Austrian Privacy Group Accuses Google of ‘Unlawfully’ Transferring EU Data to US

This post was originally published on DP News

By Robert Bateman

Austrian authorities are looking into allegations that Google is unlawfully transferring data from the EU to the U.S., and some experts told Digital Privacy News that the investigation presented a fundamental issue for the company’s business model.

In a May 5 letter to Austria’s data-protection authority, the European Center for Digital Rights (None of Your Business — NOYB), headed by Austrian attorney and activist Max Schrems, alleged that Google broke strict EU rules made to protect Europeans’ data from interference by U.S. intelligence services.

“The Google case is certainly far-reaching,” said Magnus Westerlund, principal lecturer in information technology at Arcada University of Applied Sciences in Finland.

“If the courts find that Google will not comply with the GDPR (the EU’s General Data Protection Regulation) and the human right to privacy, it essentially defines the end to the platform model as we know it.”

Google did not respond to a request for comment from Digital Privacy News. The company denied the allegations in an April 10 letter addressing questions from the Austrian authority.

“Europe must step up the strategic leadership considerably and drive home the digital-sovereignty strategy if we are to have laws that challenge the status quo this clearly,” Westerlund told Digital Privacy News.

Targeting Google Analytics

The complaint takes aim at Google Analytics, a service used by more than 28 million websites, according to BuiltWith, which tracks software used on the internet.

NOYB’s claims follow last July’s landmark “Schrems II” decision, in which the Court of Justice of the European Union (CJEU) invalidated “Privacy Shield,” a mechanism enabling Google and other companies to freely transfer personal information from the EU to the U.S.

The court said the scheme did not prevent U.S. authorities from snooping on EU citizens under such laws as the Foreign Intelligence Surveillance Act (FISA).

Following the ruling, Google considered another data-transfer mechanism called “standard contractual clauses,” which remained lawful as long as exported data also was protected by any “supplementary measures” necessary to prevent intelligence agencies from getting at it.

‘Technical, Legal’ Measures

In its response to the Austrian complaint, Google says it takes “technical, legal and operational” supplementary measures to protect Google Analytics data.

However, NOYB’s Schrems told Digital Privacy News that, because of Google’s U.S. legal obligations and the nature of its services, no mechanism could allow Google to lawfully transfer personal data from the EU to the U.S.

“In short: We do not know of any ‘supplementary measure’ that would help here,” he said.

Schrems pointed to the European Data Protection Board (EDPB)’s recommendations on data transfers, drawn up last November in the aftermath of the Schrems II judgment.

The EDPB suggested that certain companies could rely on standard contractual clauses to facilitate data transfers, either because they were not covered by state surveillance laws or because they could take supplementary measures to protect the data.

But the board also said that no suitable supplementary measures were available for certain non-EU companies whose services involved processing unencrypted data, which Schrems said included Google.

“For FISA companies, I do not know of any solution that works for ‘live’ data,” he told Digital Privacy News. “Supplementary measures are a very exceptional situation.”

A judgment against Google could result in a fine of up to $7.3 billion — 4% of company revenues — and it would have profound implications for most other U.S. businesses operating in Europe.

“Consider what this means for mobile phones,” Arcada University’s Westerlund said. “Google’s Android and Apple’s iPhone depend on collecting data about customers and storing this as processable data in any of the data centers.”

Possible Options

Ian Brown, visiting professor at FGV Law School in Rio de Janeiro, proffered two possible solutions to the problem of EU-U.S. data transfers.

In the long term, Brown said democracies should agree on human-rights-compliant standards for access to personal data by intelligence services.

Discussions are underway between the U.S. and EU to find an alternative to the invalidated Privacy Shield framework, according to a joint statement in March from the European Commission.

But the more immediate solution for Google, Brown suggested, could be creating “EU-only data centers” and offering “guarantees that it will not process EU data outside the EU or give access to the American owner.”

Brown called it “ludicrous” to suggest that localizing data-processing operations in Europe would be operationally impossible for Big Tech firms such as Google.

“The EU is the richest single market in the world, with some of the world’s most-valuable companies,” he told Digital Privacy News. “I don’t believe it’s nearly as hard as they make out.”

Robert Bateman is a writer in Brighton, U.K.

