Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights.

Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights, for data transfers which violate the GDPR. 


Complaints were filed against Google and Facebook in several EU countries for an alleged violation of the GDPR. As a result, the European Center for Digital Rights (noyb) has launched a series of investigations into allegations against data giants Facebook and Google, as they appear to be infringing on the digital rights outlined by the EU Charter of Fundamental Rights. noyb postulates that, despite previous court rulings from the CJEU, the information moguls have not ceased using and processing EU data on US servers and, by extension, adhering to US surveillance protocols.


Investigations were launched after complaints against Google and Facebook were filed in all 30 EU and EEA member states.

Complaints were filed against Google and Facebook, as well as 101 European companies that still forward data about each visitor to Google and Facebook. In previous rulings, Google and Facebook were asked to stop using the Google Analytics and Facebook Connect features altogether where they pertained to EU citizens and data. However, it seems that despite these rulings, smaller states in the EU were unaware that the terms and conditions they were adhering to via the EULA from these companies were unconstitutional and in direct violation of the EU charter. These companies have not been giving express and explicit notice that the data collected is being processed in the US, and no consent is ever sought from the end user.

The onus is on respective DPAs to take action in addressing this issue, according to the GDPR.

The issue lies in the fact that the GDPR requires each member state’s individual Data Protection Authority to enforce and police these complaints in its respective territory. Enforcement can range from prohibition notices to serious penalties, including hefty fines. Due to a lack of information, noyb has made legal guidelines regarding this type of interaction free to all member states, and also encourages individual members to act more diligently when it comes to the enforcement of these protocols. The investigations and monitoring of these companies will continue, and complaints will continue to be filed as long as they keep using their current data processing protocols, which clearly break the terms dictated by European courts. More action is sure to be taken in the future, especially concerning mobilising certain DPAs such as the Data Protection center in Ireland, which is currently inactive.


Certain laws within the US create a challenge to the GDPR, and to companies which transfer data across borders.


Certain programmes enabling access by US public authorities to personal data transferred from the EU result in limitations on the protection of personal data which do not satisfy GDPR requirements. Laws such as FISA 702 or EO 12.333 are pieces of legislation under which these companies are liable to provide personal data of persons in the EU to the US government. This is deemed especially problematic because these companies are obligated to share information with the NSA, which is in direct conflict with the privacy and data rights of EU citizens.


Ireland’s Data Protection Commission has ordered Facebook to stop sending user data to the US.


The Wall Street Journal recently reported that the EU privacy regulator has sent Facebook a preliminary order to suspend all data transfers on its EU customers to the US. This preliminary order was sent late last month, as the DPC’s first significant step to enforce July’s ruling by the European Court of Justice. This ruling restricts how Facebook and other tech giants can send personal information of EU individuals to the US. Facebook would need to re-engineer its service to isolate data collected from EU users, or stop serving them at least temporarily, in order to comply with Ireland’s preliminary order. The company could face up to $2.8 billion (4% of annual revenue) in fines if it fails to comply with this order. Ireland’s DPC has given the company until mid-September to respond to the order, and informed Facebook of its intention to send a new draft of the order to the 26 privacy regulators in other EU countries for joint approval under a cooperation provision of the bloc’s privacy law.


Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.
