changes by social media platforms over how they handle kids’ data and accounts.


Dutch court will hear another Facebook privacy lawsuit

Privacy litigation that’s being brought against Facebook by two not-for-profits in the Netherlands can go ahead, an Amsterdam court has ruled. The case will be heard in October.

Since 2019, the Amsterdam-based Data Privacy Foundation (DPS) has been seeking to bring a case against Facebook over its rampant collection of Internet users’ data — arguing the company does not have a proper legal basis for the processing.

It has been joined in the action by the Dutch consumer protection not-for-profit, Consumentenbond.

The pair are seeking redress for Facebook users in the Netherlands for alleged violations of their privacy rights — both by suing for compensation for individuals; and calling for Facebook to end the privacy-hostile practices.

European Union law allows for collective redress across a number of areas, including data protection rights, enabling qualified entities to bring representative actions on behalf of rights holders. And the provision looks like an increasingly important tool for furthering privacy enforcement in the bloc, given how European data protection regulators have continued to lack uniform vigor in upholding rights set out in legislation such as the General Data Protection Regulation (which, despite coming into application in 2018, has yet to be seriously applied against platform giants like Facebook).

Returning to the Dutch litigation, Facebook denies any abuse and claims it respects user privacy and provides people with “meaningful control” over how their data gets exploited.

But it has fought the litigation by seeking to block it on procedural grounds — arguing for the suit to be tossed by claiming the DPS does not fit the criteria for bringing a privacy claim on behalf of others and that the Amsterdam court has no jurisdiction as its European business is subject to Irish, rather than Dutch, law.

However the Amsterdam District Court rejected its arguments, clearing the way for the litigation to proceed.

Contacted for comment on the ruling, a Facebook spokesperson told us:

“We are currently reviewing the Court’s decision. The ruling was about the procedural part of the case, not a finding on the merits of the action, and we will continue to defend our position in court. We care about our users in the Netherlands and protecting their privacy is important to us. We build products to help people connect with people and content they care about while honoring their privacy choices. Users have meaningful control over the data that they share on Facebook and we provide transparency around how their data is used. We also offer people tools to access, download, and delete their information and we are committed to the principles of GDPR.”

In a statement today, the Consumentenbond’s director, Sandra Molenaar, described the ruling as “a big boost for the more than 10 million victims” of Facebook’s practices in the country.

“Facebook has tried to throw up all kinds of legal hurdles and to delay this case as much as possible but fortunately the company has not succeeded. Now we can really get to work and ensure that consumers get what they are entitled to,” she added in the written remarks (translated from Dutch with Google Translate).

In another supporting statement, Dick Bouma, chairman of DPS, added: “This is a nice and important first step for the court. The ruling shows that it pays to take a collective stand against tech giants that violate privacy rights.”

The two not-for-profits are urging Facebook users in the Netherlands to sign up to be part of the representative action (and potentially receive compensation) — saying more than 185,000 people have registered so far.

The suit argues that Facebook users are ‘paying’ for the ‘free’ service with their data — contending the tech giant does not have a valid legal basis to process people’s information because it has not provided users with comprehensive information about the data it is gathering from and on them, nor what it does with it.

So — in essence — the argument is that Facebook’s tracking and targeting is in breach of EU privacy law.

The legal challenge follows an earlier investigation (back in 2014) of Facebook’s business by the Dutch data protection authority which identified problems with its privacy policy and — in a 2017 report — found the company to be processing users’ data without their knowledge or consent.

However, since 2018, Europe’s GDPR has been in application and a ‘one-stop-shop’ mechanism baked into the regulation — to streamline the handling of cross-border cases — has meant complaints against Facebook have been funnelled through Ireland’s Data Protection Commission. The Irish DPC has yet to issue a single decision against Facebook despite receiving scores of complaints. (And it’s notable that ‘forced consent’ complaints were filed against Facebook the day GDPR began being applied — yet still remain undecided by Ireland.)

The GDPR’s enforcement bottleneck makes collective redress actions, such as this one in the Netherlands, a potentially important route for Europeans to get rights relief against powerful platforms which seek to shrink the risk of regulatory enforcement via forum shopping.

Although national rules — and courts’ interpretations of them — can vary. So the chance of litigation succeeding is not uniform.

In this case, the Amsterdam court allowed the suit to proceed on the grounds that the Facebook data subjects in question reside in the Netherlands.

It also took the view that a local Facebook corporate entity in the Netherlands is an establishment of Facebook Ireland, among other reasons for rejecting Facebook’s arguments.

How Facebook will seek to press a case against the substance of the Dutch privacy litigation remains to be seen. It may well have other procedural strategies up its sleeve.

The tech giant has used similar stalling tactics against far longer-running privacy litigation in Austria, for example.

In that case, brought by privacy campaigner Max Schrems and his not-for-profit noyb, Facebook has sought to claim that the GDPR’s consent requirements do not apply to its advertising business because it now includes “personalized advertising” in its T&Cs — and therefore has a ‘duty’ to provide privacy-hostile ads to users — seeking to bypass the GDPR by claiming it must process users’ data because it’s “necessary for the performance of a contract”, as noyb explains here.

A court in Vienna accepted this “GDPR consent bypass” sleight-of-hand, dealing a blow to European privacy campaigners.

But an appeal reached the Austrian Supreme Court in March — and a referral could be made to Europe’s top court.

If that happens it would then be up to the CJEU to weigh in on whether such a massive loophole in the EU’s flagship data protection framework should really be allowed to stand. But that process could still take over a year or longer.

In the short term, the result is yet more delay for Europeans trying to exercise their rights against platform giants and their in-house armies of lawyers.

In a more positive development for privacy rights, a recent ruling by the CJEU bolstered the case for data protection agencies across the EU to bring actions against tech giants if they see an urgent threat to users — and believe a lead supervisor is failing to act.

That ruling could help unblock some GDPR enforcement against the most powerful tech companies at the regulatory level, potentially reducing the blockages created by bottlenecks such as Ireland.

Facebook’s EU-to-US data flows are also now facing the possibility of a suspension order in a matter of months — related to another piece of litigation brought by Schrems which hinges on the conflict between EU fundamental rights and US surveillance law.

The CJEU weighed in on that last summer with a judgement that requires regulators like Ireland to act when user data is at risk. (And Germany’s federal data protection commissioner, for instance, has warned government bodies to shut their official Facebook pages ahead of planned enforcement action at the start of next year.)

So while Facebook has been spectacularly successful at kicking Europe’s privacy rights claims down the road, for well over a decade, its strategy of legal delay tactics to shield a privacy-hostile business model could finally hit a geopolitical brick wall.

The tech giant has sought to lobby against this threat to its business by suggesting it might switch off its service in Europe if the regulator follows through on a preliminary suspension order last year.

But it has also publicly denied it would actually follow through and close service in Europe.

How might Facebook actually comply if ordered to cut off EU data flows? Schrems has argued it may need to federate its service and store European users’ data inside the EU in order to comply with the eponymous Schrems II CJEU ruling.

Albeit, Facebook has certainly shown itself adept at exploiting the gaps between Europeans’ on-paper rights, national case law and the various EU and Member State institutions involved in oversight and enforcement as a tactic to defend its commercial priorities — playing different players and pushing agendas to further its business interests. So whether any single piece of EU privacy litigation will prove to be the silver bullet that forces a reboot of its privacy-hostile business model very much remains to be seen.

A perhaps more likely scenario is that each of these cases further erodes user trust in Facebook’s services — reducing people’s appetite to use its apps and expanding opportunities for rights-respecting competitors to poach custom by offering something better. 



German government bodies urged to remove their Facebook Pages before next year

Germany’s federal information commissioner has run out of patience with Facebook.

Last month, Ulrich Kelber wrote to government agencies “strongly recommend[ing]” that they close down their official Facebook Pages because of ongoing data protection compliance problems and the tech giant’s failure to fix the issue.

In the letter, Kelber warns the government bodies that he intends to start taking enforcement action from January 2022 — essentially giving them a deadline of next year to pull their pages from Facebook.

So expect not to see official Facebook Pages of German government bodies in the coming months.

While Kelber’s own agency, the BfDi, does not appear to have a Facebook Page (although Facebook’s algorithms appear to generate this artificial stub if you try searching for one) plenty of other German federal bodies do — such as the Ministry of Health, whose public page has more than 760,000 followers.

The only alternative to such pages vanishing from Facebook’s platform by Christmas — or else being ordered to be taken down early next year by Kelber — seems to be for the tech giant to make more substantial changes to how its platform operates than it has offered so far, allowing the Pages to be run in Germany in a way that complies with EU law.

However Facebook has a long history of ignoring privacy expectations and data protection laws.

It has also, very recently, shown itself more than willing to reduce the quality of information available to users — if doing so furthers its business interests (such as to lobby against a media code law, as users in Australia can attest).

So it looks rather more likely that German government agencies will be the ones having to quietly bow off the platform soon…

Kelber says he’s avoided taking action over the ministries’ Facebook Pages until now on account of the public bodies arguing that their Facebook Pages are an important way for them to reach citizens.

However his letter points out that government bodies must be “role models” in matters of legal compliance — and therefore have “a particular duty” to comply with data protection law. (The EDPS is taking a similar tack by reviewing EU institutions’ use of US cloud services giants.)

Per his assessment, an “addendum” provided by Facebook in 2019 does not rectify the compliance problem and he concludes that Facebook has made no changes to its data processing operations to enable Page operators to comply with requirements set out in the EU’s General Data Protection Regulation.

A ruling by Europe’s top court, back in June 2018, is especially relevant here — as it held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page.

That means that the operators of such pages also face data protection compliance obligations, and cannot simply assume that Facebook’s T&Cs provide them with legal cover for the data processing the tech giant undertakes.

The problem, in a nutshell, is that Facebook does not provide Page operators with enough information or assurances about how it processes users’ data — meaning they’re unable to comply with GDPR principles of accountability and transparency because, for example, they’re unable to adequately inform followers of their Facebook Page what is being done with their data.

There is also no way for Facebook Page operators to switch off (or otherwise block) wider processing of their Page followers by Facebook. Even if they don’t make use of any of the analytics features Facebook provides to Page operators.

The processing still happens.

This is because Facebook operates a take-it-or-leave it ‘data maximizing’ model — to feed its ad-targeting engines.

But it’s an approach that could backfire if it ends up permanently reducing the quality of the information available on its network because there’s a mass migration of key services off its platform. Such as, for example, if every government agency in the EU deleted its Facebook Page.

A related blog post on the BfDi’s website also holds out the hope that “data protection-compliant social networks” might develop in the Facebook compliance vacuum.

Certainly there could be a competitive opportunity for alternative platforms that seek to sell services based on respecting users’ rights.

The German Federal Ministry of Health’s verified Facebook Page (Screengrab: TechCrunch/Natasha Lomas)

Discussing the BfDi’s intervention, Luca Tosoni, a research fellow at the University of Oslo’s Norwegian Research Center for Computers and Law, told TechCrunch: “This development is strictly connected to recent CJEU case law on joint controllership. In particular, it takes into account the Wirtschaftsakademie ruling, which found that the administrator of a Facebook page should be considered a joint controller with Facebook in respect of processing the personal data of the visitors of the page.

“This does not mean that the page administrator and Facebook share equal responsibility for all stages of the data processing activities linked to the use of the Facebook page. However, they must have an agreement in place with a clear allocation of roles and responsibilities. According to the German Federal Commissioner for Data Protection and Freedom of Information, Facebook’s current data protection ‘Addendum’ would not seem to be sufficient to meet the latter requirement.”

“It is worth noting that, in its Fashion ID ruling, the CJEU has taken the view that the GDPR’s obligations for joint controllers are commensurate with those data processing stages in which they actually exercise control,” Tosoni added. “This means that the data protection obligations of a Facebook page administrator would normally tend to be quite limited.”

Warnings for other social media services

This particular compliance issue affects Facebook in Germany — and potentially any other EU market. But other social media services may face similar problems too.

For example, Kelber’s letter flags an ongoing audit of Instagram, TikTok and Clubhouse — warning of “deficits” in the level of data protection they offer too.

He goes on to recommend that agencies avoid using the three apps on business devices.  

In an earlier, 2019 assessment of government bodies’ use of social media services, the BfDi suggested usage of Twitter could — by contrast — be compliant with data protection rules. At least if privacy settings were fully enabled and analytics disabled, for example.

At the time the BfDi also warned that Facebook-owned Instagram faced similar compliance problems to Facebook, being subject to the same “abusive” approach to consent he said was taken by the whole group.

