Facebook is facing the prospect of not being able to move data about its European users to the United States, after European regulators raised concerns that such transfers do not adequately protect the information from American government surveillance.
The social network said on Wednesday that the Irish Data Protection Commission had begun an inquiry into its movement of data on European users to the United States. The Irish regulator oversees Facebook’s data practices in Europe and can fine it up to 4 percent of its global revenue for breaking European data protection laws.
The Silicon Valley company may now have to overhaul its operations to keep data on Europeans stored within the European Union, an immensely complicated task given the way that Facebook moves data among data centers around the world.
The inquiry, earlier reported by The Wall Street Journal, is the first major fallout of a European Union high court decision in July that invalidated a key trans-Atlantic agreement called Privacy Shield. That agreement between the United States and European Union had allowed businesses to send data between the two regions, but the court struck it down, saying Europeans did not have sufficient protections from American spy agencies.
The ruling affects thousands of businesses, but Facebook’s data-sharing practices have been under particular scrutiny by European authorities. Facebook had argued that the court allowed certain kinds of legal contracts to continue transferring data, but Irish regulators disagreed and said those arrangements were invalid.
Facebook has until later this month to respond to Ireland’s complaint, then the Irish regulator will make a final decision toward the end of the year. Facebook could challenge that judgment in court.
“A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the E.U., just as we seek a recovery from Covid-19,” Nick Clegg, Facebook’s vice president of global affairs, said of the moves. “The impact would be felt by businesses large and small, across multiple sectors.”
Ireland’s Data Protection Commission declined to comment.
Facebook’s experience will be closely watched by other major tech companies, like Google, that also depend on transferring data between the United States and Europe.
American and European officials have expressed a desire to work out a new data-sharing agreement. But legal experts have said complying with the European court ruling will require substantive changes to American surveillance laws to give Europeans added privacy protections.
In the wake of yesterday’s landmark ruling by Europe’s top court — striking down a flagship transatlantic data transfer framework called Privacy Shield, and cranking up the legal uncertainty around processing EU citizens’ data in the U.S. in the process — Europe’s lead data protection regulator has fired its own warning shot at the region’s data protection authorities (DPAs), essentially telling them to get on and do the job of intervening to stop people’s data flowing to third countries where it’s at risk.
The original complaint that led to the Court of Justice of the EU (CJEU) ruling focused on Facebook’s use of a data transfer mechanism called Standard Contractual Clauses (SCCs) to authorize moving EU users’ data to the U.S. for processing.
Complainant Max Schrems asked the Irish Data Protection Commission (DPC) to suspend Facebook’s SCC data transfers in light of U.S. government mass surveillance programs. Instead, the regulator went to court to raise wider concerns about the legality of the transfer mechanism.
That in turn led Europe’s top judges to nuke the Commission’s adequacy decision, which underpinned the EU-U.S. Privacy Shield — meaning the U.S. no longer has a special arrangement greasing the flow of personal data from the EU. Yet, at the time of writing, Facebook is still using SCCs to process EU users’ data in the U.S. Much has changed, but the data hasn’t stopped flowing — yet.
Yesterday the tech giant said it would “carefully consider” the findings and implications of the CJEU decision on Privacy Shield, adding that it looked forward to “regulatory guidance.” It certainly didn’t offer to proactively flip a kill switch and stop the processing itself.
Ireland’s DPA, meanwhile, which is Facebook’s lead data regulator in the region, sidestepped questions over what action it would be taking in the wake of yesterday’s ruling — saying it (also) needed (more) time to study the legal nuances.
The DPC’s statement also only went so far as to say the use of SCCs for taking data to the U.S. for processing is “questionable” — adding that case by case analysis would be key.
The regulator remains the focus of sustained criticism in Europe over its enforcement record for major cross-border data protection complaints — with still zero decisions issued more than two years after the EU’s General Data Protection Regulation (GDPR) came into force, and an ever-growing backlog of open investigations into the data processing activities of platform giants.
In May, the DPC finally submitted to other DPAs for review its first draft decision on a cross-border case (an investigation into a Twitter security breach), saying it hoped the decision would be finalized in July. At the time of writing we’re still waiting for the bloc’s regulators to reach consensus on that.
The painstaking pace of enforcement around Europe’s flagship data protection framework remains a problem for EU lawmakers — whose two-year review last month called for uniformly “vigorous” enforcement by regulators.
The European Data Protection Supervisor (EDPS) made a similar call today, in the wake of the Schrems II ruling — which only looks set to further complicate the process of regulating data flows by piling yet more work on the desks of underfunded DPAs.
