Amazon facing lawsuit in Germany

Amazon facing lawsuit in Germany, accused of breaking EU’s privacy laws.

Amazon facing lawsuit in Germany after being accused of breaking EU’s privacy laws against the EU-US Privacy Shield.

 

The global giant Amazon is currently facing a lawsuit and has been accused of breaking the privacy laws in Europe, according to this recent article from Politico. The company has been accused of using the infamous Privacy Shield despite its previous invalidation in Europe which has led to this lawsuit. The basis is that the Court of Justice of the European Union made clear that transferring data through the Privacy Shield was no longer allowed following July’s Schrems II judgment. This ruling invalidated the EU-US privacy shield. The reason for the invalidation was that the CJEU decided that shipping data outside of the EU put it at risk. According to the CJEU, US surveillance customs are more intrusive than they should be and go beyond what is acceptable for privacy. While Amazon understands that the Privacy Shield is invalid, it appears that they have continued to use this invalidated transfer mechanism.

Standard Contractual Clauses are still a viable option for companies needing to transfer data.

Standard Contractual Clauses (SCCs) are another option for the technological giants and are used by the likes of Google and Facebook. The difference is that exporting data from the EU using the SCC requires more supervision, and better ensures the safety of the data. While the SCC gives these companies an alternative, the clauses come with caveats, and are not entirely free of problems. Right now, the giant Facebook stands against the Irish data regulators regarding their use of the clauses.

EuGD takes legal action against Amazon.

EuGD (Europäische Gesellschaft für Datenschutz) decided to take action, putting forth the formal legal complaint that escalated the conflict. The recent article by Vincent Manancourt features a statement from Johann Hermann, the current head of EuGD, the group behind the legal complaint. “The [Court of Justice of the European Union] has made it clear that data transfers to the U.S. on the basis of the Privacy Shield are no longer permitted. If the world’s leading cloud company and largest e-commerce provider remains inactive for more than two months and ignores consumer rights, that is unacceptable,” said Mr Hermann, head of Europäische Gesellschaft für Datenschutz (EuGD). Moreover, the founder of EuGD, Thomas Bindl, said that taking the legal route was a decision made taking into consideration similar conflicts.

Despite the noise and controversy surrounding the conflict and impending lawsuit, it is still necessary to wait and see the developments in court. However, regardless of the result in the ruling, this will likely inspire greater vigilance and compliance on the part of companies who may also be transferring data out of Europe.

 

Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.

 

Recent preliminary ruling

Recent preliminary ruling from the Court of Justice of the European Union interprets net neutrality rules for the first time.

Recent preliminary ruling from the Court of Justice of the European Union, taken in relation to a decision against Telenor Telecommunications company, interprets net neutrality rules for the first time.

 

The CJEU issued their preliminary ruling after the Hungarian National Media and Communication Office found the ‘zero tariff’ packages offered by Telenor, an internet service provider, breached Article 3 (3) of Regulation 2015/2120 of the EU Parliament, with regard to the general obligation of equal and non-discriminatory treatment of traffic, or net neutrality as it is more commonly known.

 

Under the law, neither restrictions, nor special access can be applied on the basis of one’s internet package.

 

This ruling will prevent Telenor from providing these separated packages and all applications are to be treated equally under the law. Neither restrictions, nor special access can be granted or denied on the basis of one’s internet package. The CJEU deemed in its preliminary decision that to achieve this, the application of Article 3 (2) makes it so that these policies implemented by companies are subject to review by national authorities and courts to maintain net neutrality and lawful practice.

 

Data plan policies like these create unfair market advantages and also violate the rights of the end user. 

 

The unfair advantage of only certain apps being limited while others were considered ‘zero tariffs’ infringes on the open internet concept and skews the market share of internet applications towards the zero tariff applications. This affects the market significantly, as the repercussion of not using zero tariff applications results in higher expenditure on internet services or limited access to the internet. This is in clear violation of the rights of the ‘end user’ and the agreements and contracts constructed by the internet company would have to be restructured to be inclusive of all apps. 

 

Article 3 (3) states that the blocking or limiting of an app may be somewhat viable if a technical or objective reasoning behind the limitation can be provided, on the basis that it is done fairly. However, it was found that the choices made by Telenor were strictly on a commercial/financial basis, making it a clear violation of Article 3 (3).

 

The purpose of net neutrality is to eliminate unnecessary advantages being given to or taken away from companies or end users. 