Reached for comment on Kelber’s latest recommendations to government agencies, Facebook did not engage with our specific questions — sending us this generic statement instead:

“At the end of 2019, we updated the Page Insights addendum and clarified the responsibilities of Facebook and Page administrators, for which we took questions regarding transparency of data processing into account. It is important to us that also federal agencies can use Facebook Pages to communicate with people on our platform in a privacy-compliant manner.”

An additional complication for Facebook has arisen in the wake of the legal uncertainty following last summer’s Schrems II ruling by the CJEU.

Europe’s top court invalidated the EU-US Privacy Shield arrangement, which had allowed companies to self-certify an adequate level of data protection, removing the easiest route for transferring EU users’ personal data over to the US. And while the court did not outlaw international transfers of EU users’ personal data altogether it made it clear that data protection agencies must intervene and suspend data flows if they suspect information is being moved to a place, and in such a way, that it’s put at risk.

Following Schrems II, transfers to the US are clearly problematic where the data is being processed by a US company that’s subject to FISA 702, as is the case with Facebook.

Indeed, Facebook’s EU-to-US data transfers were the original target of the complainant in the Schrems II case (by the eponymous Max Schrems). And a decision remains pending on whether the tech giant’s lead EU data supervisor will follow through on a preliminary order last year that it should suspend its EU data flows — due in the coming months.

Even ahead of that long-anticipated reckoning in Ireland, other EU DPAs are now stepping in to take action — and Kelber’s letter references the Schrems II ruling as another issue of concern.

Tosoni agrees that GDPR enforcement is finally stepping up a gear. But he also suggested that compliance with the Schrems II ruling comes with plenty of nuance, given that each data flow must be assessed on a case by case basis — with a range of supplementary measures that controllers may be able to apply.

“This development also shows that European data protection authorities are getting serious about enforcing the GDPR data transfer requirements as interpreted by the CJEU in Schrems II, as the German Federal Commissioner for Data Protection and Freedom flagged this as another pain point,” he said.

“However, the German Federal Commissioner sent out his letter on the use of Facebook pages a few days before the EDPB adopted the final version of its recommendations on supplementary measures for international data transfers following the CJEU Schrems II ruling. Therefore, it remains to be seen how German data protection authorities will take these new recommendations into account in the context of their future assessment of the GDPR compliance of the use of Facebook pages by German public authorities.

“Such recommendations do not establish a blanket ban on data transfers to the US but impose the adoption of stringent safeguards, which will need to be followed to keep on transferring the data of German visitors of Facebook pages to the US.”

Another recent judgment by the CJEU reaffirmed that EU data protection agencies can, in certain circumstances, take action when they are not the lead data supervisor for a specific company under the GDPR’s one-stop-shop mechanism — expanding the possibility for litigation by watchdogs in Member States if a local agency believes there’s an urgent need to act.

Although, in the case of the German government bodies’ use of Facebook Pages, the earlier CJEU finding on joint controllership means the BfDi already has clear jurisdiction to target these agencies’ Facebook Pages itself.



EU puts out final guidance on data transfers to third countries

The European Data Protection Board (EDPB) published its final recommendations yesterday, setting out guidance for making transfers of personal data to third countries comply with EU data protection rules in light of last summer’s landmark CJEU ruling (aka Schrems II).

The long and short of these recommendations — which are fairly long; running to 48 pages — is that some data transfers to third countries will simply not be possible to (legally) carry out. Despite the continued existence of legal mechanisms that can, in theory, be used to make such transfers (like Standard Contractual Clauses; a transfer tool that was recently updated by the Commission).

However it’s up to the data controller to assess the viability of each transfer, on a case by case basis, to determine whether data can legally flow in that particular case. (Which may mean, for example, a business making complex assessments about foreign government surveillance regimes and how they impinge upon its specific operations.)

Companies that routinely take EU users’ data outside the bloc for processing in third countries (like the US), which do not have data adequacy arrangements with the EU, face substantial cost and challenge in attaining compliance — in a best case scenario.

Those that can’t apply viable ‘special measures’ to ensure transferred data is safe are duty bound to suspend data flows — with the risk, should they fail to do that, of being ordered to by a data protection authority (which could also apply additional sanctions).

One alternative option could be for such a firm to store and process EU users’ data locally — within the EU. But clearly that won’t be viable for every company.

Law firms are likely to be very happy with this outcome since there will be increased demand for legal advice as companies grapple with how to structure their data flows and adapt to a post-Schrems II world.

In some EU jurisdictions (such as Germany) data protection agencies are now actively carrying out compliance checks — so orders to suspend transfers are bound to follow.

While the European Data Protection Supervisor is busy scrutinizing EU institutions’ own use of US cloud services giants to see whether high level arrangements with tech giants like AWS and Microsoft pass muster or not.

Last summer the CJEU struck down the EU-US Privacy Shield — only a few years after the flagship adequacy arrangement was inked. The same core legal issues did for its predecessor, ‘Safe Harbor’, though that had stood for some fifteen years. And since the demise of Privacy Shield the Commission has repeatedly warned there will be no quick fix replacement this time; nothing short of major reform of US surveillance law is likely to be required.

US and EU lawmakers remain in negotiations over a replacement EU-US data flows deal but a viable outcome, one that can stand up to legal challenge as the prior two agreements could not, may well require years of work, not months.

And that means EU-US data flows are facing legal uncertainty for the foreseeable future.

The UK, meanwhile, has just squeezed a data adequacy agreement out of the Commission — despite some loudly enunciated post-Brexit plans for regulatory divergence in the area of data protection.

If the UK follows through in ripping up key tenets of its inherited EU legal framework there’s a high chance it will also lose adequacy status in the coming years — meaning it too could face crippling barriers to EU data flows. (But for now it seems to have dodged that bullet.)

Data flows to other third countries that also lack an EU adequacy agreement — such as China and India — face the same ongoing legal uncertainty.

The backstory to the EU international data flows issues originates with a complaint — in the wake of NSA whistleblower Edward Snowden’s revelations about government mass surveillance programs, so more than seven years ago — made by the eponymous Max Schrems over what he argued were unsafe EU-US data flows.

His complaint, however, was specifically targeted at Facebook’s business, and called on the Irish Data Protection Commission (DPC) to use its enforcement powers and suspend Facebook’s EU-US data flows.

A regulatory dance of indecision followed which finally saw legal questions referred to Europe’s top court and — ultimately — the demise of the EU-US Privacy Shield. The CJEU ruling also put it beyond legal doubt that Member States’ DPAs must step in and act when they suspect data is flowing to a location where the information is at risk.

Following the Schrems II ruling, the DPC (finally) sent Facebook a preliminary order to suspend its EU-US data flows last fall. Facebook immediately challenged the order in the Irish courts — seeking to block the move. But that challenge failed. And Facebook’s EU-US data flows are now very much operating on borrowed time.

As one of the platforms subject to Section 702 of the US’ FISA law, its options for applying ‘special measures’ to supplement its EU data transfers look, well, limited to say the least.

It can’t — for example — encrypt the data in a way that ensures it has no access to it (zero access encryption) since that’s not how Facebook’s advertising empire functions. And Schrems has previously suggested Facebook will have to federate its service — and store EU users’ information inside the EU — to fix its data transfer problem.

Safe to say, the costs and complexity of compliance for certain businesses like Facebook look massive.

But there will be compliance costs and complexity for thousands of businesses in the wake of the CJEU ruling.

Commenting on the EDPB’s adoption of final recommendations, chair Andrea Jelinek said: “The impact of Schrems II cannot be underestimated: Already international data flows are subject to much closer scrutiny from the supervisory authorities who are conducting investigations at their respective levels. The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area.

“By clarifying some doubts expressed by stakeholders, and in particular the importance of examining the practices of public authorities in third countries, we want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance.”

The EDPB put out earlier guidance on Schrems II compliance last year.

It said the main modifications between that earlier advice and its final recommendations include: “The emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment to determine whether the legislation and/or practices of the third country impinge — in practice — on the effectiveness of the Art. 46 GDPR transfer tool; the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool”.

Commenting on the EDPB’s recommendations in a statement, law firm Linklaters dubbed the guidance “strict” — warning over the looming impact on businesses.

“There is little evidence of a pragmatic approach to these transfers and the EDPB seems entirely content if the conclusion is that the data must remain in the EU,” said Peter Church, a Counsel at the global law firm. “For example, before transferring personal data to a third country (without adequate data protection laws) businesses must consider not only its law but how its law enforcement and national security agencies operate in practice. Given these activities are typically secretive and opaque, this type of analysis is likely to cost tens of thousands of euros and take time. It appears this analysis is needed even for relatively innocuous transfers.”

“It is not clear how SMEs can be expected to comply with these requirements,” he added. “Given we now operate in a globalised society the EDPB, like King Canute, should consider the practical limitations on its power. The guidance will not turn back the tides of data washing back and forth across the world, but many businesses will really struggle to comply with these new requirements.”



Europe needs to back browser-level controls to fix cookie consent nightmares, says privacy group

European privacy group noyb, which recently kicked off a major campaign targeting rampant abuse of the region’s cookie consent rules, has followed up by publishing a technical proposal for an automated browser-level signal it believes could go even further to tackle the friction generated by endless ‘your data choices’ pop-ups.

Its proposal is for an automated signal layer that would enable users to configure advanced consent choices — such as only being asked to allow cookies if they frequently visit a website; or being able to whitelist lists of sites for consent (if, for example, they want to support quality journalism by allowing their data to be used for ads in those specific cases).

The approach would offer a route to circumvent the user experience nightmare flowing from all the dark pattern design that’s made cookie consent collection so cynical, confusing and tedious — by simply automating the yeses and noes, thereby keeping interruptions to a user-defined minimum.

In the European Union cookie consent banners mushroomed in the wake of a 2018 update to the bloc’s privacy rules (GDPR) — especially on websites that rely on targeted advertising to generate revenue. And in recent years it has not been unusual to find cookie pop-ups that contain a labyrinthine hell of opacity, culminating (if you don’t just click ‘agree’) in vast menus of ‘trusted partners’ all after your data. Some of these are pre-set to share information and require the user to individually toggle each and every one off.

Such stuff is a mockery of compliance, rather than the truly simple choice envisaged by the law. So noyb’s earlier campaign is focused on filing scores of complaints against sites it believes aren’t complying with requirements to provide users with a clear and free choice to say no to their data being used for ads (and it’s applying a little automation tech there too to help scale up the number of complaints it can file).

Its follow-up here — showing how an advanced control layer that signals user choices in the background could work — shares the same basic approach as the ‘Do Not Track’ proposals originally put forward for baking into web browsers all the way back in 2009 but which failed to get industry buy-in. There has also been a more recent US-based push to revive the idea of browser-level privacy control — buoyed by the California Consumer Privacy Act (CCPA), which took effect at the start of last year, and includes a requirement that businesses respect user opt-out preferences via a signal from their browser.

However, noyb’s version of browser-level privacy control seeks to go further by enabling more granular controls — which it says is necessary to better mesh with the EU’s nuanced legal framework around data protection.

It points out that Article 21(5) of the GDPR already allows for automatic signals from the browser to inform websites in the background whether a user is consenting to data processing or not.

The ePrivacy Regulation proposal, a much delayed reform of the bloc’s rules around electronic privacy, has also included such a provision.

However noyb says development to establish such a signal hasn’t happened yet — suggesting that cynically manipulative consent management platforms may well have been hampering privacy-focused innovation.

But it also sees a chance for the necessary momentum to build behind the idea.

For example, it points to how Apple has recently been dialling up the notification and control it offers users of its mobile platform, iOS, to allow people to both know which third party apps want to track them and allow or deny access to their data — including giving users a super simple ‘deny all third party tracking’ option baked into iOS’ settings.

So, well, why should Internet users who happen to be browsing on a desktop device not have a set of similarly advanced privacy controls too?

EU lawmakers are also still debating the ePrivacy Regulation reform — which deals centrally with cookies — so the campaign group wants to demonstrate how automated control tech could be a key piece of the answer to so-called ‘cookie consent fatigue’; by giving users a modern toolset to shrink consent friction without compromising their ability to control what happens with their data.

In order to work as intended automated signals would need to be legally binding (to prevent adtech companies just ignoring them) — and having a clear legal basis set out in the ePrivacy Regulation is one way that could happen within fairly short order.

The chance at least is there.

There have been concerns that the ePrivacy reform — which was stalled for years — could end up weakening the EU’s data protection framework in the face of massive adtech industry lobbying. And the negotiation process to reach a final text remains ongoing. So it’s still not clear where it’s going to end up.

But, earlier this year, the European Council agreed its negotiating mandate with the other EU institutions. And, on cookies, the Council said they want companies to find ways to reduce ‘cookie consent fatigue’ among users — such as by whitelisting types of cookies/providers in their browser settings. So there is at least a potential path to legislate for an effective browser-level control layer in Europe.

