A survey of responses from greater than 30 firms to questions on how they’re approaching EU-US information transfers within the wake of a landmark ruling (aka Schrems II) by Europe’s prime court docket in July, which struck down the flagship Privacy Shield over US surveillance overreach, suggests most are doing the equal of burying their head within the sand and hoping the authorized nightmare goes away.
European privateness rights group, noyb, has carried out a lot of the groundwork right here — rounding up in this 45-page report responses (some in English, others in German) from EU entities of 33 firms to a set of questions on private information transfers.
It sums up the solutions to the questions on firms’ authorized foundation for transferring EU residents’ information over the pond post-Schrems II as “astonishing” or AWOL — given some didn’t ship a response in any respect.
Tech firms polled on the difficulty run the alphabetic gamut from Apple to Zoom. Whereas Airbnb, Netflix and WhatsApp are among the many firms that noyb says failed to reply about their EU-US information transfers.
Responses offered by firms that did reply seem to boost many extra questions than they reply — with numerous question-dodging ‘boilerplate responses’ in proof and/or pointing to present privateness insurance policies within the hope that can make the questioner go away (hello Facebook!) .
Fb additionally made repeat claims that sought for information falls outdoors the scope of the EU’s information safety framework…
noyb additionally highlights a response by Slack which stated it doesn’t “voluntarily” present governments with entry to information — which, because the privateness rights group factors out, “doesn’t reply the query of whether or not they’re compelled to take action underneath surveillance legal guidelines equivalent to FISA702”.
The same challenge impacts Microsoft. So whereas the tech large did at the very least reply particularly to every query it was requested, saying it’s counting on Customary Contractual Clauses (SCCs) for EU-US information transfers, once more it’s one of many firms topic to US surveillance legislation — or as noyb notes: “explicitly named by the paperwork disclosed by Edward Snowden and publicly numbering the FISA702 requests by the US authorities it obtained and answered”.
That, in flip, raises questions on how Microsoft can declare to (legally) use SCCs if customers’ information can’t be adequately protected against US mass surveillance…
The Court docket of Justice of the EU made it clear that use of SCCs to take information outdoors the EU is contingent on a case by case evaluation of whether or not the info will in actual fact be protected. If it isn’t the info controller is legally required to droop the switch. EU regulators even have a transparent obligation to behave to droop transfers the place information is in danger.
“General, we had been astonished by what number of firms had been unable to supply little greater than a boilerplate reply. Evidently a lot of the trade nonetheless doesn’t have a plan as to find out how to transfer ahead,” noyb provides.
In August the group filed 101 complaints in opposition to web sites it had recognized as nonetheless sending information to the US by way of Google Analytics and/or Fb Join integrations — with, once more, each tech giants clearly topic to US surveillance legal guidelines, equivalent to FISA 702.
noyb founder Max Schrems — whose surname has change into synonymous with questions over EU-US information transfers — additionally continues to push the Irish Information Safety Fee (DPC) to take enforcement motion over Fb’s use of SCCs in a case that dates again some seven years.
Earlier this month it emerged the DPC had written to Fb — issuing a preliminary order to droop transfers. Nonetheless Fb filed an enchantment for a judicial assessment within the Irish courts and was granted a keep.
In an affidavit filed to the court docket the tech large appeared to assert it might shut down its service in Europe if the suspension order is enforced. However last week Fb’s international VP and former UK deputy PM, Nick Clegg, denied it might shut down in Europe over the difficulty. Although he warned of “profound results” on scores of digital companies if a approach shouldn’t be discovered by lawmakers on each side of the pond to resolve the authorized uncertainty round U.S. information transfers. (A Privacy Shield 2 has been mooted however the European Fee has warned there’s no quick fix, suggesting reform of US surveillance legislation shall be required.)
For his half Schrems has suggested the answer for Fb at the very least is to federate its service — splitting its infrastructure in two. However Thierry Breton, EU commissioner for the inner market, has also called for “European information…[to] be saved and processed in Europe” — arguing earlier this month this information “belong in Europe” and “there’s nothing protectionist about this”, in a dialogue that flowed from US president Trump’s considerations about TikTok.
Again in Eire, Fb has complained to the courts that regulatory motion over its EU-EU information transfers is being rushed (regardless of the grievance relationship again to 2013); and in addition that it’s being unfairly singled out.
However now with information switch complaints filed by noyb in opposition to scores of firms on the desk of each EU information supervisor, and regulators underneath express ECJ instruction they’ve an obligation to step in plenty of stress is being exerted to really implement the legislation and uphold Europeans’ information rights.
The European Information Safety Board’s guidance on Schrems II — which Fb had additionally claimed to be ready for — additionally specifies that the power to (legally) use SCCs to switch information to the U.S. hinges on a knowledge controller having the ability to supply a authorized assure that “U.S. legislation doesn’t impinge on the enough degree of safety” for the transferred information. So Fb et al would do properly to foyer the US authorities on reform of FISA.
#Tech #giants #ignoring #questions #legality #EUUS #information #transfers #PJDM