Solve Schrems II

Through pseudonymisation on European servers, you can keep using U.S. third-party vendors.

Privacy for humanity

With the introduction of the General Data Protection Regulation (GDPR), the EU strengthened and formalized its position on data privacy and protection. The GDPR emphasizes that the right to the protection of personal data is a fundamental human right and the processing of personal data should be designed to serve this right.

Surveillance for national security

The U.S. places stronger emphasis on national security than on the individual’s right to privacy. Through FISA and the CLOUD Act, national security agencies can access data stored by American companies regardless of where in the world the servers are located. Edward Snowden is often associated with the revelation of these practices.

Fall of Privacy Shield confirms insufficient level of personal data protection in the U.S.

In July 2020, the CJEU annulled the Privacy Shield, the protection mechanism enabling data transfers between the EU and the U.S. It found that EU controllers must assess the risk of personal data transfers to the U.S. and that Standard Contractual Clauses may be a legitimate mechanism to transfer data to the U.S. if additional safeguards are in place to protect data from access by U.S. national security authorities.

Companies ignore regulatory changes. To set an example, Max Schrems sues 101 of them.

A month after the fall of the Privacy Shield, companies had changed nothing in their marketing stacks. American tools like Facebook and Google products were (and still are) implemented as before, relying on outdated data transfer mechanisms. To challenge this willful inertia, Max Schrems sues 101 companies for these illegal practices.

Google Analytics found non-compliant in Austria.

On 13.1.2022, the Austrian DPA published its decision concerning the compliance of the standard client-side Google Analytics implementation. IP addresses and other personal identifiers were transmitted to Google servers based on the standard Google SCCs. Even with the alleged ‘IP anonymisation’, these measures were found insufficient to protect personal data from the possibility of access by the U.S. secret service agencies.

Domino effect: European DPAs follow suit with recommendations/judgements.

In addition to the Dutch and Danish DPAs, the Norwegian DPA also recommends (no decision yet) that companies start looking for alternatives to the default client-side Google Analytics implementation. It adds: “We know that there will also be more decisions about Google Analytics from other European data regulators.”
UPDATE: As predicted, CNIL comes to a similar decision in France and requires companies to find a solution within 30 days.

International data transfer – GA is the first tool but others are impacted as well.

In the Austrian GA case the tool was found non-compliant because personal data was sent to the U.S. and was processed/stored on the servers of an American company – not because the DPA didn’t like the design and color. It is critical to understand that while there is no judgment for other tools yet, they are impacted as well and need a solution.

More information

News

Denmark: Google Analytics declared unlawful

Google Analytics can no longer be used in a legally compliant manner without further measures. With its decision, Denmark's agency joins other data protection authorities in Europe.

Blog

The Founder Story of JENTIS

Looking back at the founding of a company

Blog

International data transfers

What you need to know about international data transfers under the GDPR