For now, noyb has published a prototype and a technology specification for what it’s calling the ADPC (aka Advanced Data Protection Control). The work on the framework has been carried out by noyb working with the Sustainable Computing Lab at the Vienna University of Economics and Business.

The proposal envisages web pages sending privacy requests in a machine-readable way and the ADPC allowing the response to be transmitted using header signals or via JavaScript. noyb likens the intelligent management of queries and automatic responses such a system could support to an email spam filter.

Commenting in a statement, chairman Max Schrems said: “For Europe, we need more than just an ‘opt-out’ so that it fits into our legal framework. That’s why we call the prototype ‘Advanced’ Data Protection Control, because it’s much more flexible and specific than previous approaches.

“ADPC allows intelligent management of privacy requests. A user could say, for example, ‘please ask me only after I’ve been to the site several times’ or ‘ask me again after 3 months.’ It is also possible to answer similar requests centrally. ADPC thus allows the flood of data requests to be managed in a meaningful way.”

“With ADPC, we also want to show the European legislator that such a signal is feasible and brings advantages for all sides,” he added. “We hope that the negotiators of the member states and the European Parliament will ensure a solid legal basis here, which could be applicable law in a short time. What California has done already, the EU should be able to do as well.”

The Commission has been contacted for comment on noyb’s ADPC.

While there are wider industry shifts afoot to deprecate tracking cookies altogether — with Google proposing to replace current adtech infrastructure supported by Chrome with an alternative stack of (it claims) more privacy respecting alternatives (aka its Privacy Sandbox) — there’s still plenty of uncertainty over what will ultimately happen to third party cookies.

Google’s move to end support for tracking cookies is being closely scrutinized by regional antitrust regulators. And just last week the UK’s Competition and Markets Authority (CMA), which is investigating a number of complaints about the plan, said it’s minded to accept concessions from Google that would mean the regulator could order it not to switch off tracking cookies.

Moreover, even if tracking cookies do finally crumble there is still the question of what exactly they get replaced with — and how alternative adtech infrastructure could impact user privacy.

Google’s so-called ‘Privacy Sandbox’ proposal to target ads at cohorts of users (based on bucketed ‘interests’ its technology will assign them via on-device analysis of their browsing habits) has raised fresh concerns about the risks of exploitative and predatory advertising. So it may be no less important for users to have meaningful browser-level controls over their privacy choices in the future — even if the tracking cookie itself goes away.

A browser-level signal could offer a way for a web user to say ‘no’ to being stuck in an ‘interest bucket’ for ad targeting purposes, for example — signalling that they prefer to see only contextual ads instead, say.

tl;dr: The issue of consent does not only affect cookies — and it’s telling that Google has avoided running the first trials of its replacement tech for tracking cookies (FLoCs, or federated learning of cohorts) in Europe.



Europe’s cookie consent reckoning is coming

Cookie pop-ups getting you down? Complaints that the web is ‘unusable’ in Europe because of frustrating and confusing ‘data choices’ notifications that get in the way of what you’re trying to do online certainly aren’t hard to find.

What is hard to find is the ‘reject all’ button that lets you opt out of non-essential cookies which power unpopular stuff like creepy ads. Yet the law says there should be an opt-out clearly offered. So people who complain that EU ‘regulatory bureaucracy’ is the problem are taking aim at the wrong target.

EU law on cookie consent is clear: Web users should be offered a simple, free choice — to accept or reject.

The problem is that most websites simply aren’t compliant. They choose to make a mockery of the law by offering a skewed choice: Typically a super simple opt-in (to hand them all your data) vs a highly confusing, frustrating, tedious opt-out (and sometimes even no reject option at all).

Make no mistake: This is ignoring the law by design. Sites are choosing to try to wear people down so they can keep grabbing their data by only offering the most cynically asymmetrical ‘choice’ possible.

However, since that’s not how cookie consent is supposed to work under EU law, sites that are doing this are opening themselves to large fines under the General Data Protection Regulation (GDPR) and/or ePrivacy Directive for flouting the rules.

See, for example, these two whopping fines handed to Google and Amazon in France at the back end of last year for dropping tracking cookies without consent…

While those fines were certainly head-turning, we haven’t generally seen much EU enforcement on cookie consent — yet.

This is because data protection agencies have mostly taken a softly-softly approach to bringing sites into compliance. But there are signs enforcement is going to get a lot tougher. For one thing, DPAs have published detailed guidance on what proper cookie compliance looks like — so there are zero excuses for getting it wrong.

Some agencies had also been offering compliance grace periods to allow companies time to make the necessary changes to their cookie consent flows. But it’s now a full three years since the EU’s flagship data protection regime (GDPR) came into application. So, again, there’s no valid excuse to still have a horribly cynical cookie banner. It just means a site is trying its luck by breaking the law.

There is another reason to expect cookie consent enforcement to dial up soon, too: European privacy group noyb is today kicking off a major campaign to clean up the trashfire of non-compliance — with a plan to file up to 10,000 complaints against offenders over the course of this year. And as part of this action it’s offering freebie guidance for offenders to come into compliance.

Today it’s announcing the first batch of 560 complaints already filed against sites, large and small, located all over the EU (33 countries are covered). noyb said the complaints target companies that range from large players like Google and Twitter to local pages “that have relevant visitor numbers”.

“A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button,” said noyb chair and long-time EU privacy campaigner, Max Schrems, in a statement.

“Instead of giving a simple yes or no option, companies use every trick in the book to manipulate users. We have identified more than fifteen common abuses. The most common issue is that there is simply no ‘reject’ button on the initial page,” he added. “We focus on popular pages in Europe. We estimate that this project can easily reach 10,000 complaints. As we are funded by donations, we provide companies a free and easy settlement option — contrary to law firms. We hope most complaints will quickly be settled and we can soon see banners become more and more privacy friendly.”

To scale its action, noyb developed a tool which automatically parses cookie consent flows to identify compliance problems (such as no opt out being offered at the top layer; or confusing button coloring; or bogus ‘legitimate interest’ opt-ins, to name a few of the many chronicled offences); and automatically create a draft report which can be emailed to the offender after it’s been reviewed by a member of the not-for-profit’s legal staff.

It’s an innovative, scalable approach to tackling systematically cynical cookie manipulation in a way that could really move the needle and clean up the trashfire of horrible cookie pop-ups.

noyb is even giving offenders a warning first — and a full month to clean up their ways — before it will file an official complaint with their relevant DPA (which could lead to an eye-watering fine).

Its first batch of complaints is focused on the OneTrust consent management platform (CMP), one of the most popular template tools used in the region — and which European privacy researchers have previously shown (cynically) provides its client base with ample options to set non-compliant choices like pre-checked boxes… Talk about taking the biscuit.

A noyb spokeswoman said it’s started with OneTrust because its tool is popular but confirmed the group will expand the action to cover other CMPs in the future.

The first batch of noyb’s cookie consent complaints reveals the rotten depth of dark patterns being deployed — with 81% of the 500+ pages not offering a reject option on the initial page (meaning users have to dig into sub-menus to try to find it); and 73% using “deceptive colors and contrasts” to try to trick users into clicking the ‘accept’ option.

noyb’s assessment of this batch also found that a full 90% did not provide a way to easily withdraw consent as the law requires.

Cookie compliance problems found in the first batch of sites facing complaints (Image credit: noyb)

It’s a snapshot of truly massive enforcement failure. But dodgy cookie consents are now operating on borrowed time.

Asked if it was able to work out how prevalent cookie abuse might be across the EU based on the sites it crawled, noyb’s spokeswoman said it was difficult to determine, owing to technical difficulties encountered through its process, but she said an initial intake of 5,000 websites was whittled down to 3,600 sites to focus on. And of those it was able to determine that 3,300 violated the GDPR.

That still left 300 — as either having technical issues or no violations — but, again, the vast majority (90%) were found to have violations. And with so much rule-breaking going on it really does require a systematic approach to fixing the ‘bogus consent’ problem — so noyb’s use of automation tech is very fitting.

More innovation is also on the way from the not-for-profit — which told us it’s working on an automated system that will allow Europeans to “signal their privacy choices in the background, without annoying cookie banners”.

At the time of writing it couldn’t provide us with more details on how that will work (presumably it will be some kind of browser plug-in) but said it will be publishing more details “in the next weeks” — so hopefully we’ll learn more soon.

A browser plug-in that can automatically detect and select the ‘reject all’ button (even if only from a subset of the most prevalent CMPs) sounds like it could revive the ‘do not track’ dream. At the very least, it would be a powerful weapon to fight back against the scourge of dark patterns in cookie banners and kick non-compliant cookies to digital dust.



EU bodies’ use of US cloud services from AWS, Microsoft being probed by bloc’s privacy chief

Europe’s lead data protection regulator has opened two investigations into EU institutions’ use of cloud services from U.S. cloud giants, Amazon and Microsoft, under so-called Cloud II contracts inked earlier between European bodies, institutions and agencies and AWS and Microsoft.

A separate investigation has also been opened into the European Commission’s use of Microsoft Office 365 to assess compliance with earlier recommendations, the European Data Protection Supervisor (EDPS) said today.

Wojciech Wiewiórowski is probing the EU’s use of U.S. cloud services as part of a wider compliance strategy announced last October following a landmark ruling by the Court of Justice (CJEU) — aka, Schrems II — which struck down the EU-US Privacy Shield data transfer agreement and cast doubt upon the viability of alternative data transfer mechanisms in cases where EU users’ personal data is flowing to third countries where it may be at risk from mass surveillance regimes.

In October, the EU’s chief privacy regulator asked the bloc’s institutions to report on their transfers of personal data to non-EU countries. This analysis confirmed that data is flowing to third countries, the EDPS said today. And that it’s flowing to the U.S. in particular — on account of EU bodies’ reliance on large cloud service providers (many of which are U.S.-based).

That’s hardly a surprise. But the next step could be very interesting as the EDPS wants to determine whether those historical contracts (which were signed before the Schrems II ruling) align with the CJEU judgement or not.

Indeed, the EDPS warned today that they may not — which could thus require EU bodies to find alternative cloud service providers in the future (most likely ones located within the EU, to avoid any legal uncertainty). So this investigation could be the start of a regulator-induced migration in the EU away from U.S. cloud giants.

Commenting in a statement, Wiewiórowski said: “Following the outcome of the reporting exercise by the EU institutions and bodies, we identified certain types of contracts that require particular attention and this is why we have decided to launch these two investigations. I am aware that the ‘Cloud II contracts’ were signed in early 2020 before the ‘Schrems II’ judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.”

Amazon and Microsoft have been contacted with questions regarding any special measures they have applied to these Cloud II contracts with EU bodies.

The EDPS said it wants EU institutions to lead by example. And that looks important given how, despite a public warning from the European Data Protection Board (EDPB) last year — saying there would be no regulatory grace period for implementing the implications of the Schrems II judgement — there haven’t been any major data transfer fireworks yet.

The most likely reason for that is a fair amount of head-in-the-sand reaction and/or superficial tweaks made to contracts in the hopes of meeting the legal bar (but which haven’t yet been tested by regulatory scrutiny).

Final guidance from the EDPB is also still pending, although the Board put out detailed advice last fall.

The CJEU ruling made it plain that EU law in this area cannot simply be ignored. So as the bloc’s data regulators start scrutinizing contracts that are taking data out of the EU some of these arrangements are, inevitably, going to be found wanting — and their associated data flows ordered to stop.

To wit: A long-running complaint against Facebook’s EU-US data transfers — filed by the eponymous Max Schrems, a long-time EU privacy campaigner and lawyer, all the way back in 2013 — is slowly winding toward just such a possibility.

Last fall, following the Schrems II ruling, the Irish regulator gave Facebook a preliminary order to stop moving Europeans’ data over the pond. Facebook sought to challenge that in the Irish courts but lost its attempt to block the proceeding earlier this month. So it could now face a suspension order within months.

How Facebook might respond is anyone’s guess but Schrems suggested to TechCrunch last summer that the company will ultimately need to federate its service, storing EU users’ data inside the EU.

The Schrems II ruling does generally look like it will be good news for EU-based cloud service providers which can position themselves to solve the legal uncertainty issue (even if they aren’t as competitively priced and/or scalable as the dominant US-based cloud giants).

Fixing U.S. surveillance law, meanwhile — so that it gets independent oversight and accessible redress mechanisms for non-citizens in order to no longer be considered a threat to EU people’s data, as the CJEU judges have repeatedly found — is certainly likely to take a lot longer than ‘months’. If indeed the US authorities can ever be convinced of the need to reform their approach.