“European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country,” writes EDPS Wojciech Wiewiórowski, in a statement, which warns against further dithering or can-kicking on the intervention front.
“The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among the European supervisory authorities in the implementation of the EU framework for international transfers of personal data,” he goes on, calling for more joint working by the bloc’s DPAs.
Wiewiórowski’s statement also highlights what he dubs “welcome clarifications” regarding the responsibilities of data controllers and European DPAs — to “take into account the risks linked to the access to personal data by the public authorities of third countries.”
“As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge,” he adds.
Part of the complexity of enforcement of Europe’s data protection rules is the lack of a single authority; a varied patchwork of supervisory authorities responsible for investigating complaints and issuing decisions.
Now, with a CJEU ruling that calls for regulators to assess third countries themselves — to determine whether the use of SCCs is valid in a particular use-case and country — there’s a risk of further fragmentation should different DPAs jump to different conclusions.
Yesterday, in its response to the CJEU decision, Hamburg’s DPA criticized the judges for not also striking down SCCs, saying it was “inconsistent” for them to invalidate Privacy Shield yet allow this other mechanism for international transfers. Supervisory authorities in Germany and Europe must now quickly agree how to deal with companies that continue to rely illegally on the Privacy Shield, the DPA warned.
In the statement, Hamburg’s data commissioner, Johannes Caspar, added: “Difficult times are looming for international data traffic.”
He also shot off a blunt warning that: “Data transmission to countries without an adequate level of data protection will… no longer be permitted in the future.”
Compare and contrast that with the Irish DPC talking about use of SCCs being “questionable,” case by case. (Or the U.K.’s ICO offering this bare minimum.)
Caspar also emphasized the challenge facing the bloc’s patchwork of DPAs to develop and implement a “common strategy” toward dealing with SCCs in the wake of the CJEU ruling.
In a press note today, Berlin’s DPA also took a tough line, warning that data transfers to third countries would only be permitted if they have a level of data protection essentially equivalent to that offered within the EU.
In the case of the U.S. — home to the largest and most used cloud services — Europe’s top judges yesterday reiterated very clearly that that is not in fact the case.
“The CJEU has made it clear that the export of data is not just about the economy but people’s fundamental rights must be paramount,” Berlin data commissioner Maja Smoltczyk said in a statement [which we’ve translated using Google Translate].
“The times when personal data could be transferred to the U.S. for convenience or cost savings are over after this judgment,” she added.
Both DPAs warned the ruling has implications for the use of cloud services where data is processed in other third countries where the protection of EU citizens’ data also cannot be guaranteed too, i.e. not just the U.S.
On this front, Smoltczyk name-checked China, Russia and India as countries EU DPAs will have to assess for similar problems.
“Now is the time for Europe’s digital independence,” she added.
Some commentators (including Schrems himself) have also suggested the ruling could see companies switching to local processing of EU users’ data. Though it’s also interesting to note the judges chose not to invalidate SCCs — thereby offering a path to legal international data transfers, but only provided the necessary protections are in place in that given third country.
Also issuing a response to the CJEU ruling today was the European Data Protection Board (EDPB). AKA the body made up of representatives from DPAs across the bloc. Chair Andrea Jelinek put out an emollient statement, writing that: “The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.”
Short of radical changes to U.S. surveillance law, it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny “new and improved” replacement didn’t even last five.
In the wake of the CJEU ruling, data exporters and importers are required to carry out an assessment of a country’s data regime to assess adequacy with EU legal standards before using SCCs to transfer data there.
“When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR,” Jelinek writes.
“If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.”
Again, it’s not clear what “additional measures” a platform could plausibly deploy to “fix” the gaping lack of redress afforded to foreigners by U.S. surveillance law. Major legal surgery does seem to be required to square this circle.
Jelinek said the EDPB would be studying the judgement with the aim of putting out more granular guidance in the future. But her statement warns data exporters they have an obligation to suspend data transfers or terminate SCCs if contractual obligations are not or cannot be complied with, or else to notify a relevant supervisory authority if it intends to continue transferring data.
In her roundabout way, she also warns that DPAs now have a clear obligation to terminate SCCs where the safety of data cannot be guaranteed in a third country.
“The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer,” Jelinek writes.
One thing is crystal clear: Any sense of legal certainty U.S. cloud services were deriving from the existence of the EU-U.S. Privacy Shield — with its flawed claim of data protection adequacy — has vanished like summer rain.
