Bloomberg Law
Aug. 18, 2020, 5:21 PM

Facebook, Google Data Sent From EU Violates Privacy, Group Says

Daniel R. Stoller
Daniel R. Stoller
Senior Legal Editor

Companies that send data from the European Union to Facebook Inc. and Alphabet Inc.‘s Google violate the bloc’s privacy law because the information is subject to U.S. surveillance, privacy advocates alleged.

None of Your Business, a group set up by Austrian activist Max Schrems, filed more than 100 complaints with EU privacy offices alleging that companies, including Airbnb Inc. and Sephora SAS, violate the General Data Protection Regulation (GDPR).

The group cites the the EU Court of Justice’s July 16 decision to allege that the companies lack a legal basis to transfer data. The decision invalidated the EU-U.S. Privacy Shield mechanism for moving information and also placed restrictions on the use of standard contractual clauses to transfer data.

The complaints show the legal scrutiny companies face for transferring data from the EU to the U.S. without a successor plan to Privacy Shield that alleviates concerns about American surveillance practices.

Facebook declined to comment: “We don’t comment on individual cases,” a spokesperson said. A Google spokesperson didn’t immediately comment. Representatives for Airbnb and Sephora didn’t immediately respond to requests for comment.

The EU court invalidated the Privacy Shield because of American surveillance concerns and because of what it saw as insufficient data protections for EU subjects. The over 5,000 companies that relied on the program, including Facebook and Google, were left scrambling to figure out how to transfer their data.

The EU’s top court in its July decision also made transferring data through standard clauses harder by requiring case-by-case assessments on how U.S. laws might limit European residents’ privacy protections.

Companies like Facebook and Google that use standard contractual clauses (SCCs) are also in violation of the GDPR, according to the Schrems group. The EU court “was explicit that you cannot use the SCCs when the recipient in the U.S. falls under these mass surveillance laws,” Schrems said.

“Under the SCCs the US data importer would instead have to inform the EU data sender of” the U.S. surveillance laws “and warn them,” Schrems said. “If this is not done, then these US companies are actually liable for any financial damage caused,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: John Hughes at; Keith Perine at