Still, if EU regulators finally start taking action on Schrems II — by ordering high profile EU-US data transfers to stop — that might help concentrate US policymakers’ minds toward surveillance reform. Otherwise local storage may be the new future normal.


European Parliament amps up pressure on EU-US data flows and GDPR enforcement

European Union lawmakers are facing further pressure to step in and do something about lackadaisical enforcement of the bloc’s flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to start an infringement proceeding against Ireland’s Data Protection Commission (DPC) for not “properly enforcing” the regulation.

The Commission and the DPC have been contacted for comment on the parliament’s call.

Last summer the Commission’s own two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement — but commissioners were keener to point out the positives, lauding the regulation as a “global reference point”.

But it’s now nearly three years since the regulation began being applied and criticism over weak enforcement is getting harder for the EU’s executive to ignore.

The parliament’s resolution — which, while non-legally binding, fires a strong political message across the Commission’s bow — singles out the DPC for specific criticism given its outsized role in enforcement of the General Data Protection Regulation (GDPR). It’s the lead supervisory authority for complaints brought against the many big tech companies which choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).

The text of the resolution expresses “deep concern” over the DPC’s failure to reach a decision on a number of complaints against breaches of the GDPR filed the day it came into application, on May 25, 2018 — including against Facebook and Google — and criticises the Irish data watchdog for interpreting ‘without delay’ in Article 60(3) of the GDPR “contrary to the legislators’ intention – as longer than a matter of months”, as they put it.

To date the DPC has only reached a final decision on one cross-border GDPR case — against Twitter.

The parliament also says it’s “concerned about the lack of tech specialists working for the DPC and their use of outdated systems” (which Brave also flagged last year) — as well as criticizing the watchdog’s handling of a complaint originally brought by privacy campaigner Max Schrems years before the GDPR came into application, which relates to the clash between EU privacy rights and US surveillance laws, and which still hasn’t resulted in a decision.

The DPC’s approach to handling Schrems’ 2013 complaint led to a 2018 referral to the CJEU — which in turn led to the landmark Schrems II judgement last summer invalidating the flagship EU-US data transfer arrangement, Privacy Shield.

That ruling did not outlaw alternative data transfer mechanisms but made it clear that EU DPAs have an obligation to step in and suspend data transfers if Europeans’ information is being taken to a third country that does not have essentially equivalent protections to those they have under EU law — thereby putting the ball back in the DPC’s court on the Schrems complaint.

The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers and the tech giant responded by filing for a judicial review of the DPC’s processes. However the Irish High Court rejected Facebook’s petition last week. And a stay on the DPC’s investigation was lifted yesterday — so the DPC’s process of reaching a decision on the Facebook data flows complaint has started moving again.

A final decision could still take several months more, though — as we’ve reported before — as the DPC’s draft decision will also need to be put to the other EU DPAs for review and the chance to object.

The parliament’s resolution states that it “is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR”, and — in more general remarks on the enforcement of GDPR around international data transfers — it states that it:

Is concerned about the insufficient level of enforcement of the GDPR, particularly in the area of international transfers; expresses concerns at the lack of prioritisation and overall scrutiny by national supervisory authorities with regard to personal data transfers to third countries, despite the significant CJEU case law developments over the past five years; deplores the absence of meaningful decisions and corrective measures in this regard, and urges the EDPB [European Data Protection Board] and national supervisory authorities to include personal data transfers as part of their audit, compliance and enforcement strategies; points out that harmonised binding administrative procedures on the representation of data subjects and admissibility are needed to provide legal certainty and deal with crossborder complaints;

The knotty, multi-year saga of Schrems’ Facebook data-flows complaint, as played out via the procedural twists of the DPC and Facebook’s lawyers’ delaying tactics, illustrates the multi-layered legal, political and commercial complexities bound up with data flows out of the EU (post-Snowden’s 2013 revelations of US mass surveillance programs) — not to mention the staggering challenge for EU data subjects to actually exercise the rights they have on paper. But these intersecting issues around international data flows do seem to be finally coming to a head, in the wake of the Schrems II CJEU ruling.

The clock is now ticking for the issuing of major data suspension orders by EU data protection agencies, with Facebook’s business first in the firing line.

Other US-based services that are — similarly — subject to the US’ FISA regime (and also move EU users’ data over the pond for processing; and whose businesses are such they cannot shield user data via ‘zero access’ encryption architecture) are equally at risk of receiving an order to shut down their EU-US data-pipes. Or else having to shift data processing for these users inside the EU.

US-based services aren’t the only ones facing increasing legal uncertainty, either.

The UK, post-Brexit, is also classed as a third country (in EU law terms). And in a separate resolution today the parliament adopted a text on the UK adequacy agreement, granted earlier this year by the Commission, which raises objections to the arrangement — including by flagging a lack of GDPR enforcement in the UK as problematic.

On that front the parliament highlights how adtech complaints filed with the ICO have failed to yield a decision. (It writes that it’s concerned “non-enforcement is a structural problem” in the UK — which it suggests has left “a large number of data protection law breaches… [un]remedied”.)

It also calls out the UK’s surveillance regime, questioning its compatibility with the CJEU’s requirements for essential equivalence — while also raising concerns about the risk that the UK could undermine protections on EU citizens’ data via onward transfers to jurisdictions the EU does not have an adequacy agreement with, among other objections.

The Commission put a four year lifespan on the UK’s adequacy deal — meaning there will be another major review ahead of any continuation of the arrangement in 2025.

It’s a far cry from the ‘hands-off’ fifteen years the EU-US ‘Safe Harbor’ agreement stood for, before a Schrems challenge finally led to the CJEU striking it down back in 2015. So the takeaway here is that data deals that allow for people’s information to leave Europe aren’t going to be allowed to stand unchecked for years; close scrutiny and legal accountability are now firmly up front — and will remain in the frame going forward.

The global nature of the Internet and the ease with which data can digitally flow across borders of course brings huge benefits for businesses — but the resulting interplay between different legal regimes is leading to increasing levels of legal uncertainty for companies seeking to take people’s data across borders.

In the EU’s case, the issue is that data protection is regulated within the bloc and these laws require that protection stays with people’s information, no matter where it goes. So if the data flows to countries that do not offer the same safeguards — be that the US or indeed China or India (or even the UK) — then the risk is that it can’t, legally, be taken there.

How to resolve this clash, between data protection laws based on individual privacy rights and data access mandates driven by national security priorities, has no easy answers.

For the US, and for the transatlantic data flows between the EU and the US, the Commission has warned there will be no quick fix this time — as happened when it slapped a sticking plaster atop the invalidated Safe Harbor, hailing a new ‘Privacy Shield’ regime; only for the CJEU to blast that out of the water for much the same reasons a few years later. (The parliament resolution is particularly withering in its assessment of the Commission’s historic missteps there.)

For a fix to stick, major reform of US surveillance law is going to be needed. And the Commission appears to have accepted that’s not going to come overnight, so it seems to be trying to brace businesses for turbulence…

The parliament’s resolution on Schrems II also makes it clear that it expects DPAs to step in and cut off risky data flows — with MEPs writing that “if no arrangement with the US is swiftly found which guarantees an essentially equivalent and therefore adequate level of protection to that provided by the GDPR and the Charter, that these transfers will be suspended until the situation is resolved”.

So if DPAs fail to do this — and if Ireland keeps dragging its feet on closing out the Schrems complaint — they should expect more resolutions to be blasted at them from the parliament.

MEPs emphasize the need for any future EU-US data transfer agreement “to address the problems identified by the Court ruling in a sustainable manner” — pointing out that “no contract between companies can provide protection from indiscriminate access by intelligence authorities to the content of electronic communications, nor can any contract between companies provide sufficient legal remedies against mass surveillance”.

“This requires a reform of US surveillance laws and practices with a view to ensuring that access of US security authorities to data transferred from the EU is limited to what is necessary and proportionate, and that European data subjects have access to effective judicial redress before US courts,” the parliament adds.

It’s still true that businesses may be able to legally move EU personal data out of the bloc. Even, potentially, to the US — depending on the type of business; the data itself; and additional safeguards that could be applied.

However, for data-mining companies like Facebook — which are subject to FISA and whose businesses rely on accessing people’s data — achieving essential equivalence with EU privacy protections looks, well, essentially impossible.

And while the parliament hasn’t made an explicit call in the resolution for Facebook’s EU data flows to be cut off, that is the clear implication of it urging infringement proceedings against the DPC (and deploring “the absence of meaningful decisions and corrective measures” in the area of international transfers).

The parliament says it wants to see “solid mechanisms compliant with the CJEU judgement” set out — for the benefit of businesses with the chance to legally move data out of the EU — saying, for example, that the Commission’s proposal for a template for Standard Contractual Clauses (SCCs) should “duly take into account all the relevant recommendations of the EDPB”.

It also says it supports the creation of a tool box of supplementary measures for such businesses to choose from — in areas like security and data protection certification; encryption safeguards; and pseudonymisation — so long as the measures included are accepted by regulators.

It also wants to see publicly available resources on the relevant legislation of the EU’s main trading partners to help businesses that have the possibility of being able to legally move data out of the bloc get guidance to help them do so with compliance.

The overarching message here is that businesses should buckle up for disruption of cross-border data flows — and tool up for compliance, where possible.

In another segment of the resolution, for example, the parliament calls on the Commission to “analyse the situation of cloud providers falling under section 702 of the FISA who transfers data using SCCs” — going on to suggest that support for European alternatives to US cloud providers may be needed to plug “gaps in the protection of data of European citizens transferred to the United States” and “reduce the dependence of the Union in storage capacities vis-à-vis third countries and to strengthen the Union’s strategic autonomy in terms of data management and protection”.


Facebook loses last ditch attempt to derail DPC decision on its EU-US data flows

Facebook has failed in its bid to prevent its lead EU data protection regulator from pushing ahead with a decision on whether to order suspension of its EU-US data flows.

The Irish High Court has just issued a ruling dismissing the company’s challenge to the Irish Data Protection Commission’s (DPC) procedures.

The case has huge potential operational significance for Facebook which may be forced to store European users’ data locally if it’s ordered to stop taking their information to the U.S. for processing.

Last September the Irish data watchdog made a preliminary order warning Facebook it may have to suspend EU-US data flows. Facebook responded by filing for a judicial review and obtaining a stay on the DPC’s procedure. That block is now being unblocked.

We understand the involved parties have been given a few days to read the High Court judgement ahead of another hearing on Thursday — when the court is expected to formally lift Facebook’s stay on the DPC’s investigation (and settle the matter of case costs).

The DPC declined to comment on today’s ruling in any detail — or on the timeline for making a decision on Facebook’s EU-US data flows — but deputy commissioner Graham Doyle told us it “welcomes today’s judgment”.

Its preliminary suspension order last fall followed a landmark judgement by Europe’s top court in the summer — when the CJEU struck down a flagship transatlantic agreement on data flows, on the grounds that US mass surveillance is incompatible with the EU’s data protection regime.

The fall-out from the CJEU’s invalidation of Privacy Shield (as well as an earlier ruling striking down its predecessor Safe Harbor) has been ongoing for years — as companies that rely on shifting EU users’ data to the US for processing have had to scramble to find valid legal alternatives.

While the CJEU did not outright ban data transfers out of the EU, it made it crystal clear that data protection agencies must step in and suspend international data flows if they suspect EU data is at risk. And EU to US data flows were signalled as at clear risk given the court simultaneously struck down Privacy Shield.

The problem for some businesses is that there may simply not be a valid legal alternative. And that’s where things look particularly sticky for Facebook, since its service falls under NSA surveillance via Section 702 of the FISA (which is used to authorize mass surveillance programs like Prism).

So what happens now for Facebook, following the Irish High Court ruling?

As ever in this complex legal saga — which has been going on in various forms since an original 2013 complaint made by European privacy campaigner Max Schrems — there’s still some track left to run.

After this unblocking the DPC will have two enquiries in train: Both the original one, related to Schrems’ complaint, and an own volition enquiry it decided to open last year — when it said it was pausing investigation of Schrems’ original complaint.

Schrems, via his privacy not-for-profit noyb, filed for his own judicial review of the DPC’s proceedings. And the DPC quickly agreed to settle — agreeing in January that it would ‘swiftly’ finalize Schrems’ original complaint. So things were already moving.

The tl;dr of all that is this: The last of the bungs which have been used to delay regulatory action in Ireland over Facebook’s EU-US data flows are finally being extracted — and the DPC must decide on the complaint.

Or, to put it another way, the clock is ticking for Facebook’s EU-US data flows. So expect another wordy blog post from Nick Clegg very soon.

Schrems previously told TechCrunch he expects the DPC to issue a suspension order against Facebook within months — perhaps as soon as this summer (and failing that by fall).