LONDON — In the southeast corner of Ireland, Brian Byrne’s event-planning business was confronting a calamity. It was the middle of March, and the coronavirus pandemic was nearing peak lethality. As the government barred gatherings like music festivals, his revenue disappeared, forcing him to consider laying off his four full-time workers.
But a swiftly arranged government program spared their jobs. It provided 70 to 85 percent of their wages, enabling Mr. Byrne to keep them employed.
“It oddly hasn’t been a stressful time,” he said. “I can keep the team together, keep them motivated. We’re basically doing everything we can to be ready for when the restrictions are eased.”
Across the Atlantic in New York, the pandemic cost Salvador Dominguez his job selling Manhattan real estate. He eventually qualified for an emergency expansion of federal unemployment benefits, but not before 72 agonizing days of waiting. He borrowed from friends and family members to pay his rent, and he harvested food from the trash at a high-end grocery store.
“How can I describe it?” said Mr. Dominguez, 39, taking a breath. “It was very tough.” He added, “I didn’t feel alone, because I knew a lot of people like me were doing it.”
The pandemic has ravaged Europeans and Americans alike, but the economic pain has played out in starkly different fashion. The United States has relied on a significant expansion of unemployment insurance, cushioning the blow for tens of millions of people who have lost their jobs, with the assumption that they will be swiftly rehired once normality returns. European countries — among them Denmark, Ireland, Britain, France, the Netherlands, Spain and Austria — have prevented joblessness by effectively nationalizing payrolls, heavily subsidizing wages and enabling paychecks to continue uninterrupted.
As cases increase at an alarming rate in much of the United States, the reliance on an overwhelmed unemployment system — the next infusion of money perpetually subject to the whims of Washington — leaves Americans uniquely exposed to a deepening crisis of joblessness. Europe appears poised to spring back from the catastrophe faster, whenever commerce resumes, because its companies need not rehire workers.
“You just send an email, and that’s it — you’re ready to go,” said Jonathan Rothwell, principal economist at Gallup, the American polling firm, and a nonresident senior fellow at the Brookings Institution. “There’s no recruitment or negotiation.”
Some have argued that the differing approaches are functionally equivalent. European taxpayers are writing checks to employers who wind up paying workers. American taxpayers are furnishing relief through unemployment payments.
“I think it’s a real open question,” said Jason Furman, an economic adviser to President Barack Obama, “which of those will be better in the long term. They might be more similar than everyone thinks.” He was speaking during a recent discussion with Stephanie Flanders of Bloomberg.
But conversations with recipients of government relief in Europe and the United States reveal one substantial difference: In many European countries, wage subsidies have enabled paychecks to continue without a hitch, sparing people the anxiety of managing bills while awaiting relief. For Americans, hellish tangles with bureaucracy have become legion as tens of millions of people have deluged the unemployment system, crashing websites, tying up phone systems and standing in parking lots for hours outside benefits offices.
Far from an accident, this reflects the values animating American capitalism, in which social safety nets are minimal, leaving people to struggle with scant relief. The pandemic “exposes the fact that we have a system problem,” said Joseph Stiglitz, the Nobel laureate economist. “A system where 50 percent of the people are on the edge is not a resilient system.”
The American Paycheck Protection Program has similarities to Europe’s wage subsidy programs. It has directed $520 billion in loans through private banks to small businesses. If American employers limit layoffs, they do not have to repay the money. Five million businesses have received funding, but bewildering rules and technical glitches have limited broader participation.
Washington also increased standard unemployment benefits by $600 a week, often giving recipients more than they earned in their jobs. But in requiring that workers transition from payrolls to the unemployment system, the government effectively consigned people to torturous delays.
Jobless data reveals how the pandemic has assailed American workers with exceptional force. The unemployment rate in the United States has soared nearly eight percentage points since February — it registered 11.1 percent in June — while France, Germany, Ireland and the Netherlands have all limited increases in the jobless rate to less than one percentage point.
“By and large, the European social model has proved quite adept and robust for this kind of crisis,” said Jacob F. Kirkegaard, a senior fellow at the Peterson Institute for International Economics in Washington.
None of this offers guarantees about the future. In many countries, the United States included, pandemic aid programs are set to expire in coming months. Given persistent fears about the virus, an abrupt elimination of relief would be damaging.
In Britain, nine million workers have officially been furloughed while continuing to draw paychecks under a government program. But as many as a fourth are at risk of being fired when the government reduces the subsidy in September, according to Bloomberg. In the United States, extra jobless benefits expire at the end of July, prompting worries that the removal of this aid will spell a loss of spending, further damaging businesses and producing another spike in unemployment.
