National authorities clearly have a lot of work to do with regard to the General Data Protection Regulation (GDPR). At the same time that the Irish Data Protection Commission is struggling to close the cross-border Twitter case, Austrian lawyer Max Schrems has accused Google and Facebook of continuing to transfer personal data to the US illegally despite a ruling from the Court of Justice of the European Union.
The European Consumer Organisation (BEUC) stated in a recent position paper on the GDPR that “the lack of harmonised binding administrative procedures to deal with cross-border complaints and the slow pace of proceedings have a negative impact on the protection of millions of consumers across Europe”.
Twitter case referred to the EDPS
The Irish Data Protection Commission (DPC) is currently working on around 20 cases involving tech giants such as Apple, LinkedIn and Facebook. The Commission was planning to close its first cross-border case as a lead partner at the beginning of the year. The question in this instance is whether Twitter notified the regulator within the required timeframe once the bug in its app - which made a series of private messages public - was detected.
However, a news item published by Reuters on 20 August highlighted disagreements with the other national regulators involved in the case, which was opened in November 2018. Graham Doyle, Deputy Commissioner at the Irish DPC, acknowledged that “a number of objections were raised by CSAs” but did not specify whether these objections relate to the substance or the amount of the fine.
In accordance with Article 65 of the General Data Protection Regulation, the case was therefore referred to the European Data Protection Board (EDPB), which now has one month to reach a two-thirds majority. If it is unable to reach the required majority, the EDPB may make its decision based on a simple majority and, if this still does not produce a result, the Board’s Chair will make the decision.
Max Schrems again battling against transfer of data to the US
Another example relates to the transfer of personal data between the EU and the US, following the ruling of the Court of Justice of the European Union that invalidates the Privacy Shield (see EUROPE 12529/2 and 12536/9). Austrian lawyer Max Schrems and his organisation NOYB reported in mid-August that they had filed a complaint against 101 companies in 30 EU and European Economic Area (EEA) countries on the grounds that they continue to send data about every visitor to Google and Facebook (using Google Analytics and Facebook Connect). The organisation has also filed a complaint in the United States against Google and Facebook, as they continue to accept the data transfers.
NOYB’s statement said that “while we understand that some things may need some time to rearrange, it is unacceptable that some players seem to simply ignore Europe’s top court. This is also unfair towards competitors that comply with these rules”, suggesting that the organisation intends to gradually introduce a tougher stance. (Original version in French by Sophie Petitjean)