US firms ignoring EU court ruling on data, Schrems warns

On Thursday (3 September), Schrems told the European Parliament big US electronic service providers will continue to harvest the data of EU citizens, despite the July ruling by the European Court of Justice.

"What is especially concerning in this context is these statements from the US industry," he told MEPs in the civil liberties committee via video-link.

"I was in on a couple of calls in the last couple of weeks, all of them were confidential, but basically the feedback is that we [US industry] are simply going to ignore what the Court of Justice has said," said Schrems.

"We got a letter from Facebook itself that says it will continue to transfer the data despite the second judgement saying they can't do that, so I think that is concerning."

He added the US firms do not believe European data authorities will do anything about it - highlighting issues with Ireland's data protection commission in its dealings with Facebook.

EU authorities have yet to impose any real fines since the launch of the EU's data protection regulation (GDPR) in 2018, despite numerous violations.

The lack of enforcement riled Dutch liberal MEP Sophie in't Veld, who said Schrems had done more to defend citizen rights "than all the supervisors put together."

US surveillance or EU rights

The court had over the summer scrapped Privacy Shield, the EU-US data-transfer pact. The self-certifying agreement was meant to ensure that European protection standards continue once citizens' data is transferred to the United States.

But a US surveillance law, known as FISA 702, up-ended those protections, which are a fundamental right in the European Union.

The European Commission had been warned about US surveillance for years, relying on written assurances from the US that the bulk collection of people's data would not be carried out.

The court had also declared that other legal data transfer methods, like standard contractual clauses (SCCs), remained valid.

Such clauses also fall outside the scope of FISA, are generally used by small companies, and pale in the amount of data transferred when compared to Privacy Shield.

The European Commission is now scrambling to get a new deal sorted, but is faced with a history of promises on data protection that have failed to deliver.

In 2015, the EU court invalidated their previous data transfer pact with the US, named Safe Harbour.

The commission then negotiated Privacy Shield as its replacement but that then met the same fate this summer.

Didier Reynders, the EU commissioner in charge of putting a new deal together, conceded that the US may have to change its own laws on surveillance for a new deal to work.

"It may be a necessity to have legislative changes," he said, noting that any such proposals would delay any future new framework.

Reynders had - during his presentation at the same parliament event on Thursday - insisted on reforming standard contractual clauses.

"We intend to launch the adoption process of the clause in the coming months and I hope finalise it by the end of this year," he said.

Meanwhile, the European Data Protection Board has promised to issue more recommendations to help companies figure out what to do in the wake of the court's July ruling.

The board is tasked to ensure the consistent application of data protection law across the EU, but has since received over 100 complaints over the lack of European enforcement.

The complaints were filed from Schrems and his team at the non-profit Noyb.

"Yesterday [2 September], the European Data Protection Board created a task force to look into the complaints," announced the board's chair, Andrea Jelinek.