For Americans, the risks are heightened by the fact that the nation lacks a national medical system — a feature taken as a given in Europe — leaving most people reliant on their jobs for access to health care.
For now, European programs are insulating workers from the consequences.
In Spain, the terrifying spread of the virus prompted the government to order a halt to nonessential services in mid-March. That threatened the livelihood of Ana Ascaso, a mother of three who works as a waitress at a popular bar in the center of Zaragoza, a city of 700,000 people in the northeast of the country. Her husband had been out of work for more than a year.
Within hours of announcing the state of alarm, the Spanish government also approved an “act of God” wage subsidy program. Ms. Ascaso and the other eight employees at the bar would technically be furloughed — their jobs awaiting their return — while the government paid 70 percent of their wages.
“It was very sad seeing the rising death rate, but I felt lucky that the only thing I had to worry about was my health and the health of my loved ones,” she said.
The bar where Ms. Ascaso works reopened late last month. The tables are set farther apart than before. She wears a mask as she serves drinks and tapas.
“For me, the wage subsidy was a gift,” she said.
Isabel Santander, who has long worked in a Zaragoza factory that makes automobile dashboards, endured a two-month delay for her government-furnished wage subsidy. But her bank advanced the money while she waited.
“I was able to feel relaxed at home,” she said. She spent time with her two daughters. Her company plans to resume production in early July, bringing back all 200 employees.
A commentary published this month on the website of the British Journal of Sports Medicine points out that covering your face during exercise “comes with issues of potential breathing restriction and discomfort” and requires “balancing benefits versus possible adverse events.” Masks do alter exercise, says Cedric X. Bryant, the president and chief science officer of the American Council on Exercise, a nonprofit organization that funds exercise research and certifies fitness professionals. “In my personal experience,” he says, “heart rates are higher at the same relative intensity when you wear a mask.” Some people also could experience lightheadedness during familiar workouts while masked, says Len Kravitz, a professor of exercise science at the University of New Mexico.
I’ve heard about a treatment called dexamethasone. Does it work?
The steroid, dexamethasone, is the first treatment shown to reduce mortality in severely ill patients, according to scientists in Britain. The drug appears to reduce inflammation caused by the immune system, protecting the tissues. In the study, dexamethasone reduced deaths of patients on ventilators by one-third, and deaths of patients on oxygen by one-fifth.
What is pandemic paid leave?
The coronavirus emergency relief package gives many American workers paid leave if they need to take time off because of the virus. It gives qualified workers two weeks of paid sick leave if they are ill, quarantined or seeking diagnosis or preventive care for coronavirus, or if they are caring for sick family members. It gives 12 weeks of paid leave to people caring for children whose schools are closed or whose child care provider is unavailable because of the coronavirus. It is the first time the United States has had widespread federally mandated paid leave, and includes people who don’t typically get such benefits, like part-time and gig economy workers. But the measure excludes at least half of private-sector workers, including those at the country’s largest employers, and gives small employers significant leeway to deny leave.
Does asymptomatic transmission of Covid-19 happen?
So far, the evidence seems to show it does. A widely cited paper published in April suggests that people are most infectious about two days before the onset of coronavirus symptoms and estimated that 44 percent of new infections were a result of transmission from people who were not yet showing symptoms. Recently, a top expert at the World Health Organization stated that transmission of the coronavirus by people who did not have symptoms was “very rare,” but she later walked back that statement.
What’s the risk of catching coronavirus from a surface?
Touching contaminated objects and then infecting ourselves with the germs is not typically how the virus spreads. But it can happen. A number of studies of flu, rhinovirus, coronavirus and other microbes have shown that respiratory illnesses, including the new coronavirus, can spread by touching contaminated surfaces, particularly in places like day care centers, offices and hospitals. But a long chain of events has to happen for the disease to spread that way. The best way to protect yourself from coronavirus — whether it’s surface transmission or close human contact — is still social distancing, washing your hands, not touching your face and wearing masks.
How does blood type influence coronavirus?
A study by European scientists is the first to document a strong statistical link between genetic variations and Covid-19, the illness caused by the coronavirus. Having Type A blood was linked to a 50 percent increase in the likelihood that a patient would need to get oxygen or to go on a ventilator, according to the new study.
How many people have lost their jobs due to coronavirus in the U.S.?
The unemployment rate fell to 13.3 percent in May, the Labor Department said on June 5, an unexpected improvement in the nation’s job market as hiring rebounded faster than economists expected. Economists had forecast the unemployment rate to increase to as much as 20 percent, after it hit 14.7 percent in April, which was the highest since the government began keeping official statistics after World War II. But the unemployment rate dipped instead, with employers adding 2.5 million jobs, after more than 20 million jobs were lost in April.
