A new report indicates that US tech giants like Facebook and Netflix are failing to handle US-EU data transfers legally – but the US government is claiming that it shouldn’t be cause for concern.
Austrian privacy campaigner Max Schrems made use of his legal right to ask 33 companies how they handle personal data transfers, such as which countries customer data is sent to and on what legal basis.
“The responses ranged from detailed explanations, to admissions that these companies have no clue what is happening, to shockingly aggressive denials of the law,” says Schrems.
Some companies, including Airbnb, Netflix, and WhatsApp, didn’t reply to requests for information, while others simply redirected researchers to their privacy policies. Microsoft, says Schrems, answered every question – but claimed it could transfer personal data to the US under Standard Contractual Clauses, despite clearly providing data to the US government under FISA 702.
“Overall, we were astonished by how many companies were unable to provide little more than a boilerplate answer,” says Schrems.
“The companies that did provide answers largely are simply not complying with the CJEU judgment. It seems that most of the industry still does not have a plan as to how to move forward.”
Transatlantic data transfers have been a thorny issue since July, when the EU ruled that the 2016 Privacy Shield agreement was invalid, as US government surveillance practices meant that privacy couldn’t be guaranteed.
Since then, while companies have attempted to use other legal mechanisms to keep data flowing, Schrems’s campaign group, noyb, has filed more than 100 complaints that companies are still sending European data to the US via Google Analytics or Facebook Connect.
However, with the release of a new white paper, the US government is now attempting to sideline the issue by suggesting that there’s really nothing to worry about in the first place.
In an accompanying letter, Department of Commerce deputy assistant secretary James Sullivan claims, somewhat surprisingly, that ‘the US legal framework for foreign intelligence collection provides clearer limits, stronger safeguards, and more rigorous independent oversight than the equivalent laws of almost all other countries’.
The paper also argues that, even if the government does have overly broad surveillance practices, this shouldn’t be a concern, as most companies ‘do not deal in data that is of any interest to US intelligence agencies, and have no grounds to believe they do’.
The EU is unlikely to be entirely reassured.