In a statement reacting to the Court ruling today he reiterated that position, saying: “After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, likely before summer. Now we simply have two procedures instead of one.”

When Ireland (finally) decides, it won’t mark the end of the regulatory procedures, though.

A decision by the DPC on Facebook’s transfers would need to go to the other EU DPAs for review — and if there’s disagreement there (as seems highly likely, given what’s happened with draft DPC GDPR decisions) it will trigger a further delay (weeks to months) as the European Data Protection Board seeks consensus.

If a majority of EU DPAs can’t agree the Board may itself have to cast a deciding vote. So that could extend the timeline around any suspension order. But an end to the process is, at long last, in sight.

And, well, if a critical mass of domestic pressure is ever going to build for pro-privacy reform of U.S. surveillance laws, now looks like a really good time…

“We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer,” added Schrems. “This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the US to change its surveillance laws.”

Facebook has been contacted for comment on the Irish High Court ruling.

Update: The company has now sent us this statement:

“Today’s ruling was about the process the IDPC followed. The larger issue of how data can move around the world remains of significant importance to thousands of European and American businesses that connect customers, friends, family and employees across the Atlantic. Like other companies, we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to provide a global service and connect people, businesses and charities. We look forward to defending our compliance to the IDPC, as their preliminary decision could be damaging not only to Facebook, but also to users and other businesses.”


Facebook’s EU-US data transfers face their final countdown

Ireland’s Data Protection Commission (DPC) has agreed to swiftly finalize a long-standing complaint against Facebook’s international data transfers which could force the tech giant to suspend data flows from the European Union to the US within a matter of months.

The complaint, which was filed in 2013 by privacy campaigner Max Schrems, relates to the clash between EU privacy rights and US government intelligence agencies’ access to Facebook users’ data under surveillance programs that were revealed in high resolution detail by NSA whistleblower Edward Snowden.

The DPC has made the commitment to a swift resolution of Schrems’ complaint now in order to settle a judicial review of its processes which noyb, his privacy campaign group, filed last year in response to its decision to pause his complaint and opt to open a new case procedure.

Under the terms of the settlement Schrems will also be heard in the DPC’s “own volition” procedure, as well as getting access to all submissions made by Facebook — assuming the Irish courts allow that investigation to go ahead, noyb said today.

And while noyb acknowledged there may (yet) be a further pause, as/if the DPC waits on a High Court judgement of Facebook’s own Judicial Review of its processes before revisiting the original complaint, Schrems suggests his 7.5 year old complaint could at long last be headed for a final decision within a matter of months…

“The courts in Ireland would be reluctant to give a deadline and the DPC played that card and said they can’t provide a timeline… So we got the maximum that’s possible under Irish law. Which is ‘swift’,” he told TechCrunch, describing this as “frustrating but the maximum possible”.

Asked for his estimate of when a final decision will at last close out the complaint, he suggested it could be as soon as this summer — but said that more “realistically” it would be fall.

Schrems has been a vocal critic of how the DPC has handled his complaint — and more widely of the slow pace of enforcement of the bloc’s data protection rules vs fast-moving tech giants — with Ireland’s regulator choosing to raise wider concerns about the legality of mechanisms for transferring data from the EU to the US, rather than ordering Facebook to suspend data flows as Schrems had asked in the complaint.

The saga has already had major ramifications — leading to a landmark ruling by Europe’s top court last summer when the CJEU struck down a flagship EU-US data transfer arrangement after it found the US does not provide the same high standards of protection for personal data as the EU does.

The CJEU also made it clear that EU data protection regulators have a duty to step in and suspend transfers to third countries when data is at risk — putting the ball squarely back in Ireland’s court.

Reached for comment on the latest development the DPC told us it would have a response later today. So we’ll update this report when we have it.

The DPC, which is Facebook’s lead data regulator in the EU under the bloc’s General Data Protection Regulation (GDPR), sent the tech giant a preliminary order to suspend data transfers back in September — following the landmark ruling by the CJEU.

However Facebook immediately filed a legal challenge — couching the DPC’s order as premature, despite the complaint itself being more than seven years old.

noyb said today that it’s expecting Facebook to continue to try to use the Irish courts to delay enforcement of EU law. And the tech giant admitted last year that it’s using the courts to ‘send a signal’ to lawmakers to come up with a political resolution for an issue that affects scores of businesses which also transfer data between the EU and the US, as well as to buy time for a new US administration to be in a position to grapple with the issue.

But the clock is now ticking on how much longer Zuckerberg can play this game of regulatory whack-a-mole. And a final reckoning for Facebook’s EU data flows could come within half a year.

This sets a fairly tight deadline for any negotiations between EU and US lawmakers over a replacement for the defunct EU-US Privacy Shield.

European commissioners said last fall that no replacement would be possible without reform of US surveillance law. And whether such radical retooling of US law could come as soon as the summer, or even fall, seems doubtful — unless there’s a major effort among US companies to lobby their own lawmakers to make the necessary changes.

In court documents Facebook filed last year, linked to its challenge of the DPC’s preliminary order, the tech giant suggested it might have to close service in Europe if EU law is enforced against its data transfers.

However its PR chief, Nick Clegg, swiftly denied Facebook would ever pull service — instead urging EU lawmakers to look favorably on its data-dependent business model by claiming that “personalized advertising” is vital to the EU’s post-COVID-19 economic recovery.

The consensus among the bloc’s digital lawmakers, however, is that tech giants need more regulation, not less.

Separately today, an opinion by an influential advisor to the CJEU could have implications for how swiftly GDPR is enforced in Europe in the future if the court aligns with Advocate General Bobek’s opinion — as he appears to be taking aim at bottlenecks that have formed in key jurisdictions like Ireland as a result of the GDPR’s one-stop-shop mechanism for handling cross-border cases.

So while Bobek confirms the general competence of a lead regulator to investigate in cross-border cases, he also writes that “the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned, the input of which is crucial in this area”.

He also sets out specific conditions where national DPAs could bring their own proceedings, in his view, including for the purpose of adopting “urgent measures” or to intervene “following the lead data protection authority having decided not to handle a case”, among other delineated reasons.

Responding to the AG’s opinion, the DPC’s deputy commissioner, Graham Doyle, told us: “We, along with our colleague EU DPAs, note the opinion of the Advocate General and await the final judgment of the Court in terms of its interpretation of any relevant One Stop Shop rules.”

Asked for a view on the AG’s remarks, Jef Ausloos, a postdoc researcher in data privacy at the University of Amsterdam, said the opinion conveys “a clear recognition that ACTUAL protection and enforcement might be crippled by the [one-stop-shop] mechanism”.

However he suggested any new openings for DPAs to bypass a lead regulator that could flow from the opinion aren’t likely to shake things up in the short term. “I think the door is open for some changes/bypassing DPC. BUT, only in the long run,” he said. 


Facebook seeks fresh legal delay to block order to suspend its transatlantic data transfers

Facebook is firing up its lawyers to try to block EU regulators from forcing it to suspend transatlantic data transfers in the wake of a landmark ruling by Europe’s top court this summer.

The tech giant has applied to judges in Ireland to seek a judicial review of a preliminary suspension order, it has emerged.

Earlier this week Facebook confirmed it had received a preliminary order from its lead EU data regulator — Ireland’s Data Protection Commission (DPC) — ordering it to suspend transfers.

That’s the logical conclusion after the so-called Schrems II ruling which struck down a flagship EU-US data transfer arrangement on the grounds of US surveillance overreach — simultaneously casting doubt on the legality of alternative mechanisms for EU to US data transfers in cases where the data controller is subject to FISA 702 (as Facebook is).

Today The Currency reported that Dublin commercial law firm, Mason Hayes + Curran, filed papers with the Irish High Court yesterday, naming Ireland’s data protection commissioners as defendant in the judicial review action.

Facebook confirmed the application — sending us this statement: “A lack of safe, secure and legal international data transfers would have damaging consequences for the European economy. We urge regulators to adopt a pragmatic and proportionate approach until a sustainable long-term solution can be reached.”

In further remarks the company did not want directly quoted it told us it believes the preliminary order is premature as it said it expects further regulator guidance in the wake of the Schrems II ruling.

It’s not clear what further guidance Facebook is hankering for, nor what grounds it is claiming for seeking a judicial review of the DPC’s process. We asked it about this but it declined to offer any details. However the tech giant’s intent to (further) delay regulatory action which threatens its business interests is crystal clear.

The original complaint against Facebook’s transatlantic data transfers dates all the way back to 2013.


Ireland’s legal system allows for ex parte applications for judicial review. So all Facebook needed to file an application to the High Court to challenge the DPC’s preliminary order was a statement of grounds, a verifying affidavit and an ex parte docket (plus any relevant court fee). Oh and it had to be sure this paperwork was submitted on A4.

The DPC’s deputy commissioner, Graham Doyle, declined to comment on the latest twist in the neverending saga.


Facebook told it may have to suspend EU data transfers after Schrems II ruling

Ireland’s data protection watchdog, the DPC, has sent Facebook a preliminary order to suspend data transfers from the EU to the US, the Wall Street Journal reports, citing people familiar with the matter and including a confirmation from Facebook’s VP of global affairs, Nick Clegg.

The preliminary suspension order follows a landmark ruling by Europe’s top court this summer which both struck down a flagship data transfer arrangement between the EU and the US and cast doubt on the legality of an alternative transfer mechanism (aka SCCs) — certainly in cases where data is flowing to a non-EU entity that falls under US surveillance law. 

Facebook’s use of Standard Contractual Clauses to claim a legal basis for EU data transfers therefore looks to be fast running out of borrowed time.

European privacy campaigner Max Schrems, whose surname is colloquially attached to the CJEU ruling (aka Schrems II) — and to an earlier ruling which invalidated the prior EU-US data transfer deal, Safe Harbor, on the same grounds of US surveillance overreach — filed his original complaint about Facebook’s use of SCCs all the way back in 2013. So the tech giant has had more than half a decade to get its European data ducks in order.

Reached for comment on the WSJ report, Facebook pointed us to a freshly published blog post, also penned by Clegg — who acknowledges “significant uncertainty” for businesses operating online services that rely on transatlantic data flows in the wake of the Schrems II ruling.

In the blog post the former deputy prime minister of the United Kingdom goes on to advocate for “global rules that can ensure consistent treatment of data around the world”.

“The Irish Data Protection Commission has commenced an inquiry into Facebook controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers,” Clegg writes. “While this approach is subject to further process, if followed, it could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on.”

Facebook’s blog post lobbying for global rules to ensure “stability” for cross-border data transfers paints a picture of how the Schrems II ruling might negatively affect European startups — claiming it could result in local businesses being unable to use US-based cloud providers or run operations across multiple time zones.

The blog post doesn’t have anything much to say on how Facebook itself having to stop using SCCs might affect Facebook’s own business — but we’ve discussed that before here. (The short version is Facebook may need to split its infrastructure in two, and offer a federated version of its service to EU users — which would clearly be expensive and time consuming for Facebook.)

“Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term,” Clegg goes on, before lobbying for regulatory leniency in the meanwhile, as Facebook continues to transfer EU data to the US in what he claims is “good faith” — despite the acknowledged legal uncertainty and the complaint in question dating back well over half a decade at this point.

Here he is pleading for data transfer mercy on behalf of other businesses who are not involved in this specific complaint: “While policymakers are working towards a sustainable, long-term solution, we urge regulators to adopt a proportionate and pragmatic approach to minimise disruption to the many thousands of businesses who, like Facebook, have been relying on these mechanisms in good faith to transfer data in a safe and secure way.”

EU lawmakers warned recently that there would be no quick fix for US data transfers, despite some parallel Commission noises about working with the US on an enhanced replacement mechanism for the now defunct ‘Privacy Shield’. (Although for businesses that aren’t, as Facebook is, subject to FISA 702 there may be ways to use SCCs for US transfers that are legal, or at least law firms willing to suggest measures you could take… )

Speaking to the EU Parliament last week, justice commissioner Didier Reynders suggested changes to US surveillance law will be needed to bridge the legal schism between US surveillance law and EU privacy rights.

And of course legislative changes require both time and political will. Although it’s interesting to see Facebook’s global VP feeling moved to wade in and call for global solutions for cross-border data transfers. Perhaps the tech giant will funnel some of its multi-million dollar domestic lobbying budget on making the case for reforming US surveillance law in future.

Ireland’s data protection regulator declined to comment on the WSJ report when we got in touch.

Schrems, meanwhile, is not sitting on his hands. In a statement following the newspaper’s report he said his digital rights not-for-profit, noyb, was not informed about the preliminary order by the DPC — speculating the information was leaked to the newspaper by Facebook to draw political attention to its cause.