How can I protect myself while flying?
If air travel is unavoidable, there are some steps you can take to protect yourself. Most important: Wash your hands often, and stop touching your face. If possible, choose a window seat. A study from Emory University found that during flu season, the safest place to sit on a plane is by a window, as people sitting in window seats had less contact with potentially sick people. Disinfect hard surfaces. When you get to your seat and your hands are clean, use disinfecting wipes to clean the hard surfaces at your seat like the head and arm rest, the seatbelt buckle, the remote, screen, seat back pocket and the tray table. If the seat is hard and nonporous or leather or pleather, you can wipe that down, too. (Using wipes on upholstered seats could lead to a wet seat and spreading of germs rather than killing them.)
What should I do if I feel sick?
If you’ve been exposed to the coronavirus or think you have, and have a fever or symptoms like a cough or difficulty breathing, call a doctor. They should give you advice on whether you should be tested, how to get tested, and how to seek medical treatment without potentially infecting or exposing others.
In Ireland, the wage subsidy approach has not merely prevented workers from falling into arrears. It has also maintained their sense of cohesion.
Ian Redmond operates several nightclubs and bars in Dublin, employing over 100 people. He opened a tiki bar in January, right before the pandemic, assembling a team skilled in the art of cocktails. The wage subsidy program has spared him from having to start over.
“The government has been very proactive,” he said.
As Mr. Byrne, who runs the events, looks ahead to a new era of music performances and comedy shows with smaller crowds and social distancing, his employees have been able to carry on with their lives. One of his workers had been in the process of buying a house.
“If she was unemployed, she would have had a lot of difficulty getting a mortgage,” Mr. Byrne said. She was approved, and the sale is going ahead — presumably setting up future business for carpenters, electricians and a range of other services sustained by homeowners drawing paychecks.
The Irish government sought to protect jobs in two rapid bursts. First, in mid-March, it unleashed payments of 350 euros ($395) to all who were out of work, regardless of their earnings. Then, it followed up with the wage subsidy plan, agreeing to cover up to €410 in pay per week at companies whose revenues dropped by at least 25 percent.
“These two schemes,” Mr. Byrne said, “they have really kept the country open.”
The American approach, by contrast, has barraged the unemployment system with people in dire straits, exceeding its capacity to deliver.
Normally, Mr. Dominguez, the Manhattan real estate agent, would not have been eligible for unemployment, because he was a contract worker. But the pandemic prompted Congress to make benefits available to freelancers and self-employed workers.
When he initially applied, he was told that he had to be rejected for state benefits before he could qualify for the federal benefits — a cumbersome, time-consuming requirement.
After New York petitioned the federal government to change the rules, Mr. Dominguez applied again through the website and was told he would hear back within 72 hours.
Days turned into weeks and then months as his bills mounted. He dialed every state number he could find to plead his case. He joined Facebook groups with other jobless workers awaiting relief. He contacted his political representatives.
He did receive a $1,200 stimulus check from the federal government, supplementing that money with borrowed funds to cover the $2,800-a-month rent on his one-bedroom apartment.
He signed up for distribution at a food pantry. Then, a friend tipped him off to what passed for a gold mine in such times: Citarella, a famously expensive purveyor of fresh seafood and other gustatory treasure, tossed out expired food daily. He began stopping by the store after closing time, rooting through the trash for nourishing discards.
More than 10 weeks after he applied for unemployment benefits, Mr. Dominguez received word that he had qualified.
He was still awaiting his first check — $170 in state benefits, plus the $600 in expanded federal relief. And the money was effectively spent: He had to pay back what he had borrowed.
Peter S. Goodman reported from London, Patricia Cohen from New York, and Rachel Chaundler from Zaragoza, Spain.
France’s top court for administrative law has dismissed Google’s appeal against a $57M fine issued by the data watchdog last year for not making it clear enough to Android users how it processes their personal information.
The State Council issued the decision today, affirming the data watchdog CNIL’s earlier finding that Google did not provide “sufficiently clear” information to Android users — which in turn meant it had not legally obtained their consent to use their data for targeted ads.
“Google’s request has been rejected,” a spokesperson for the Conseil D’Etat confirmed to TechCrunch via email.
“The Council of State confirms the CNIL’s assessment that information relating to targeting advertising is not presented in a sufficiently clear and distinct manner for the consent of the user to be validly collected,” the court also writes in a press release [translated with Google Translate] on its website.
