A years-long saga over tech firms transferring data from Europe to the US re-erupted on Thursday, days after Austrian officials slapped down Google for failing to respect EU privacy rules.
Austrian data privacy group NYOB (none of your business) filed dozens of complaints across Europe in 2020 after an EU court decision struck down a deal with the US on transfer of data.
Last week, the group claimed its first victory when Austria’s Data Protection Authority ruled that the Google Analytics tool transferred users’ data to the US, where it could be subject to snooping by security agencies.
It was not clear what sanctions Google might face in Austria or how the ruling would affect companies that use Google Analytics. AFP has contacted the authority for comment.
Google responded on Wednesday with a blog post playing down the ruling and calling for the EU and US to quickly negotiate a new data transfer framework.
The blog provoked a furious response on Thursday from NYOB’s Max Schrems, an Austrian lawyer whose campaigning led to previous US-EU data agreements collapsing.
He wrote on Twitter that Google was engaging in “Bullshit PR” and accused the firm of swerving the question of US surveillance law reform.
“It’s not about @EU_Justice moving, it’s about the US legislators providing stable protections to customers of @Google, @Microsoft, @AWS, @Apple, @Meta, once their data is processed by US industry,” he wrote, suggesting that otherwise customers would take their business elsewhere.
The battle over privacy is part of a multi-layered series of spats between US tech giants and European authorities, which also covers tax issues, competition practices and hate speech.
– No ‘inflexible standard’ –
The current cases filed by NOYB relate to a ruling by the European Court of Justice (ECJ) in July 2020, which invalidated an EU-US deal over transfer of data across the Atlantic.
Judges ruled that the deal, known as Privacy Shield, failed to allow people in the EU remedies in the courts against US authorities.
The EU and US have held sporadic talks since in a bid to replace Privacy Shield, but have not yet agreed a deal.
The cases filed by NOYB say tech firms have not acted on the 2020 ruling, meaning they are failing to comply with GDPR, an EU-wide data protection regime.
“Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” Schrems said after the Austrian decision.
On Wednesday, Google’s head lawyer Kent Walker wrote that the Austrian ruling had envisaged the type of request from security agencies that was unlikely to ever happen.
And he said the 2020 court ruling “did not impose an inflexible standard under which the mere possibility of exposure of data to another government required stopping the global movement of data”.
Walker said business on both sides of the Atlantic wanted a quick deal to resolve the issue.
EU commission spokesman Christian Wigand said on Thursday talks had intensified in recent months but the issues at play were “complex” and negotiations “take some time”.