He also reveals an intent by noyb to start a legal procedure against the DPC, saying it informed Ireland’s regulator this week that it plans to file an interlocutory injunction over the opening of a ‘second’ procedure into the matter — arguing this move is in breach of a 2015 court order and is essentially the equivalent of letting Facebook carry on a multi-year game of legal whack-a-mole where it never actually faces enforcement for breaking each specific law.

“Facebook is knowingly in violation of the law since 2013. So far the DPC has covered them and for seven years refused to enforce the law. It seems after the second judgement by the Court of Justice not even the DPC can deny that Facebook’s international data transfers are built on sand,” Schrems told TechCrunch.

“At the same time, Facebook has in internal communication indicated that it has again shifted its legal basis from the SCCs to [the GDPR] Article 49 and the contract they allegedly sign with users. We are therefore very concerned that the DPC is again only investigating one of two legal basis that Facebook uses. This approach could lead to another frustrated case, like the ‘Safe Harbor’ case in 2015.”

What’s new since 2015 is Europe’s General Data Protection Regulation (GDPR) — which came into application in May 2018 and has led EU lawmakers to claim standard-setting geopolitical glory, as the issue of data privacy has risen up the agenda around the world, propelled by the deforming effects of platform power on societies and democracies.

However the two-year-old framework has so far failed to deliver anything much at all on major cross-border complaints which pertain to platform giants like Facebook (or indeed to the adtech industry). This summer a Commission review of the regulation highlighted what it described as a lack of uniformly vigorous enforcement.

Ireland’s DPC is fully in the spotlight on this front too, as the lead regulator for a large number of US tech firms.

It finally submitted the first draft decision on a cross border complaint earlier this summer — but a final decision on that case (relating to a Twitter security breach) has been delayed as the draft failed to gain the backing of all the region’s data supervisors, triggering further procedures related to joint working under the GDPR’s one-stop-shop mechanism.

Any order from the DPC to Facebook to suspend SCCs would similarly need to gain the backing of the bloc’s other regulators (or at least a majority of them). Per the WSJ’s report, Ireland’s regulator has given Facebook until mid-September to respond to the order — after which a new draft would be sent to the other supervisors for joint approval.

So there’s further delay built into the GDPR process before any final suspension order could be issued against Facebook in this seven year+ case. Move fast and break things this most certainly is not.

The WSJ also speculates that Facebook could try to challenge such an order in court. “Internally, Facebook considers the preliminary order and its future implications a big deal,” it adds, citing one of its unnamed sources.


No quick fix for transatlantic data transfers, says EC

Europe’s justice commissioner has conceded there will be “no quick fix” for EU-US data transfers in the wake of the decision by the region’s top court in July that struck down a flagship data transfer agreement which was being used by thousands of businesses.

Despite the ‘Schrems II’ judgement being the second such CJEU strike in around five years, commissioners from the EU’s executive body and US counterparts in the U.S. Department of Commerce announced last month that they had begun discussions on a potential replacement for the now defunct EU-US Privacy Shield.

Justice commissioner, Didier Reynders, said today that talks on an ‘enhanced framework’ are continuing but he admitted there’s no fast track fix for the schism between Europeans’ fundamental rights and US surveillance law.

“There is a common willingness to fully comply with the judgement of the court — on both sides we want to find ways in which to address the issues raised by the court,” said Didier Reynders. “We will intensify our engagement with the US in the coming weeks but we also have to recognize that the judgement raises complex issues related to the sensitive area of national security. Therefore there will be no quick fix.”

He went on to suggest that changes to US law may be needed for any Privacy Shield 2 to be possible — giving the example of the lack of a redress mechanism for EU citizens as an area where legislation may be needed — before emphasizing that any such legislative change would clearly take time (he noted, for example, that the US election is looming — which bakes natural delay into any such timeline).

“We are working with the US counterparts to evaluate the possibility of a strengthened framework — and of course it’s possible to build on existing elements but of course it’s maybe also a necessity to have legislative changes,” he said. “That’s the real question that we have with the US authorities. And that will of course have an impact on the time needed to put in place a new framework.

“It’s a real political debate; it’s not just a technical issue. And if we look at the domestic developments and debates in the US around privacy at the state and federal level but also limitation for intelligence service program there are probably more common grounds to find viable solutions than when the Privacy Shield was negotiated. You have also seen that the reaction of US authorities were constructive; they want to explore where to address the issues raised by the judgement but again sometimes, on the base of actual elements, there is maybe some legislative changes [required].”

“What we need are sustainable solutions that deliver legal certainty in full compliance with the judgement of the court,” he added. “That is also the message I have clearly passed to my EU counterparts and on which I will keep insisting.”

Reynders was speaking to the EU Parliament’s civil liberties (LIBE) committee, which was holding a hearing into the implications of the Court of Justice of the EU (CJEU) invalidating the EU-US Privacy Shield — aka the Schrems II ruling.

The chair of the European Data Protection Board (EDPB), Andrea Jelinek, had also been invited to speak, alongside Max Schrems himself, the European privacy campaigner who now has two successful strikes against EU-US data transfer mechanisms — after the CJEU invalidated Safe Harbor in 2015 and the EU-US Privacy Shield this July following his complaints. 

The discussion delved into the implications of the CJEU ruling for an alternative data transfer mechanism called Standard Contractual Clauses (SCCs) which were not invalidated by the court, even as their use for US data transfers is now larded with legal risk as a result of US surveillance overreach.

Reynders told the committee the Commission is continuing its work on modernizing SCCs to bring them into line with the EU’s General Data Protection Regulation (GDPR) framework — saying it will produce a draft version this month and is aiming to complete the process before the end of the year.

“Now that the judgement has been assured we will of course preserve the elements of the existing SCCs that have led to the court to find them valid. At the same time we will try to reflect and operationalize in all texts the additional clarification provided by the court on the conditions under which SCCs can be used — taking also fully into account the guidance issued by the EDPB that it should help companies in their compliance effort,” he added. “But of course we need to see what kind of more longer term evolution in the US [law there might be].”

Reynders said the same issues around data transfers will arise with the UK, post Brexit — as it seeks an adequacy agreement and the Commission will have to assess its domestic laws, including infamously draconian surveillance laws — and with other third countries like China where there’s no adequacy agreement in place (nor any prospect of a finding of privacy protections that are essentially equivalent to those in the EU).

“We want to stay open to those that apply the rules,” he added.

Jelinek said the EDPB has just set up a taskforce to work on around 100 strategic complaints filed last month by Schrems’ digital rights group, noyb, that target EU-based entities across the region which are using SCCs for data transfers for Google Analytics and/or Facebook Connect integrations.

noyb argues there’s no legal basis for those transfers and that DPAs should step in and suspend them.

“We are going to work not only close together but closer together than we’ve ever done [with EU data protection authorities] to solve this issue,” said Jelinek. “We will analyze the matter and ensure that we will go together in the same direction.”

Enforcement of EU data protection law is both a duty for supervisory authorities and “a matter of credibility”, she added. “You can be sure we are investigating all together within the taskforce but again I have to tell you that enforcement… is a matter of the national supervisory authorities. Each and every supervisory authority has to enforce in their own country those complaints which are ruled with them.”

The prospect of any enforcement of Schrems’ original SCC complaint to the Irish DPC — filed some seven years ago at this point — is still a distant one, according to what he told the committee.

“Enforcement is going to be a matter of credibility,” he said. “So far the understanding is that there will be no enforcement — or no serious enforcement — that’s also the reason we have filed a couple of complaints already to make sure that there’s some movement. And I think there needs to be some kind of highlight cases where the industry feels there’s a feeling where they actually have to comply with all of this.

“I also want to throw in real short that we got a letter this week that I cannot disclose yet from the Irish data protection regulator informing us that, de facto, they will probably not pursue this case that is ongoing for seven years for the next, I would assume one or two years… We’re very sorry to see that the regulator in Ireland, despite being under a court order that they have to enforce this judgement is apparently choosing not to do so.”

We reached out to the Irish DPC for a response to Schrems’ remarks and it told us he is “wrong” in that supposition but at the time of writing the regulator had not provided any further comment. We’ll update this report if we get more.

Schrems was withering in his view of the Irish DPC’s record, telling the committee that its handling of his complaint was not a pro-privacy case but a “pro-delay case”.

“We have already said at the beginning that this case could have been done by the DPC itself. And we now get back to exactly the problems we have outlined five years ago — that the DPC is now working on again,” he said.

“The bottom line is probably there’s not going to be a decision within the next two or three years — if they continue like that. Which means the original complaint I filed after Snowden will probably take up to ten years to get a first instance decision. Then we’ll have three layers of appeals in Ireland. So I’m probably going to be retired once this case is actually finally decided! I’m going to be grey and old and that’s not how fundamental rights in Europe should work — and I think we really have to work on that.”


Max Schrems on the EU court ruling that could cut Facebook in two

Last month’s ruling by the Court of Justice of the European Union (CJEU), ripping up the EU-US Privacy Shield and sowing doubt over alternative mechanisms, has put a cat among the pigeons of international data transfers.

For Facebook the impact could fall like a cleaving sword as its business is front and center following the so-called Schrems II judgement.

Eponymous privacy campaigner Max Schrems’ underlying complaint targeted the tech giant’s use of a data transfer tool known as Standard Contractual Clauses (SCCs). Thousands of businesses make use of SCCs to carry out EU to US transfers of personal data, sometimes in addition to the now defunct Privacy Shield framework. An earlier ruling by the CJEU — following another Schrems complaint which also drew on the 2013 Snowden disclosures of US government mass surveillance programs — struck down the prior transatlantic ‘Safe Harbor’ arrangement.

SCCs were an existing alternative for businesses to plug the gap then until Privacy Shield came into effect. But the CJEU ruling of no US adequacy with EU privacy standards casts doubt on their continued use for these transfers. Facebook was using SCCs in the Safe Harbor era. Now, in the wake of the CJEU decision, it’s said it’s moving its Privacy Shield transfers to SCCs. So the tech giant has no visible ‘plan B’ if it’s ordered to suspend these data flows too.

In Schrems’ view the only way Facebook will be able to comply with the CJEU ruling is if it splits its infrastructure into two. And while other types of companies — such as cloud storage providers — may already separate data by regions owing to factors like latency or even cost, Facebook’s business simply doesn’t operate like that. It’s designed to draw data to its center.

“Facebook is probably the most [susceptible] to all of this,” says Schrems, discussing the ramifications of the CJEU ruling in an interview with TechCrunch. “For Facebook it’s really, really complicated as a company to comply with any of this.”

“There are parts that are necessary data transfers, and [Facebook] can continue to do that. So basically the message that I sent to an American friend, stuff like that. But that’s only a small percentage,” he continues. “So I think technically the approach they’d have to do is basically split Facebook in two. And then kind of reconnect the necessary data transfers. So you’ve basically federated. A bit like Diaspora was always designed to be; a federated social network where you basically have different parts and what’s necessary is communicated and what’s not necessary is not communicated.”

“They’re not going to do that without heaven and hell moving onto them,” he adds. “I guess — especially for Facebook — that the problem is we kind of have a case where the consequences are so extreme the pushback is obviously as extreme as possible… They know that without fundamentally restructuring the whole system they will never be able to comply with any of this — so they don’t.”

Schrems points to what happened historically with SWIFT financial data exchanges as a comparable scenario — where the fix was to move backups from the US to Switzerland “so only the data that is international and US is actually stored in the US and all the other transfer data is kept in Belgium and Switzerland”. “So you separate your backups and your situations and so on,” he says, adding: “It’s a lot of engineering.”

At this point most of the big tech companies have data centers in Europe, while newer social video sharing app TikTok recently announced plans to establish one in Ireland for EU users’ data. But Schrems reckons there’s no easy way for Facebook to unpick all its EU data flows.

We asked Facebook for details on its legal basis for continuing to use SCCs but the company did not engage with questions on the topic. Nor did it respond when we asked for clarity on any ‘plan B’ if it’s ordered to stop using SCCs.

Beyond a massive engineering headache for the company, Schrems doesn’t see huge legal significance in a federated version of Facebook’s service that holds EU users’ data in Europe. But he argues such a split would send an important message about the rule of law.

“The law doesn’t differentiate if the data is processed in Europe or in the US on having to be compliant with it… So I don’t really think we can probably gain much from it. To me it’s more of a general question of companies having to respect the law or just getting away with it, over and over again, without really complying. I don’t think [it would be a gain] for direct compliance — it’s probably more of a big message that you don’t get away with it that would be important to send,” he says.

Can SCCs still be used for US transfers?