It found the size of the fine to be proportionate — given the severity and ongoing nature of the violations.
Importantly, the court also affirmed the jurisdiction of France’s national watchdog to regulate Google — at least on the date when this penalty was issued (January 2019).
The CNIL’s multimillion dollar fine against Google remains the largest to date against a tech giant under Europe’s flagship General Data Protection Regulation (GDPR) — lending the case a certain symbolic value, for those concerned about whether the regulation is functioning as intended vs platform power.
While the size of the fine is still relative peanuts vs Google’s parent entity Alphabet’s global revenue, changes the tech giant may have to make to how it harvests user data could be far more impactful to its ad-targeting bottom line.
Under European law, for consent to be a valid legal basis for processing personal data it must be informed, specific and freely given. Or, to put it another way, consent cannot be strained.
In this case French judges concluded Google had not provided clear enough information for consent to be lawfully obtained — including objecting to a pre-ticked checkbox which the court affirmed does not meet the requirements of the GDPR.
So, tl;dr, the CNIL’s decision has been entirely vindicated.
Reached for comment on the court’s dismissal of its appeal, a Google spokeswoman sent us this statement:
People expect to understand and control how their data is used, and we’ve invested in industry-leading tools that help them do both. This case was not about whether consent is needed for personalised advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make.
GDPR came into force in 2018, updating long standing European data protection rules and opening up the possibility of supersized fines of up to 4% of global annual turnover.
However actions against big tech have largely stalled, with scores of complaints being funnelled through Ireland’s Data Protection Commission — on account of a one-stop-shop mechanism in the regulation — causing a major backlog of cases. The Irish DPC has yet to issue decisions on any cross border complaints, though it has said its first ones are imminent — on complaints involving Twitter and Facebook.
On the GDPR one-stop shop mechanism — and, indirectly, the wider problematic issue of ‘forum shopping’ and European data protection regulation — the French State Council writes: “Google believed that the Irish data protection authority was solely competent to control its activities in the European Union, the control of data processing being the responsibility of the authority of the country where the main establishment of the data controller is located, according to a ‘one-stop-shop’ principle instituted by the GDPR. The Council of State notes however that at the date of the sanction, the Irish subsidiary of Google had no power of control over the other European subsidiaries nor any decision-making power over the data processing, the company Google LLC located in the United States with this power alone.”
In its own statement responding to the court’s decision, the CNIL notes the court’s view that GDPR’s one-stop-shop mechanism was not applicable in this case — writing: “It did so by applying the new European framework as interpreted by all the European authorities in the guidelines of the European Data Protection Committee.”
Privacy NGO noyb — one of the privacy campaign groups which lodged the original ‘forced consent’ complaint against Google, all the way back in May 2018 — welcomed the court’s decision on all fronts, including the jurisdiction point.
Commenting in a statement, noyb’s honorary chairman, Max Schrems, said: “It is very important that companies like Google cannot simply declare themselves to be ‘Irish’ to escape the oversight by the privacy regulators.”
A key question is whether CNIL — or another (non-Irish) EU DPA — will be found to be competent to sanction Google in future, following its shift to naming its Google Ireland subsidiary as the regional data processor. (Other tech giants use the same or a similar playbook, seeking out the EU’s more ‘business-friendly’ regulators.)
French digital rights group, La Quadrature du Net — which had filed a related complaint against Google, feeding the CNIL’s investigation — also declared victory today, noting it’s the first sanction in a number of GDPR complaints it has lodged against tech giants on behalf of 12,000 citizens.
In a great example of what can happen when smart, technically-oriented people come together in a time of need, an open-source hardware project started by a group including Irish entrepreneur Colin Keogh and Breeze Automation CEO and co-founder Gui Calavanti has produced a prototype ventilator using 3D-printed parts and readily …
Facebook has been left red-faced after being forced to call off the launch date of its dating service in Europe because it failed to give its lead EU data regulator enough advanced warning — including failing to demonstrate it had performed a legally required assessment of privacy risks.
Late yesterday Ireland’s Independent.ie newspaper reported that the Irish Data Protection Commission (DPC) had sent agents to Facebook’s Dublin office seeking documentation that Facebook had failed to provide — using inspection and document seizure powers set out in Section 130 of the country’s Data Protection Act.
In a statement on its website the DPC said Facebook first contacted it about the rollout of the dating feature in the EU on February 3.
“We were very concerned that this was the first that we’d heard from Facebook Ireland about this new feature, considering that it was their intention to roll it out tomorrow, 13 February,” the regulator writes. “Our concerns were further compounded by the fact that no information/documentation was provided to us on 3 February in relation to the Data Protection Impact Assessment [DPIA] or the decision-making processes that were undertaken by Facebook Ireland.”
