Schrems III to CIV
Management Summary
A total of 101 complaints were sent to 17 different supervisory authorities, reporting companies that continue to exchange data with Facebook and Google despite the ECJ ruling about a month ago on the invalidity of the EU-US Privacy Shield (C-311/18, “Schrems II”). According to noyb, the companies from all EU and EEA countries were selected “based on European TLDs (such as “.de” for Germany), two specific tracking codes and the rough number of visitors to the site […]” (https://noyb.eu/de/101-complaints-to-eu-us-transfers-submitted).
The complaints allege violations of the GDPR through the transfer of data to the USA after the end of the Privacy Shield. Their aim is effective, proportionate and dissuasive fines against the companies that use Google Analytics, for example, and of course also against Facebook and Google themselves.
What is interesting is that the companies concerned are also to be deprived of the use of standard contractual clauses – which were still considered valid under certain conditions in the ECJ ruling – as a legal basis. The reason for this is the surveillance laws in the USA, which are known to deny EU citizens the data subject rights granted under the GDPR.
At this point it should be noted that, according to noyb’s complaints, the future data processing conditions of Facebook “which will come into force only 6 weeks after the judgment (!)” (quoted from https://noyb.eu/files/C29/complaint-46.pdf – point 1.10) in turn still refer to the obsolete EU-US Privacy Shield. If this is actually the case, it is of course a mistake on Facebook’s part, which exposes their customers to legal risk and potential financial claims.
According to initial discussions, the complaints against Facebook appear to be more promising than those concerning Google Analytics, because if all the requirements – no processing of personal data, IP anonymization – are adhered to, the attack surface should be small.
Important: If you haven’t done so yet, conclude the standard contractual clauses that Google offers. These should remain valid at least until a clear decision from the ECJ and therefore provide you with a functioning legal basis. The same applies to Facebook customers – and in addition, all processes and contracts should be subject to a detailed assessment. Absolute risk avoidance can probably only be achieved by stopping the (possible) transfer of personal data to the USA.
Finally, it remains to be said that these are currently “just” complaints, albeit well-argued ones. Until one of the data protection authorities involved has decided, and possible objections from Google and Facebook and clarifying requests to the ECJ, along with its decision, have run their course, the legal situation remains unclear.
Our recommendation: Use a professional consent management platform to obtain consent for your online marketing activities. We have supported many large companies in implementing tailor-made and reliably functioning solutions!
Our white paper, which you can download free of charge here, gives you an overview of the various consent management platforms. Further important and interesting information on the subject of consent management in general can be found here.