In the clash between EU privacy rights and US surveillance law, Europe’s highest court has made it clear it isn’t budging. At the same time, lawyers all over the region are busy grappling with the apparent contradiction of the CJEU finding US surveillance practices fatal to Privacy Shield yet not putting an indelible blocker on SCCs for data transfers over the pond. This other long-standing transfer mechanism — sometimes also referred to as ‘model clauses’ — could have been struck down too but wasn’t. So the court left the door ajar.

Law firms have seized on that to shape strategies for businesses to proceed using SCCs for US data transfers in a way that minimizes their risk — via performing detailed risk assessments and/or applying ‘special measures’, where possible. Given the rich seam of paid advice opportunities opening up it’s not hard to find European lawyers who believe SCCs can be made to work for some data controllers who want to continue (or start) bulk processing EU users’ data in the US.

This advice boils down to handling all of the associated bureaucracy around performing risk assessments over a particular data transfer and whether/how it falls under US surveillance law; for some it may also mean investigating technical and operational solutions, such as whether data could be encrypted in transit and the keys held by an EU entity that’s not subject to US law; and perhaps seeing whether policies can be applied and contractual language beefed up so that a US receiving entity which gets a law enforcement request for data is obliged to take steps to make sure there’s a real legal compulsion underpinning it.

In a public discussion on the topic hosted by the International Association of Privacy Professionals last month, Hogan Lovells partner, Eduardo Ustaran — one of the more bullish voices touting the ongoing value of SCCs for US transfers — made the case for building policy protections into contracts to require a level of push back and interrogation of US government agency requests for data.

“When the court talked about additional safeguards and making up for the lack of protection in the regime of the recipients… they’re talking about precisely that: Having that legal process in place — a contractual obligation — to question that request. And you will probably find that if that is in place only a very, very, very small minority of cases will lead to something that is a true conflict where the prohibition of data really needs to be given,” he argued.

“Even in that case, one needs to question whether that is actually within the parameters of what European law provides. Or outside those parameters. Because, again, what the court didn’t say was that all access to data is unlawful; it’s the one that’s not necessary, it’s disproportionate. So that’s what you need to get at. And that’s what we’re saying. I think there is definitely room for manoeuvre in that contractual document for the parties to that document to agree to what level of scrutiny they’re going to undertake when one of them receives a request.”

In the same discussion, Fieldfisher privacy, security and information partner, Renzo Marchini, suggested some data controllers may be able to determine they do not have any risk of European standards not being met for their particular data transfer.

“For some vanilla transfers there might simply be no risks,” he posited. “They might be outside of FISA [the Foreign Intelligence Surveillance Act] and so on. And you only get to additional safeguards, additional measures if you conclude that you need to do something more — and the court has allowed you to do something more.”

“They haven’t said what that’s got to be,” he added. “I hope the EDPB [European Data Protection Board] will give some certainty here and tell us what those things are.”

The lack of judicial redress linked to US surveillance law is a stickier problem, though. One Marchini accepted can’t be fixed with any amount of contractual spit and polish — and which, for businesses subject to FISA, will carry through as what he couched as “residual risk”.

“That simply goes to the risk assessment that’s carried out beforehand,” he said when pressed on that point. “So if you’re at risk and you can’t fix it technically, operationally, then you’re left with the residual risk that you haven’t fulfilled essential equivalence. There’s no way of avoiding that, I think. You’re not going to fix that gap in US law which the court found either… There’s a lack of judicial redress under FISA 702; you can’t fix it, but you might be able to conclude you’re not at risk under FISA 702.”

In Facebook’s case, there’s no plausible dispute the company falls under US surveillance laws — which means its wiggle room in the face of Schrems II is minimal. And so suddenly the company throwing all its eggs into the SCCs’ basket in the hopes that Europe’s regulators will ignore the CJEU’s instruction to step in looks high risk.

“One of the holdings of the Court of Justice was there is simply no legal redress whatsoever as a foreigner,” notes Schrems, adding: “I’ve had calls with people from industry and they said we know that we actually don’t have a legal basis but we just hope they’re going to be reasonable and not enforce it. Which is basically saying you’re working illegally and you hope the law doesn’t apply to you.”

“We’re now asking different companies and most of them say we don’t really know the legal basis — we’re waiting for guidance,” he adds. “The reality is the vast majority of them is simply now working illegally. Google and Microsoft and even Facebook put out ‘oh we’re still using SCCs because we read the judgement differently’.”

In another example, the IAB Europe suggests in a Q&A on the CJEU ruling that worried advertisers “seek guidance from your lead supervisory authority” — and then immediately suggests DPAs “may give leniency towards data transfers that took place under the Privacy Shield due to the sudden nature of this change in the law”. Although, on SCCs, the ad industry body is more circumspect, writing that compliance is now determined on a case-by-case basis and “will depend on the companies sending and receiving the personal data, the regulator in the target country, and the types of personal data”.

“To be honest I’m not super enthusiastic about data transfers because we have so many other privacy problems there probably are bigger issues. But the reason why I’m really getting more and more excited about this case is it just shows the vast ignorance on any of these decisions,” adds Schrems. “If the Supreme Court of the EU says for the second time you can’t do that and they’re just saying ‘oh I guess the law doesn’t apply to us or is not going to be enforced anyways’.

“With the data transfers you kind of understand why it’s complicated and you can’t change it overnight. Even in the Facebook complaint I filed in 2015 — back then I said you know they should at least have an order where, within a certain time period, they should have to stop the data transfers than say you’ve got to stop it overnight because that’s not going to happen. But they could, theoretically, order them to stop the data transfers within a year, for example. Which would give them enough time to actually comply with it.”

What happens next?

Individual EU regulators have generally been keeping their cards close to their chest since the CJEU ruling. And it remains to be seen what action Facebook’s lead supervisor, the Irish Data Protection Commission (DPC), will take as its next steps vis-a-vis Schrems’ seven-year-old complaint. All eyes are on Dublin.

More than two years since the application of Europe’s General Data Protection Regulation (GDPR), the regulator is no stranger to complaints that it needs to pick up the pace and get on with the job of enforcing major cross-border complaints against tech giants like Facebook. Though its counter argument to such criticism is that building robust cases that will stand up to legal challenge takes time.

In the meanwhile, guidance on the CJEU ruling put out by the EDPB emphasizes that international data transfers via SCC must be assessed on a case by case basis; and, if a data controller intends to keep using SCCs, it must inform the relevant EU supervisory authority — inviting scrutiny of these flows.

Combine that with the CJEU telling EU data protection agencies they have a duty to intervene and stop data transfers to places where they suspect people’s information is at risk and it’s hard to see how regulators can keep sitting on their hands in obvious cases involving FISA-subject entities.

One thing looks clear: The era of ‘tickbox’ data transfers to any international jurisdiction that lacks an EU data adequacy agreement is toast.

Taking that further, any third country that lacks a comprehensive data protection framework akin to GDPR probably isn’t going to be able to sustain ‘seamless’ access to the European market for long, if at all — which means, yes, the US; but also China, India, and so on (a post-Brexit UK also looks dicey on the adequacy front given its penchant for surveillance overreach; though some of that has already been dialled back via the courts).

And even though there are now noises on both sides of the Atlantic about cooking up a ‘Privacy Shield 2’, barring enlightened reform of US surveillance law — or the impossible flip-side of Europe tearing up its charter of fundamental rights — any such respawned instrument would soon follow its predecessors into legal history.

As we said last month, all this sums to a lot more work for lawyers. And right on cue law firms are talking up contractual risk reduction strategies to sell concerned data controllers a way forward.

Cash-strapped regulators are also going to find more work piled on their plates now they have unequivocal instruction not to look the other way at lawbreaking data transfer ‘business as usual’.

Pressure is being applied to regulators by EU lawmakers too who want to see more joint working to ensure harmonious application of major rulings across the bloc’s patchwork of data authorities. Businesses need clarity, is the common refrain. And the role of the EDPB — whose current duties include issuing guidance and promoting pan-EU cooperation and consistency of regulatory application — looks set to become increasingly pivotal as more of these cross-border cases and pinch-points flare up.

The EDPB will need to take on more of a leadership, decision-making role vs its customary talking shop, per Schrems. “They will have to become a proper legal entity that does proper legal decisions because they will be tested in court,” he argues. “So far they got away with more political statements and so on. In both directions. There’s some things that they put out that are just going way too far, which the GDPR does not provide for. And there are other things where they’re miles away from the basics of what the GDPR says. [Their output] will have to become more like a proper legal analysis — that says this is what you have to do now.”

Unsurprisingly, for a privacy activist who’s been petitioning regulators to uphold his fundamental rights for so many years — and now with two adequacy-crushing CJEU rulings that bear his name — Schrems expresses plenty of frustration at the DPAs’ performance to date.

After so much time and legal energy it’s amazing to think his original complaint against Facebook’s use of SCCs is still unresolved. And that’s just one of many he’s filed, having spun up noyb: A not-for-profit European digital rights group dedicated to strategic litigation to defend privacy.

“The other problem is that the authorities locally then also have to enforce [EDPB guidance] because there’s still a lot of talk,” he says. “We have decisions that, I can’t name them publicly — but we have ‘in between’ decision from the Irish DPC where they literally say yeah that’s what the EDPB says but we have a different view and we’re just going to decide the opposite way. And they’re not technically bound by these guidelines but if structurally they’re not upheld in Member States then, yeah, nothing’s going to happen.”

noyb also has pending cases that have been sitting with DPAs for as much as 1.5 years without a key authority providing feedback — because “they simply don’t talk to each other”.

“I mean just in daily practice. We have cases that are pending — like the forced consent stuff — where the Germans said they now called them every month in Ireland and there’s simply no answer,” he adds. “And so it’s not working on such a childish, basic level.

“So the problem that we’re having is this whole cooperation system is just so fundamentally not working. It could work if everybody tries to pull in the same direction. But right now they are rather all pulling in different directions.”

What does Schrems believe will happen with his Facebook SCCs complaint now the CJEU has finally weighed in?

“I have no clue to be honest. We’re now planning to do more and more turning up the heat a bit,” he says, nodding to the 101 complaints just filed by noyb against the use of SCCs for Facebook Connect and Google Analytics data transfers. “Fundamentally it’s a question of whether the data protection authorities take themselves seriously or if they continue to be like ‘FAQs’ that are just like ‘blah, blah, we don’t really tell you anything’. And which of the DPAs are going to start to take some enforcement measures.”

“People complain about the US a lot and US companies not being compliant with EU law… But the reality is we’re simply not enforcing these laws. And it’s a fundamental European problem that we don’t do that,” he adds. “I’m usually joking in Austria; one Google penalty would buy us up to four high speed rail tunnels through the Alps!”

There has been one Google penalty since the GDPR began being applied in May 2018 — levied by France’s CNIL in early 2019. But Schrems argues the €50M fine was woefully low, pointing out Austria slapped a larger penalty on its postal service (€80M) for trying to calculate people’s political interests based on their location and age in order to run a direct mailing service. And it’s clear Google’s behavioral ad-targeting personal-data-sink goes a lot deeper than a spreadsheet to sell direct mailing.

“If you never really enforce the law, if you never really put out a penalty, if the maximum penalty even from the CNIL was €50M — which was nothing — then there’s no reason to wonder why [tech giants] don’t comply,” adds Schrems.

The Irish DPC has also sought to package product launch delays as annual-report-worthy enforcement wins. But Schrems argues such stuff “fundamentally underestimates their power”. He also notes that noyb has instigated legal action against the DPC “for being inactive”, as he puts it.

“They’re oftentimes more happy to write a press release than to actually take the law and take the options that they have on the law and go for it,” Schrems adds, discussing the problem of EU DPAs generally not feeling willing or able to enforce. “That’s the reason why we’ve tried to push them with these complaints, the 101 complaints. Basically they can’t say that they haven’t a case on their table anymore.”

He likens the impact on Europeans’ fundamental rights of so much regulatory inaction as akin to having the right to vote but without access to a polling station most of the time.

“That’s a bit of how we do privacy,” he suggests. “And that’s a part of what we’re trying to do at noyb; just dig into that and just see, you know, there is a law, you breached it, now you pay for it. Because unless we actually push for that structurally, and bit by bit, we’re just going to be in this endless debate about privacy for the next 30, 40 years.

“I’m always telling myself it’s a bit normal because when we had the first time that we talked about workers’ rights — it still is a 100+ years ongoing debate about actually getting paid what your collective, bargaining agreement says. It’s not like any of these problems are done tomorrow or done forever but here the gap between reality and law is just so huge — and even huge companies just fundamentally do not comply — and that’s a bit exceptional. Because in other areas they at least pretend to comply. Or somehow comply if they’re a larger company with some reputation.”