Facebook announced its plan to get into the dating game all the way back in May 2018, trailing its Tinder-encroaching idea to bake a dating feature for non-friends into its social network at its F8 developer conference.
At the time of its US launch Facebook said dating would arrive in Europe by early 2020. It just didn’t think to keep its lead EU privacy regulator in the loop — despite the DPC having multiple (ongoing) investigations into other Facebook-owned products at this stage.
Which is either extremely careless or, well, an intentional fuck you to privacy oversight of its data-mining activities. (Among multiple probes being carried out under Europe’s General Data Protection Regulation, the DPC is looking into Facebook’s claimed legal basis for processing people’s data under the Facebook T&Cs, for example.)
The DPC’s statement confirms that its agents visited Facebook’s Dublin office on February 10 to carry out an inspection — in order to “expedite the procurement of the relevant documentation”.
Which is a nice way of the DPC saying Facebook spent a whole weekstill not sending it the required information.
“Facebook Ireland informed us last night that they have postponed the roll-out of this feature,” the DPC’s statement goes on.
Which is a nice way of saying Facebook fucked up and is being made to put a product rollout it’s been planning for at least half a year on ice.
The DPC’s head of communications, Graham Doyle, confirmed the enforcement action, telling us: “We’re currently reviewing all the documentation that we gathered as part of the inspection on Monday and we have posed further questions to Facebook and are awaiting the reply.”
“Contained in the documentation we gathered on Monday was a DPIA,” he added.
This begs the question why Facebook didn’t send the DPIA to the DPC on February 3 — unless of course this document did not actually exist on that date…
We’ve reached out to Facebook for comment — and to ask when it carried out the DPIA. Update: A Facebook spokesperson has now sent this statement:
It’s really important that we get the launch of Facebook Dating right so we are taking a bit more time to make sure the product is ready for the European market. We worked carefully to create strong privacy safeguards, and complete the data processing impact assessment ahead of the proposed launch in Europe, which we shared with the IDPC when it was requested.
We’ve asked the company why, if it’s “really important” to get the launch “right” it did not provide the DPC with the required documentation in advance — instead of the regulator having to send agents to Facebook’s offices to get it themselves. We’ll update this report with any response.
We’ve also asked the DPC to confirm its next steps. The regulator could ask Facebook to make changes to how the product functions in Europe if it’s not satisfied it complies with EU laws. So a delay may mean many things.
Under GDPR there’s a requirement for data controllers to bake privacy by design and default into products which are handling people’s information. (And a dating product clearly would be.)
While a DPIA — which is a process whereby planned processing of personal data is assessed to consider the impact on the rights and freedoms of individuals — is a requirement under the GDPR when, for example, individual profiling is taking place or there’s processing of sensitive data on a large scale.
Again, the launch of a dating product on a platform such as Facebook — which has hundreds of millions of regional users — would be a clear-cut case for such an assessment to be carried out ahead of any launch.
Europe’s new trade commissioner arrived in Washington on Monday on a mission to prevent the Trump administration from ruining the European economy.
But with trans-Atlantic relations already at a low point, Phil Hogan, a blunt-talking, physically imposing Irishman, will probably do well if he can simply prevent things from going any further downhill.
As Mr. Hogan begins a four-day visit, his first as trade commissioner, the list of reasons for the United States and Europe to be angry at each other is long and getting longer.
Punishing tariffs on European steel and aluminum remain in place. The administration continues to dangle the threat of duties on European cars, which would be economically devastating for the Continent. Europeans are deeply alarmed by what they regard as the president’s recklessness in the Middle East.
“The current state of E.U.-U.S. relations isn’t good and I don’t think it’s likely to get better anytime soon,” said Peter Chase, senior fellow at the German Marshall Fund of the United States in Brussels.
Mr. Hogan brings a different set of skills than Cecilia Malmstrom, whom he succeeded as the European Union’s top trade official at the beginning of December. Some in Brussels think his rawer style will make him a better match for the current occupant of the White House.
Mr. Hogan recently said, for example, that by leaving the European Union, the British people were trading in a Rolls-Royce for a used sedan. The statement was seen as particularly cheeky coming from an Irishman who will also be responsible for negotiating a trade deal with Britain as part of its withdrawal from the European Union, a herculean task.
“He is more direct,” said Luisa Santos, the director for international relations at BusinessEurope, an industry group. Gender may also play a role, Ms. Santos said. There is a widespread perception in Washington and Brussels that Trump officials were not comfortable with Ms. Malmstrom, an assertive Swede.
