Last summer, the European Court of Justice (CJEU) ruled - already for the second time - that US surveillance laws generally make the transfer of personal data from the EU to the US illegal. Google continues to ignore this decision and now argues before the Austrian DSB (PDF) that it may continue to transfer data on millions of visitors of EU websites to the US - in blatant contradiction to the GDPR. The Austrian data protection authority (DSB) now has the option to fine Google up to €6 billion under the GDPR.

Submission by Google
Submission by noyb

noyb complaints against Google. After the so-called “Schrems II” ruling on 16.07.2020, Max Schrems’ organization noyb, filed 101 complaints against EU websites in August 2020 that continued to pass data on every visitor to Google and Facebook. All complaints are also directed against the US parent companies of Google and Facebook. As a result, the European Data Protection Authorities formed a “Task Force” in September 2020. The first one of these complaints could soon be decided by the Austrian Data Protection Authority (DPA) - and could lead to a massive fine against Google.

Google: “signs” and “fences” against US law. Google primarily argues that it uses “supplementary measures” that are supposed to help against NSA surveillance (see pages 23 to 26). However, none of the measures are new, nor somehow effective: Google even argues with signs and fences around data centers and average HTTPS encryption which is just a minimum standard even for small websites. That these measures have no impact on US surveillance laws is already evident in Google’s own “transparency report”: in 2019 alone, more than 201,000 requests under the US surveillance law “FISA” were answered by Google. More recent statistics are missing.

“Google has to hand over all data under US law. It’s grotesque that they argue to have fences and signs - US survillance laws are also applicable behind fences. Standard encryption doesn’t help either, as Google is required to hand over encryption keys too. In 2019 alone, they gave the US government data on foreigners more than 201,000 times.” – Max Schrems, Honorary Chairman of noyb.eu

noyb’s submission filed. The Austrian data protection authority has asked noyb to respond to Google’s opinion. In the statement of 36 pages, noyb elaborates on the obvious violation of the GDPR. The legal submissions of noyb (German, English Translation) were filed today.

“Google largely admits their GDPR violations and the evidence is overwhelming. The authority get this case on a silver platter.” – Max Schrems, Honorary Chairman of noyb.eu

Penalty of more than € 6 billion possible. Since the complaint targets Google LLC which operates separately from its European subsidiary (Google Ireland Ltd) any data protection authority in the EU can impose a penalty under the GDPR. In this specific case, the Austrian Data Protection Authority (DPA) can impose 4% of Google LLC’s global turnover - a record sum of just over €6 billion.

“It is a unique opportunity to do something for the protection of fundamental rights and for a county’s budget simultaneously. Under the GDPR, there is even an obligation for authorities to issue appropriate penalties and Google really fulfills every condition to make full use of the penalty range.” – Max Schrems, Honorary Chairman of noyb.eu

noyb’s submission also points out the legal instruments to enforce any ruling by the DSB throughout the EU and seize any assets of Google LLC also with third parties (like international banks).

Background: The CJEU has ruled in two cases (known as “Schrems I” and “Schrems II”) that EU data can no longer be stored with U.S. companies if they fall under U.S. surveillance laws (specifically 50 USC § 1881a, also known as “FISA”). Google indisputably falls under these US laws and the CJEU ruling. Large parts of the US industry however continues to ignore the clear case law to avoid costly upgraded to their systems.

  • Ephera
    link
    fedilink
    93 years ago

    I imagine they’re stalling for time. 6 billion is probably a small sum compared to their whole business being ripped in two halves.
    In the meantime, yet another questionable agreement will likelt be made between the EU and US, which has to be challenged separately again. That doesn’t undo the current law violation, they would (hopefully) still get fined for that, but it means they can continue operating like they currently do.

    • Sr Estegosaurio
      link
      fedilink
      23 years ago

      I hate that they can fine them with like 6B and they still doing the same bc that.

      • Ephera
        link
        fedilink
        33 years ago

        Well, if the law doesn’t change until the ruling is official (i.e. can’t be challenged at a higher court anymore), then that ruling is also a determination that Google is currently violating the law, which does mean they must stop doing that.

        If they continue anyways (and that is found to be the case in yet another court ruling), that’s a felony, which can lead to much higher fines or even bans.

        Please note that I’m not a lawyer, but the above at least makes sense to me.

        What doesn’t make sense to me, is whether there’s no protection against politicians passing the same illegal laws over and over again?
        I guess, we do theoretically have that thing called “democracy” and those politicians’ parties could be voted out, but yeah, it just feels like an every-day-occurence that politicians push extremely questionable laws and don’t get punished for it. And I’m talking nationally. Democracy on the EU-level is questionable anyways.