Of course even massive financial penalties can amount to a parking ticket for tech giants. Witness Facebook’s smiles-all-round $5BN FTC settlement. Or Google’s $5BN antitrust fine for a still dominant Android OS. But Schrems’ point is you have to actually have functioning institutions issuing penalties to stand any chance of tackling such massive rights asymmetries. And, well, a law that’s not enforced is like a footpath no one walks; soon enough there’s weeds growing over it and pretty quickly you couldn’t even walk it if you tried.

“We’re not going to police the world by having a DPA behind each bush and ogling each click that everybody does. But if they, in general, have an enforcement pressure that companies have the feeling that ok if I don’t comply, bit by bit, I’m going to get caught for something… It’s a bit like with traffic,” says Schrems. “You know I’m not a fan of having a speeding camera around every corner but if once in a while you get a speeding ticket you kind of realize that going 160 on an autobahn is not a good idea and it generally keeps people to drive at 140 if 130 is legal. It keeps it somehow at a format that is somehow acceptable — and that’s totally missing in the privacy world.”

For now, the enforcement gap is being challenged by not-for-profits like noyb. It’s also increasingly viewed as an opportunity by class action style litigation funders — hoping to profit off of population-scale damages even if regulators won’t.

Schrems says noyb has managed to attract a crowdfunded annual budget of around €600k-€700k at this point — “all donated money for doing the job that regulators are actually paid to do” — although he’s recently been running ads on social media to try to get it to full target funding. “Technically noyb shouldn’t exist,” he jokes.

Clearly, though, Schrems has tapped into an appetite among Europeans for someone to champion their rights.

After years of regulatory inaction that has allowed data-mining giants to exploit people’s privacy without any meaningful consequences — sewing up the attention economy in the process — there’s a vacancy for privacy heroes to tackle the sorts of abuses Schrems and his team are worried about. Problems regulators have failed historically to act on, and which Europeans are still waiting for action on. (A two-year Commission review of GDPR in June acknowledged a lack of uniformly vigorous enforcement.)

“Right now we’re looking into a lot of the data brokers on the advertisement stuff,” says Schrems, when asked about his biggest privacy concern. “What’s kind of interesting in some countries — not all — the credit ranking agencies and what they do and why they think they can have data on every European and their financial situation without ever having consent or anything. So there’s tonnes of stuff that we’re looking on right now. I’m luckily not involved in all of it at the same time anymore.”

EU websites’ use of Google Analytics and Facebook Connect targeted by post-Schrems II privacy complaints

A month after Europe’s top court struck down a flagship data transfer arrangement between the EU and the US as unsafe, European privacy campaign group, noyb, has filed complaints against 101 websites with regional operators which it’s identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations.

Among the entities listed in its complaint are ecommerce companies, publishers & broadcasters, telcos & ISPs, banks and universities — including Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, and Tele2, to name a few.

“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) — despite both companies clearly falling under US surveillance laws, such as FISA 702,” the campaign group writes on its website.

“Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield’ a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”

We’ve reached out to Facebook and Google with questions about their legal bases for such transfers — and will update this report with any response.

Privacy watchers will know that noyb’s founder, Max Schrems, was responsible for the original legal challenge that took down an anterior EU-US data arrangement, Safe Harbor, all the way back in 2015. His updated complaint ended up taking down the EU-US Privacy Shield last month — although he’d actually targeted Facebook’s use of a separate data transfer mechanism (SCCs), urging its data supervisor, Ireland’s DPC, to step in and suspend its use of that tool.

The regulator chose to go to court instead, raising wider concerns about the legality of EU-US data transfer arrangements — which resulted in the CJEU concluding that the Commission should not have granted the US a so-called ‘adequacy agreement’, thus pulling the rug out from under Privacy Shield.

The decision means the US is now what’s considered a ‘third country’ in data protection terms, with no special arrangement to enable it to process EU users’ information.

More than that, the court’s ruling also made it clear EU data watchdogs have a responsibility to intervene where they suspect there are risks to EU people’s data if it’s being transferred to a third country via SCCs.

European data watchdogs swiftly warned there would be no grace period for entities still illegally relying on Privacy Shield — so anyone listed in the above complaint that’s still referencing the defunct mechanism in their privacy policy won’t even have a proverbial figleaf to hide their legal blushes.

noyb’s contention with this latest clutch of complaints is that none of the aforementioned 101 websites has a valid legal basis to keep transferring visitor data to the US via the embedded Google Analytics and/or Facebook Connect integrations.

“We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” said Schrems, honorary chair of noyb, in a statement.

Since the CJEU’s Schrems II ruling, and indeed since the Safe Harbor strike down, the US Department of Commerce and European Commission have stuck their heads in the sand — signalling they intend to try cobbling together another data pact to replace the defunct Privacy Shield (which replaced the blasted-to-smithereens (un)Safe Harbor. So, er… ).

Yet without root-and-branch reform of US surveillance law, any third pop by respective lawmakers at papering over the legal schism of US national security priorities vs EU privacy rights is just as surely doomed to fail.

The more cynical among you might say the high level administrative manoeuvres around this topic are, in fact, simply intended to buy more time — for the data to keep flowing and ‘business as usual’ to continue.

But there is now substantial legal risk attached to a strategy of trying to pretend US surveillance law doesn’t exist.

Here’s Schrems again, on last month’s CJEU ruling, suggesting that Facebook and Google could be in the frame for legal liability if they don’t proactively warn EU customers of their data responsibilities: “The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws. It seems US companies are still trying to convince their EU customers of the opposite. This is more than shady. Under the SCCs the US data importer would instead have to inform the EU data sender of these laws and warn them. If this is not done, then these US companies are actually liable for any financial damage caused.”

And as noyb’s press release notes, GDPR’s penalties regime can scale as high as 4% of the worldwide turnover of the EU sender and the US recipient of personal data. So, again, hi Facebook, hi Google…

The crowdfunded campaign group has pledged to continue dialling up the pressure on EU regulators to act and on EU data processors to review any US data transfer arrangements — and “adapt to the clear ruling by the EU’s supreme court”, as it puts it.

Other types of legal action are also starting to draw on Europe’s General Data Protection Regulation (GDPR) framework — and, importantly, attract funding — such as two class action style suits filed against Oracle and Salesforce’s use of tracking cookies earlier this month. (As we said when GDPR came into force back in 2018, the lawsuits are coming.)

Now, with two clear strikes from the CJEU on the issue of US surveillance law vs EU data protection, it looks like it’ll be diminishing returns for US tech giants hoping to pretend everything’s okay on the data processing front.

noyb is also putting its money where its mouth is — offering free guidelines and model requests for EU entities to use to help them get their data affairs in prompt legal order. 

“While we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court,” Schrems added, in further comments on the latest flotilla of complaints. “This is also unfair towards competitors that comply with these rules. We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish DPC that stays dormant.”

We’ve reached out to Ireland’s Data Protection Commission to ask what steps it will be taking in light of the latest noyb complaints, a number of which target websites that appear to be operated by an Ireland-based legal entity.

Schrems’ original 2013 complaint against Facebook’s use of SCCs also ended up in Ireland, where the tech giant — and many others — locates its EU HQ. Schrems’ request that the DPC order Facebook to suspend its use of SCCs still hasn’t been fulfilled, some seven years and five complaints later. And the regulator continues to face accusations of inaction, given the growing backlog of cross-border GDPR complaints against tech giants like Facebook and Google.

Ireland’s DPC has still yet to issue a single final decision on any of these major GDPR complaints. But the legal pressure for it and all EU regulators to get a move on and enforce the bloc’s law will only increase, even as class action style lawsuits are filed to try to do what regulators have failed to.

Earlier this summer the Commission acknowledged a lack of uniformly “vigorous” enforcement of GDPR in a review of the mechanism’s first two years of operation.

“The European Data Protection Board [EDPB] and the data protection authorities have to step up their work to create a truly common European culture — providing more coherent and more practical guidance, and work on vigorous but uniform enforcement,” said Věra Jourová, Commission VP for values and transparency then, giving the Commission’s first public assessment of whether GDPR is working.

We’ve also reached out to France’s CNIL to ask what action it will be taking in light of the noyb complaints.

Following the judgement in July the French regulator said it was “conducting a precise analysis”, along with the EDPB, with a view to “drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States”.

Since then the EDPB guidance has come out — inking the obvious: That transfers on the basis of Privacy Shield “are illegal”. And while the CJEU ruling did not invalidate the use of SCCs it gave only a very qualified green light to continued use.

As we reported last month, the ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that “U.S. law does not impinge on the adequate level of protection” for the transferred data.

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” the EDPB added.

US tech needs a pivot to survive

Last month, American tech companies were dealt two of the most consequential legal decisions they have ever faced. Both of these decisions came from thousands of miles away, in Europe. While companies are spending time and money scrambling to understand how to comply with a single decision, they shouldn’t miss the broader ramification: Europe has different operating principles from the U.S., and is no longer passively accepting American rules of engagement on tech.

In the first decision, Apple objected to and was spared a $15 billion tax bill the EU said was due to Ireland, while the European Commission’s most vocal anti-tech crusader Margrethe Vestager was dealt a stinging defeat. In the second, and much more far-reaching decision, Europe’s courts struck a blow at a central tenet of American tech’s business model: data storage and flows.

American companies have spent decades bundling stores of user data and convincing investors of its worth as an asset. In Schrems, Europe’s highest court ruled that masses of free-flowing user data is, instead, an enormous liability, and sows doubt about the future of the main method that companies use to transfer data across the Atlantic.

On the surface, this decision appears to be about data protection. But there is a choppier undertow of sentiment swirling in legislative and regulatory circles across Europe. Namely that American companies have amassed significant fortunes from Europeans and their data, and governments want their share of the revenue.

What’s more, the fact that European courts handed victory to an individual citizen while also handing defeat to one of the commission’s senior leaders shows European institutions are even more interested in protecting individual rights than they are in propping up commission positions. This particular dynamic bodes poorly for the lobbying and influence strategies that many American companies have pursued in their European expansion.

After the Schrems ruling, companies will scramble to build legal teams and data centers that can comply with the court’s decision. They will spend large sums of money on pre-built solutions or cloud providers that can deliver a quick and seamless transition to the new legal reality. What companies should be doing, however, is building a comprehensive understanding of the political, judicial and social realities of the European countries where they do business — because this is just the tip of the iceberg.

American companies need to show Europeans — regularly and seriously — that they do not take their business for granted.

Europe is an afterthought no more

For many years, American tech companies have treated Europe as a market that required minimal, if any, meaningful adaptations for success. If an early-stage company wanted to gain market share in Germany, it would translate its website, add a notice about cookies and find a convenient way to transact in euros. Larger companies wouldn’t add many more layers of complexity to this strategy; perhaps they would establish a local sales office with a European from HQ, hire a German with experience in U.S. companies or sign a local partnership that could help them distribute or deliver their product. Europe, for many small and medium-sized tech firms, was little more than a bigger Canada in a tougher time zone.

Only the largest companies would go to the effort of setting up public policy offices in Brussels, or meaningfully try to understand the noncommercial issues that could affect their license to operate in Europe. The Schrems ruling shows how this strategy isn’t feasible anymore.

American tech must invest in understanding European political realities the same way they do in emerging markets like India, Russia or China, where U.S. tech companies go to great lengths to adapt products to local laws or pull out where they cannot comply. Europe is not just the European Commission, but rather 27 different countries that vote and act on different interests at home and in Brussels.

Governments in Beijing or Moscow refused to accept a reality of U.S. companies setting conditions for them from the outset. After underestimating Europe for years, American companies now need to dedicate headspace to considering how business is materially affected by Europe’s different views on data protection, commerce, taxation and other issues.

This is not to say that American and European values on the internet differ as dramatically as they do with China’s values, for instance. But Europe, from national governments to the EU and to courts, is making it clear that it will not accept a reality where U.S. companies assume that they have license to operate the same way they do at home. Where U.S. companies expect light taxation, European governments expect revenue for economic activity. Where U.S. companies expect a clear line between state and federal legislation, Europe offers a messy patchwork of national and international regulation. Where U.S. companies expect that their popularity alone is proof that consumers consent to looser privacy or data protection, Europe reminds them that (across the pond) the state has the last word on the matter.

Many American tech companies understand their commercial risks inside and out but are not prepared for managing the risks that are out of their control. From reputation risk to regulatory risk, they can no longer treat Europe as a like-for-like market with the U.S., and the winners will be those companies that can navigate the legal and political changes afoot. Having a Brussels strategy isn’t enough. Instead American companies will need to build deeper influence in the member states where they operate. Specifically, they will need to communicate their side of the argument early and often to a wider range of potential allies, from local and national governments in markets where they operate, to civil society activists like Max Schrems.

The world’s offline differences are obvious, and the time when we could pretend that the internet erased them rather than magnified them is quickly ending.
