Transfer of personal data: Google in the sights of activists after an unfavorable decision in Austria

The Austrian NGO NOYB (for "None of your business": "it's not your business") is once again at work.

It was she who had snatched in 2020 the invalidation of the legal mechanism allowing the transfer of personal data from the EU to the United States (named Privacy Shield) by the Court of Justice of the EU (CJEU)

She had subsequently filed numerous complaints in Europe to denounce the circumvention strategies put in place by the major web companies.

Last week, the organization scored its first victory when the Austrian data protection authority ruled that the industry-leading and ubiquitous Google Analytics audience measurement tool was transferring data from European users in the United States, thereby exposing them to surveillance programs set up by American intelligence.

Contacted by AFP, the authority did not specify Thursday whether this decision could lead to sanctions or how it intended to apply it to the millions of websites that use Google Analytics.

In a blog post published on Wednesday, the US group tried to play down the decision and called on the EU and the US to negotiate a new legal framework for data transfers as soon as possible.

"Bullshit language elements" ("Bullshit PR"), stormed Thursday on Twitter Max Schrems, the activist at the head of NOYB, who accuses Google of deflecting the subject of American intelligence reform.

According to him, it is not up to European justice to adapt, but to American legislators to better protect consumers of Google, Microsoft, Amazon, Apple and Meta (parent company of Facebook), as soon as their data is processed. in the USA.

"Otherwise your customers will leave sooner or later, the same way they don't trust Russian or Chinese cloud providers," he added.

Max Schrems, the activist at the head of NOYB, on April 16, 2021 in Vienna JOE KLAMAR AFP / Archives

The battle over privacy is one of many tussles between the US digital giants and European authorities, who also accuse them of evading taxes, perpetuating anti-competitive practices, or failing to not fight hate speech effectively enough.

No "inflexible rule"

The 101 cases launched by NOYB in different countries concern either Google Analytics or its Facebook Connect counterpart.

Since the invalidation of the Privacy Shield in July 2020, which was already the second agreement on the subject, the EU and the United States have only held sporadic meetings without reaching an agreement to define a new framework allowing Combine European Personal Data Regulation (GDPR) and US regulations.

American companies that used the Privacy Shield, such as Facebook, fell back on another European data transfer mechanism, the "standard contractual clauses" (SCC), which offer fewer legal guarantees.

American companies that used the Privacy Shield, such as Facebook, fell back on another European data transfer mechanism Kirill KUDRYAVTSEV AFP/Archives

“Instead of actually adapting their services to be GDPR compliant, US companies have simply tried to add text to their privacy policy and ignore the Court of Justice ruling,” commented Ms. Shrems after the Austrian decision.

According to Google's chief lawyer, Kent Walker, author of the blog post, requests from US security agencies regarding the statistical tools are very unlikely and, moreover, the CJEU's decision should not impose a "inflexible standard" that would block the global flow of data.

However, "it is time to find a new framework" for these exchanges, expected by companies on both sides of the Atlantic, he pleaded.

European Commission spokesman Christian Wigand said on Thursday that talks had intensified in recent months, but the issues were "complex" and negotiations "would take time".

© 2022 AFP