PH Privacy

The Battle Continues: 101 Complaints are Filed Against Companies Transferring Data to the United States

August 21, 2020

Sarah Pearce and Ashley Webber

The dust hasn’t even settled since the Court of Justice of the European Union (“CJEU”) declared Privacy Shield invalid and called into question the use of the Standard Contractual Clauses (“SCCs”) (further details can be found here), but already Max Schrems and noyb have filed 101 complaints across EU member states regarding personal data transfers in contravention of the law and the recent CJEU decision.
The complaints have been filed against many well-known organisations in the EU, the full list of which can be seen on the noyb website.  (noyb, which stands for “none of your business”, is a non-profit that was formed to litigate for privacy rights in Europe.)

In a statement, noyb explained that following a “quick analysis of the HTML source code of major EU webpages”, it was apparent that many companies still transfer personal data to two leading tech companies in the US one month after the decision by the CJEU, despite the relevant companies “clearly falling under US surveillance laws, such as FISA 702”. In noyb’s view, whilst both recipient organisations in question intend to rely on the SCCs to receive the personal data in the United States, this cannot be lawful following the CJEU decision because the US surveillance laws to which they are subject violate the rights granted under EU law. According to the statement, in addition to filing 101 complaints in the EU, complaints have also been filed against the relevant tech companies in the United States for continuing to accept the data despite the breach of the GDPR.
It’s clear from the reasoning in their issued statement that Schrems and noyb are leveraging the decision by the CJEU to seek further to restrict transfers of personal data to the United States, although one might ask what the next move would have been if the CJEU had also declared the SCCs invalid…

It is now up to the relevant data protection authorities to investigate the complaints and determine whether to take action against the exporting companies. Given the number of data protection authorities involved, a common and consistent approach, although preferable, may be difficult to achieve.  Regardless, one should not expect a quick resolution to this matter.  If the decision in Schrems II is any indicator, it will be some time before the relevant data protection authorities come to a decision (or decisions), by which time the new SCCs may even have been released by the European Commission.  If this is the case and the new SCCs are implemented to transfer the personal data related to the 101 complaints, this could have an impact on the complaints, particularly if the new SCCs are, in fact, deemed to offer adequate protection when transferring personal data to the United States.

In any event, one benefit to come from these complaints is that the data protection authorities will be under pressure to provide further guidance on the use of the SCCs going forward, notably with respect to transferring personal data to the United States, which will be extremely beneficial in helping better to understand the implications of the CJEU’s judgment.