With his NGO “NOYB” (short for “None of Your Business”), data protection activist Max Schrems has Complaint against 101 companies collected from the EEA. The companies concerned were still using Google Analytics or Facebook Connect on their websites. Max Schrems considers a transfer of personal data to recipients outside of the EEA through these services, according to the lawsuit filed by his Judgment Schrems II of the ECJ for inadmissible.
With Judgment from 16 July 2020 the ECJ declared the EU-US Privacy Shield invalid with immediate effect. The ECJ based its decision essentially on the access possibilities of U.S. intelligence services to the data of EU citizens transferred under the Privacy Shield. The standard contractual clauses, which also provide a legal basis for transatlantic data transfers under the European General Data Protection Regulation, are still considered valid by the ECJ. However, when they are used, there is an obligation – depending on the risk assessment – to supplement them with additional contractual clauses to ensure an appropriate level of data protection. In this respect, the standard contractual clauses are no longer necessarily a standard.
NYOB reports Google is still relying on the Privacy Shield. Facebook does use standard contractual clauses, but without sufficiently strengthening them against access under U.S. security laws, in line with the ECJ ruling. Last However, Google announcedThe company also intends to use standard contractual clauses in the future.
To the companies, against which there is now a complaintThese include large companies such as Airbnb, Decathlon and Coop. But the complaints will probably not be enough. According to its own statement, NYOB wants to gradually increase the pressure on “big players”.