Solve Schrems II

Through pseudonymisation on European servers you can keep using U.S. third-party vendors.

Privacy for humanity

With the introduction of the General Data Protection Regulation (GDPR), the EU strengthened and formalized its position on data privacy and protection. The GDPR emphasizes that the right to the protection of personal data is a fundamental human right and the processing of personal data should be designed to serve this right.

Surveillance for national security

The U.S. places stronger emphasis on national security than on the individual's right to privacy. Through FISA and the CLOUD Act, national security agencies can access data stored by American companies regardless of where in the world the servers are located. Edward Snowden is often associated with the revelation of these practices.

Fall of Privacy Shield confirms insufficient level of personal data protection in the U.S.

In July 2020, the CJEU annulled the Privacy Shield, the protection mechanism that had enabled data transfers between the EU and the U.S. It found that EU controllers must assess the risk of personal data transfers to the U.S., and that Standard Contractual Clauses may be a legitimate mechanism for transferring data to the U.S. only if additional safeguards are in place to protect the data from access by U.S. national security authorities.

Companies ignore regulatory changes. Max Schrems sues 101 of them to set an example.

A month after the fall of the Privacy Shield, companies had changed nothing in their marketing stacks. American tools like Facebook and Google products were (and still are) implemented as before, relying on outdated data transfer mechanisms. To challenge this willful inertia, Max Schrems sued 101 companies for these illegal practices.

Google Analytics found non-compliant in Austria.

On 13 January 2022, the Austrian DPA published its decision on the compliance of the standard client-side Google Analytics implementation. IP addresses and other personal identifiers were transmitted to Google servers on the basis of the standard Google SCCs, and even with the alleged 'IP anonymisation' these measures were found insufficient to protect personal data from possible access by U.S. intelligence agencies.

Domino effect: European DPAs follow suit with recommendations/judgements.

In addition to the Dutch and Danish DPAs, the Norwegian DPA also recommends (no decision yet) that companies start looking for alternatives to the default client-side Google Analytics implementation. They add: "We know that there will also be more decisions about Google Analytics from other European data regulators."

UPDATE: As predicted, CNIL has come to a similar decision in France and requires the company concerned to find a solution within 30 days.

International data transfer – GA is the first tool, but others are impacted as well.

In the Austrian GA case the tool was found non-compliant because personal data was sent to the U.S. and processed/stored on the servers of an American company – not because the DPA didn't like the design and color. It is critical to understand that, while there is no judgment on other tools yet, they are impacted in the same way and need a solution as well.