 

These preliminary hearings are to be finalized by the national courts of Hungary despite the clauses being defined in the European Parliament. However, the decisions are more than likely to be based on the recommendations in accordance with Regulation 2015/2120 of the Parliament. Net neutrality seeks to make it so that there are no unnecessary advantages given to or taken away from companies or end users. To achieve this, the constant re-examination of companies such as Telenor Telecommunications is built into the legislation to provide the framework for constant and regulated change, and proper balance within the EU member states between consumer protection and economic/commercial freedom.

 

“Whereas zero rating does not result in the technological discrimination of traffic while the user has their data allowance available, the Court of the EU correctly pointed out that such discrimination might be exactly what happens after the allowance has been used up,” comments Dr Bostjan Makarovic, Aphaia Managing Partner.

 

Are you worried about the impact this ruling might have on your telecommunications business? Aphaia provides regulatory policy advice to some of the world’s top telecommunications providers. Aphaia also offers both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

 

Complaints against Google and Facebook

Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights.

Complaints against Google and Facebook lead to investigations by the European Center for Digital Rights, for data transfers which violate the GDPR. 

 

Complaints were filed against Google and Facebook in several EU countries for an alleged violation of the GDPR. As a result, the European Center for Digital Rights (noyb) has launched a series of investigations into allegations against data giants Facebook and Google, as they appear to be infringing on the digital rights outlined by the EU Charter of Fundamental Rights. It is postulated by noyb that, despite previous court rulings from the CJEU, the information moguls have not ceased in their use and processing of EU data on US servers, by extension adhering to US surveillance protocols.

 

Investigations were launched after complaints against Google and Facebook were filed in all 30 EU and EEA member states.

Complaints were filed against Google and Facebook, as well as 101 European companies that still forward data about each visitor to Google and Facebook. In previous rulings, Google and Facebook were asked to stop using the Google Analytics and Facebook Connect features altogether where it pertained to EU citizens and data. However, it seems that, despite these rulings, smaller states in the EU were unaware that the terms and conditions they were adhering to via the EULA from these companies were unconstitutional and in direct violation of the EU charter. These companies have not been giving express and explicit instructions that the data collected is being processed in the US, and no consent is ever sought from the end user.

The onus is on respective DPAs to take action in addressing this issue, according to the GDPR.

The issue lies in the fact that the GDPR requires each member state’s individual Data Protection Authority to enforce and to police these complaints in their respective territories. This can range from prohibition notices to serious penalties, including hefty fines. Due to a lack of information, noyb has made legal guidelines regarding this type of interaction free to all member states and also encourages individual members to act more diligently when it comes to the enforcement of these protocols. The investigations and monitoring of these companies will continue, and complaints will continue to be filed, as long as they keep using their current data processing protocols, which clearly break the terms dictated by European courts. More action is sure to be taken in the future, especially concerning mobilising certain DPAs such as the Data Protection center in Ireland, which is currently inactive.

 

Certain laws within the US create a challenge to the GDPR, and to companies which transfer data across borders.

 

Certain programmes enabling access by US public authorities to personal data transferred from the EU result in limitations on the protection of personal data which do not satisfy GDPR requirements. Laws such as the FISA 702 or EO 12.333 are pieces of legislation which hold these companies liable to provide personal data of persons in the EU to the US government. This is deemed as especially problematic due to the fact that these companies are obligated to share information with the NSA which is a direct conflict of interest regarding the privacy and data rights of EU citizens. 

 

Ireland’s Data Protection Commission has ordered Facebook to stop sending user data to the US.

 

The Wall Street Journal recently reported that the EU privacy regulator has sent Facebook a preliminary order to suspend all data transfers on its EU customers to the US. This preliminary order was sent late last month, as the DPC’s first significant step to enforce July’s ruling by the European Court of Justice. This ruling restricts how Facebook and other tech giants can send personal information of EU individuals to the US. Facebook would need to re-engineer its service to isolate data collected from EU users, or stop serving them at least temporarily, in order to comply with Ireland’s preliminary order. The company could face up to $2.8 billion (4% of annual revenue) in fines if it fails to comply with this order. Ireland’s DPC has given the company until mid-September to respond to the order, and informed Facebook of its intention to send a new draft of the order to the 26 privacy regulators in other EU countries for joint approval under a cooperation provision of the bloc’s privacy law.

 


Regulatory case law, September 2015: atmospheric pollution and reimbursement of government licences

In September the European Court of Justice ruled on refusal to grant reimbursement of the charges paid for government licences under subscription contracts for mobile telephony service, and the limitation of emissions of volatile organic compounds due to the use of organic solvents in certain activities and installations.