THE EUROPEAN UNION PERSPECTIVE
Privacy for humanity
With the introduction of the General Data Protection Regulation (GDPR), the EU strengthened and formalized its position on data privacy and protection. The GDPR emphasizes that the right to the protection of personal data is a fundamental human right and the processing of personal data should be designed to serve this right.
THE AMERICAN PERSPECTIVE
Surveillance for national security
The U.S. places a stronger emphasis on national security than on the individual’s right to privacy. Through FISA and the CLOUD Act, national security agencies can access data stored by American companies regardless of where in the world the servers are located. Edward Snowden is often associated with the revelation of these practices.
PRIVACY 1 : SURVEILLANCE 0
Fall of Privacy Shield confirms insufficient level of personal data protection in the U.S.
In July 2020, the CJEU annulled the Privacy Shield, the protection mechanism enabling data transfers between the EU and the U.S. It found that EU controllers must assess the risk of personal data transfers to the U.S. and that Standard Contractual Clauses may be a legitimate mechanism to transfer data to the U.S. if additional safeguards are in place to protect data from access by U.S. national security authorities.
MAX SCHREMS VS 101 COMPANIES
Companies ignore regulatory changes. Max Schrems sues 101 of them to set an example.
A month after the fall of the Privacy Shield, companies had changed nothing in their marketing stacks. American tools like Facebook and Google products were (and still are) implemented as before, relying on outdated data transfer mechanisms. To challenge this willful inertia, Max Schrems sues 101 companies for these illegal practices.
PRIVACY 2 : SURVEILLANCE 0
Google Analytics found non-compliant in Austria.
On 13.1.2022, the Austrian DPA published its decision concerning the compliance of the standard client-side Google Analytics implementation. IP addresses and other personal identifiers were transmitted to Google servers based on the standard Google SCCs. Even with the alleged 'IP anonymisation', these measures were found to be insufficient to protect personal data from the possibility of access by the U.S. secret service agencies.
MORE PRIVACY INCOMING
Domino effect: European DPAs follow suit with recommendations/judgements.
In addition to the Dutch and Danish DPAs, the Norwegian DPA also recommends (no decision yet) that companies start looking for alternatives to the default client-side Google Analytics implementation. They add: “We know that there will also be more decisions about Google Analytics from other European data regulators.”
UPDATE: As predicted, CNIL comes to a similar decision in France and requires the company to find a solution within 30 days.
UNDERSTANDING THE REAL PROBLEM
International data transfer - GA is the first tool but others are impacted as well.
In the Austrian GA case the tool was found non-compliant because personal data was sent to the U.S. and was processed/stored on the servers of an American company - not because the DPA didn’t like the design and color. It is critical to understand that while there is no judgment for other tools yet, they are impacted as well and need a solution.
PRIVACY HERE TO STAY
The elephant in the room: how to adapt to privacy regulations?
The answer is, as always: it depends. There are two potential solutions to the problem. One way to solve the problem of international data transfers is through a mechanism that would allow you to keep using existing tools. Another way could be to avoid international data transfers altogether by removing such tools or replacing non-EU tools with European vendors (if possible).
SERVER-SIDE TRACKING FOR THE WIN
Take control of your data with server-side tracking. From Europe, for Europe.
For us, all trends in online marketing, like first-party data, the end of third-party cookies, compliance, tracking prevention, etc., point to the same solution: Be in control of your data collection - and only then forward data deliberately. That’s why we developed a fully European server-side tracking system.
BUILDING THE RIGHT FOUNDATION
For the best possible compliance, your setup is hosted in the right cloud.
As described above, FISA and the CLOUD Act make hosting a very sensitive topic. That’s why, relying on our legal and technical experts, we optimized our cloud setup. We are proud to be able to host our SaaS with partners like Exoscale. At the same time, we ensure that performance, scalability and reliability are always maintained.
THE REAL KEY
Pseudonymise personal data for international data transfer.
For us, “solving” international data transfers is the most resilient way into the future. Our infrastructure and data collection are one essential part of the equation. The second part is the technical possibility to pseudonymise each data field with the click of a button. This way, you can define the rules for international data transfers together with your compliance team - be in control.