Google and Apple report increase in user data requests from U.S. government, new German law imposes steep fines on social media companies, EU-US data transfer case referred to EU high court

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

Google and Apple report jump in U.S. government requests for user data

U.S. Department of Justice (Image via Wikipedia, licensed CC BY-SA 3.0)

Google and Apple both report a significant increase in U.S. government requests to hand over user information, according to the companies’ latest transparency reports covering a six-month period from January to June 2017. Apple reported an increase in U.S. government requests for user information, affecting 6,407 accounts, a 62 percent increase compared to the previous six-month period. Google reported that requests from U.S. government authorities for user data affected more than 33,000 accounts, a 23 percent increase. Both companies also reported an increase in government requests worldwide.

Internet and telecommunication companies often receive requests from governments to restrict content and to hand over user information. As noted in the Index, companies should publish information about their process for handling such requests, as well as the number of they receive and comply with. Companies should also disclose that they push back on overly broad requests so that the public can make informed decisions about potential freedom of expression and privacy risks associated with products and services they use. In the 2017 Corporate Accountability Index, although 15 of the 22 companies evaluated published some information on their processes for responding to government requests for user information, only 11 published any data about these requests.

New German law imposes steep fines on social media companies

Social media companies can be fined up to €50 million for not removing hate speech quickly enough, according to a new German hate speech law that came into force this month. The law, known as “NetzDG,” gives companies in some cases just 24 hours to remove the content or face enormous financial penalties. The OSCE Representative on Freedom of the Media, Harlem Désir, cautioned that “the scope of the law remains overly broad and its effect could be excessively restrictive on freedom of expression.” Civil society groups also have criticized the law, warning that companies would be incentivized to remove content, which would have a chilling effect on freedom of expression.

As noted in the 2017 Corporate Accountability Index, companies are not transparent enough about how they respond when governments and other third parties ask them to block, delete, or otherwise restrict content or users’ accounts, and disclose even less about such restrictions on content that violates the company’s own rules.

EU-US Facebook data transfer case referred to EU high court

A case over whether Facebook can continue to send information collected about its European users to the U.S. has been referred to the Court of Justice of the European Union (CJEU). The legal complaint against Facebook was brought by an Austrian privacy activist, Max Schrems. In 2015, a previous complaint brought by Schrems regarding Facebook’s EU-U.S. data transfer policies led the European Court of Justice to invalidate the “safe harbor” agreement that, at the time, allowed for EU-U.S. data transfers.

The current case challenges Facebook’s use of standard contractual clauses (SCCs) to transfer user information from the EU to the U.S. However, Schrems says the use of such SCCs fails to adequately protect European users’ personal data, largely due to U.S. mass surveillance programs. According to Reuters, the ruling could impact thousands of companies using such legal mechanisms to transfer personal data outside the EU.

As noted in the 2017 Corporate Accountability Index, companies do not tell users enough about how their information is collected, shared, used, and retained. Companies should provide users with a more comprehensive picture of the lifecycle of their personal information, and governments should also develop effective data protection regimes and privacy regulations to ensure user privacy is adequately safeguarded. Additionally, companies should demonstrate that they have clear mechanisms in place for people to file grievances and receive remedy if their human rights have been violated in relation to the company’s business. Companies should also ensure that users have a way of learning about these mechanisms.

Leave a Reply