with No Comments


Last month, Privacy News Online discussed another major win for the privacy activist Max Schrems. The Court of Justice of the European Union (CJEU), the EU’s top court, agreed with Schrems that the United States Privacy Shield framework, approved by the US and the EU a couple of years ago, one of the two main ways of sending personal data about EU citizens across the Atlantic for processing and storing, was invalid. The court also ruled that the other main method of transferring data, standard contractual clauses (SCCs), a 25 page agreement promulgated by the EU, could only be used where there was no risk that EU citizens’ personal data might be compromised once in the US.

Such judgments are important, but have little value if they are not enforced. To that end Schrems and his NOYB organization have announced that they have filed 101 GDPR complaints in 30 European countries, alleging that companies are not complying with the CJEU ruling:

“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) – despite both companies clearly falling under US surveillance laws, such as FISA. Neither Facebook nor Google seem to have a legal basis for the data transfers. Google stills claims to rely on the “Privacy Shield” a month after it was invalidated, while Facebook continues the to use the “SCCs”, despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”

The complaints are against Google, Facebook, and major Web sites in European countries that use Google Analytics or Facebook Connect to track visitors to their sites. These systems send data about EU citizens to Google and Facebook, which then forward data to the US, thus contravening the GDPR in the light of last month’s CJEU ruling. The data protection authorities in EU countries now have a “duty to act”. That is, it is not optional whether they pursue companies that are violating the GDPR: the court says they must. That’s a crucial change from the present situation, where the authorities in some countries have decided to let things carry on despite evident GDPR infringements. In his latest legal action, Schrems has said that he will be putting pressure not just on companies, but also directly on the national data protection authorities that fail to act: “We will gradually take steps against controllers and processors that violate the GDPR and against authorities that do not enforce the Court’s ruling, like the Irish [Data Protection Commission] that stays dormant.”

This is a major escalation of NOYB’s fight to protect the personal data of EU citizens, but it is not the only one. One of the most problematic aspects of today’s online world is the use of real-time bidding for ad space on Web sites. During the few milliseconds that it takes for a Web page to load, information about the person who will view the page and its ads is sent to multiple advertisers or their agents so that they can calculate how much to bid in the automated real-time auction for the ad space on that page. That personal information is sent to tens, possibly hundreds of companies, without explicit permission, something that the GDPR forbids.

If successful, The Privacy Collective believes the compensation could be around 500 euros (about $600) per person. Anyone who has been the subject of tracking cookies and resident in the jurisdiction where the claims are being filed – essentially everyone who uses the Internet there – will be eligible to claim. The first two cases are being brought against Oracle and Salesforce, filed respectively in the UK and the Netherlands.


If you have any questions about this memo, please contact Christopher L. Rasmussen, Managing Partner, Inventus Law, PC., at chris@inventuslaw.com or Abhilipsa Panda, Commercial Law Clerk, Inventus Law, PC., at abhilipsa@inventuslaw.com.

Disclaimer: The information on this page is being provided for information purposes only and is drafted entirely on the basis of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent attorney licensed to practice in your jurisdiction for your particular business.


2024 Inventus Law. All rights reserved. | Website Designed By Blue Astral