Privacy for humanity
With the introduction of the General Data Protection Regulation (GDPR), the EU strengthened and formalized its position on data privacy and protection. The GDPR emphasizes that the right to the protection of personal data is a fundamental human right and the processing of personal data should be designed to serve this right.
Surveillance for national security
The U.S. places stronger emphasis on national security than on individuals’ right to privacy. Through FISA and the CLOUD Act, national security agencies can access data stored by American companies regardless of where in the world the servers are located. Edward Snowden is often associated with the revelation of these practices.
Fall of Privacy Shield confirms insufficient level of personal data protection in the U.S.
In July 2020, the CJEU annulled the Privacy Shield, the protection mechanism enabling data transfers between the EU and the U.S. It found that EU controllers must assess the risk of personal data transfers to the U.S., and that Standard Contractual Clauses may be a legitimate mechanism to transfer data to the U.S. only if additional safeguards are in place to protect the data from access by U.S. national security authorities.
Companies ignore regulatory changes. Max Schrems sues 101 of them as an example.
A month after the fall of the Privacy Shield, companies had changed nothing in their marketing stacks. American tools like Facebook and Google products were (and still are) implemented as before, relying on outdated data transfer mechanisms. To challenge this willful inertia, Max Schrems sued 101 companies for these illegal practices.
Google Analytics found non-compliant in Austria.
On 13.1.2022, the Austrian DPA published its decision concerning the compliance of the standard client-side Google Analytics implementation. IP addresses and other personal identifiers were transmitted to Google servers on the basis of the standard Google SCCs, and even with the alleged ‘IP anonymisation’ these measures were found to be insufficient to protect personal data from possible access by U.S. intelligence agencies.
Domino effect: European DPAs follow suit with recommendations/judgements.
In addition to the Dutch and Danish DPAs, the Norwegian DPA also recommends (with no decision issued yet) that companies start looking for alternatives to the default client-side Google Analytics implementation. They add: “We know that there will also be more decisions about Google Analytics from other European data regulators.”
UPDATE: As predicted, the CNIL came to a similar decision in France and requires the company concerned to find a solution within 30 days.
International data transfer – GA is the first tool but others are impacted as well.
In the Austrian GA case the tool was found non-compliant because personal data was sent to the U.S. and processed/stored on the servers of an American company, not because the DPA didn’t like the design and color. It is critical to understand that while there is no judgment for other tools yet, they are affected in the same way and need a solution as well.
Update: In July 2023, the EU Commission approved the new EU-US Data Privacy Framework (DPF), removing many of the restrictions of Schrems II and making it much easier for organisations to transfer EU personal data to the US. However, the new framework will be challenged legally by NGOs (a possible “Schrems III”). Therefore some legal uncertainty will remain until the Court of Justice of the EU (CJEU) rules on the matter. The JENTIS Data Capture Platform enables future-proof GDPR-compliant tracking, regardless of the data privacy framework and potential challenges to it.