“The fact that he is a man” works in Mr. Hogan’s favor, Ms. Santos said. “He is probably the right person for this moment.”
But it’s unclear whether Mr. Hogan, who declined requests for an interview, will have any more success than Ms. Malmstrom at repairing the largest trade partnership in the world, worth $1 trillion a year.
His agenda includes meetings with Robert Lighthizer, the United States trade representative; Steven Mnuchin, the Treasury secretary; and Wilbur Ross, the secretary of commerce. To varying degrees, all support the president’s hard line on trade relations.
A 6-foot-5 former farmer from Kilkenny in southern Ireland, Mr. Hogan spent much of his political career in the trenches of Irish domestic politics, helping to build the centrist Fine Gael party into Ireland’s strongest bloc. He was Fine Gael’s director of organization in the early 2000s, and later head of the party’s national election campaign.
“Phil knew every candidate, he knew every constituency,” said Ciaran Conlon, a former Fine Gael spokesman who is now director of public policy for Microsoft in Ireland.
Mr. Hogan’s feel for retail politics served him well, Mr. Conlon said, when he later became the European commissioner responsible for agriculture, the job he held until December.
Mr. Hogan organized town meetings with farmers around Europe, and attended funerals of prominent farm leaders. His approach helped to combat the European Commission’s reputation for aloofness.
“Politics is about personal relationships and Phil understands that,” Mr. Conlon said.
As agriculture commissioner, Mr. Hogan was often involved in trade talks, and gained a reputation for being canny and well prepared. Farm products are typically the most politically sensitive component of trade deals. A plan to reach a more comprehensive trans-Atlantic trade deal early on in Mr. Trump’s tenure fell apart over disagreements about how to address agriculture.
“He’s a very, very good negotiator,” said Sorin Moisa, a former member of the European Parliament from Romania and former European trade official.
Ms. Malmstrom managed to prevent the president from carrying through on a threat to penalize European car imports, which would be devastating for the Continent’s economy.
But little remains of the optimism that followed a meeting in July 2018 between Mr. Trump and Jean-Claude Juncker, then the president of the European Commission.
The two men said they would work to reduce tariffs to zero and eliminate regulations that hinder trans-Atlantic trade. The European Union and the United States are each other’s largest trading partners, and there is general agreement that both sides would benefit from lower trade barriers.
Progress has been modest at best. In July, they agreed to recognize each other’s inspections of factories that produce pharmaceuticals. The agreement eliminates the need for duplicate inspections and should cut the cost of drug production.
But in most other ways, the relationship has only turned more sour.
The Europeans accuse the United States of crippling the World Trade Organization by blocking appointments of new members to a crucial panel that hears appeals in trade disputes. The panel effectively ceased to function in December when several members’ terms expired.
Without a system to enforce trade rules, Mr. Hogan told members of the European Parliament last year, “Well, then, there isn’t any point in having agreements.”
“We have asked the U.S. to engage with us and they have refused to do so,” he said.
As the norms that have governed world trade crumble, countries are responding to disputes with tit-for-tat retaliation and displays of power.
After France said it would impose a so-called digital tax on technology companies — a measure clearly aimed at Silicon Valley — the United States threatened 100 percent tariffs on French wine, handbags, cookware and other products.
“When sides take unilateral actions that harm the other side, that are inconsistent with international norms, the other side has a right to be angry,” said Clete Willems, a partner at the law firm Akin Gump who was an economic adviser in the White House until last year. “That’s where we are with the E.U. now.”
There is plenty of ire to go around. The Europeans are angry at the United States for imposing sanctions on companies helping to build the Nord Stream 2 gas pipeline between Russia and Germany.
Both sides are mad about what they say are illegal subsidies to their flagship aircraft manufacturers. The United States is putting $7.5 billion in tariffs on European products in retaliation for illegal aid to Airbus, and the Europeans are expected to retaliate in kind for what they say are illegal subsidies to Boeing.
Mr. Hogan will try to convince his American counterparts that Europe and the United States should work together to rein in China, in part by fixing the W. T.O. He also plans meetings on Capitol Hill, where his Irish-ness is likely to play well.
Nobody is expecting a major breakthrough, but there is some hope that the trip could signal the start of a gradual improvement in the trade relationship.
“I don’t think either side wants this to go back into a deep hole again and spiral into negativity,” said Susan Danger, chief executive of the American Chamber of Commerce to the European Union. “Both sides want to kick off in a positive way.”