Big U.S. Tech Firms Fail to Comply with Europe Privacy Data Laws

Technology firms' compliance with European restrictions on transatlantic data transfers is shockingly poor, Austrian privacy campaigner Max Schrems said on Monday, publishing a survey of companies including Facebook and Netflix.

Source: Reuters | Published on September 28, 2020

The Court of Justice of the European Union (CJEU) ruled in July that the data arrangement set up in 2016, called Privacy Shield, was invalid under Europe's privacy framework because of concerns about U.S. surveillance.

The ruling effectively ends the privileged access that U.S. companies such as Facebook had to personal data from Europe. It puts the country on a similar footing to other nations outside the EU, meaning data transfers are likely to face closer scrutiny.

The survey, conducted by Schrems' digital rights group NOYB - short for None of Your Business - covered 33 companies. Most were American, but some were based in the EU and Britain.

Exercising the right of customers to ask companies how their data is handled under the EU's General Data Protection Regulation (GDPR), the survey drew a mixed bag of responses - some firms did not respond and others gave misleading answers.

"The responses ranged from detailed explanations, to admissions that these companies have no clue what is happening, to shockingly aggressive denials of the law,” said Schrems.

NOYB said that rental platform AirBnB, streaming service Netflix and Facebook chat app WhatsApp didn't reply, while other companies referred to privacy policies that did not address the questions asked.

Business collaboration platform Slack said it would not "voluntarily" pass on user data to the U.S. authorities, failing to address concerns that Washington has the legal power to conduct targeted surveillance of non-U.S. citizens overseas.

“Overall, we were astonished by how many companies were unable to provide little more than a boilerplate answer," said Schrems.

"The companies that did provide answers largely are simply not complying with the CJEU judgment. It seems that most of the industry still does not have a plan as to how to move forward.”