A survey of responses from more than 30 companies to questions about how theyâre approaching EU-US data transfers in the wake of a landmark ruling (aka Schrems II) by Europeâs top court in July, which struck down the flagship Privacy Shield over US surveillance overreach, suggests most are doing the equivalent of burying their head in the sand and hoping the legal nightmare goes away.
European privacy rights group, noyb, has done most of the groundwork here â rounding up in this 45-page report responses (some in English, others in German) from EU entities of 33 companies to a set of questions about personal data transfers.
It sums up the answers to the questions about companiesâ legal basis for transferring EU citizensâ data over the pond post-Schrems II as âastonishingâ or AWOL â given some failed to send a response at all.
Tech companies polled on the issue run the alphabetic gamut from Apple to Zoom. While Airbnb, Netflix and WhatsApp are among the companies that noyb says failed to respond about their EU-US data transfers.
Responses provided by companies that did respond appear to raise many more questions than they answer â with lots of question-dodging âboilerplate responsesâ in evidence and/or pointing to existing privacy policies in the hope that will make the questioner go away (hi Facebook!).
Facebook also made repeat claims that sought for info falls outside the scope of the EUâs data protection frameworkâ¦
noyb also highlights a response by Slack which said it does not âvoluntarilyâ provide governments with access to data â which, as the privacy rights group points out, âdoes not answer the question of whether they are compelled to do so under surveillance laws such as FISA702â.
A similar issue affects Microsoft. So while the tech giant did at least respond specifically to each question it was asked, saying itâs relying on Standard Contractual Clauses (SCCs) for EU-US data transfers, again itâs one of the companies subject to US surveillance law â or as noyb notes: âexplicitly named by the documents disclosed by Edward Snowden and publicly numbering the FISA702 requests by the US government it received and answeredâ.
That, in turn, raises questions about how Microsoft can claim to (legally) use SCCs if usersâ data cannot be adequately protected from US mass surveillanceâ¦Â
The Court of Justice of the EU made it clear that use of SCCs to take data outside the EU is contingent on a case by case assessment of whether the data will in fact be safe. If it is not the data controller is legally required to suspend the transfer. EU regulators also have a clear duty to act to suspend transfers where data is at risk.
âOverall, we were astonished by how many companies were unable to provide little more than a boilerplate answer. It seems that most of the industry still does not have a plan as to how to move forward,â noyb adds.
In August the group filed 101 complaints against websites it had identified as still sending data to the US via Google Analytics and/or Facebook Connect integrations â with, again, both tech giants clearly subject to US surveillance laws, such as FISA 702.
noyb founder Max Schrems â whose surname has become synonymous with questions over EU-US data transfers â also continues to push the Irish Data Protection Commission (DPC) to take enforcement action over Facebookâs use of SCCs in a case that dates back some seven years.
Earlier this month it emerged the DPC had written to Facebook â issuing a preliminary order to suspend transfers. However Facebook filed an appeal for a judicial review in the Irish courts and was granted a stay.
In an affidavit filed to the court the tech giant appeared to claim it could shut down its service in Europe if the suspension order is enforced. But last week Facebookâs global VP and former UK deputy PM, Nick Clegg, denied it could shut down in Europe over the issue. Though he warned of âprofound effectsâ on scores of digital businesses if a way is not found by lawmakers on both sides of the pond to resolve the legal uncertainty around U.S. data transfers. (A Privacy Shield 2 has been mooted but the European Commission has warned thereâs no quick fix, suggesting reform of US surveillance law will be required.)
For his part Schrems has suggested the solution for Facebook at least is to federate its service â splitting its infrastructure in two. But Thierry Breton, EU commissioner for the internal market, has also called for âEuropean dataâ¦[to] be stored and processed in Europeâ â arguing earlier this month this data âbelong in Europeâ and âthere is nothing protectionist about thisâ, in a discussion that flowed from US president Trumpâs concerns about TikTok.
Back in Ireland, Facebook has complained to the courts that regulatory action over its EU-EU data transfers is being rushed (despite the complaint dating back to 2013); and also that itâs being unfairly singled out.
But now with data transfer complaints filed by noyb against scores of companies on the desk of every EU data supervisor, and regulators under explicit ECJ instruction they have a duty to step in a lot of pressure is being exerted to actually enforce the law and uphold Europeansâ data rights.
The European Data Protection Boardâs guidance on Schrems II â which Facebook had also claimed to be waiting for â also specifies that the ability to (legally) use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that âU.S. law does not impinge on the adequate level of protectionâ for the transferred data. So Facebook et al would do well to lobby the US government on reform of FISA.Â
Click here for more...
from #Bangladesh #News aka Bangladesh News Now!!!
No comments:
Post a Comment