EU websites use of Google Analytics and Facebook Connect targeted by post-Schrems II privacy complaints
Among the entities listed in its complaint are ecommercecompanies, publishers & broadcasters, telcos & ISPs, banks and universities including Airbnb Ireland, Allied Irish Banks, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, Takeaway.com and Tele2, to name a few.
A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union despite both companies clearly falling under US surveillance laws, such as FISA 702, the campaign group writes on its website.
Google still claims to rely on the Privacy Shield a month after it was invalidated, while Facebook continues to use the SCCs , despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.
Weve reached out to Facebook and Google with questions about their legal bases for such transfers and will update this report with any response.
His updated complaint ended up taking down the EU-US Privacy Shield last month although hed actually targeted Facebooks use of a separate data transfer mechanism , urging its data supervisor, Irelands DPC, to step in and suspend its use of that tool.
The regulator chose to go to court instead, raising wider concerns about the legality of EU-US data transfer arrangements which resulted in the CJEU concluding that the Commission should not have granted the US a so-called adequacy agreement, thus pulling the rug out from under Privacy Shield.
The decision means the US is now whats considered a third country in data protection terms, with no special arrangement to enable it to process EU users information.
Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now, said Schrems, honorary chair of noyb.eu, in a statement.
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place, the EDPB added.
We use cookies and analyse traffic to this site. By continuing to use this site, closing this banner, or clicking "I Agree", you agree to the use of cookies. Read our privacy poplicy for more information.