On the 16th July 2020, the EU Court of Justice invalidated the Privacy Shield mechanism allowing for adequate protection in the transfer of personal data between the European Union and the United States of America.

A month on and the subject is still very much in the spotlight, both among data protection experts and users of US digital solutions.

What are the key points to remember from this decision? What are the consequences on the compliance of your Analytics solution? What alternatives are available to minimise the risks?

Background information on the mechanisms for transferring personal data between the European Union and the United States

Over the last twenty years, US companies wishing to transfer personal data from the European Union have been able to take advantage of two certifications allowing them to operate without additional special conditions.

  • The Safe Harbor (2001 -2015): guidelines for the protection of personal data negotiated between the US Department of Commerce and the European Commission on the basis of Directive 95/46/EC of the 24th October 1995.
    These guidelines included: information to individuals, the possibility for the data subject to object to a transfer or use of the data for different purposes, explicit consent for sensitive data, or the right of access and amendment.
    This adequacy mechanism was invalidated by the Court of Justice of the European Union on the 6th October 2015.
  • The Privacy Shield (2016-2020): following the same approach as the Safe Harbor, and after new negotiations, the US Department of Commerce and the European Commission reached a new agreement that came into force on the 1st August 2016. American companies looking to use this mechanism had to renew their certification every year, a certification that was referenced on https://www.privacyshield.gov/welcome. This allowed European data controllers to rapidly check their processor’s compliance with the guidelines.

Since 16th July this year, this mechanism for ensuring a default level of adequacy between the European Union and the United States is therefore no longer valid.

First complaints directly related to the invalidation of the Privacy Shield

The first effects of this invalidation are already becoming apparent. The European privacy NGO noyb, founded by Max Schrems, has already taken legal action against around 100 European websites using Google Analytics and Facebook Connect solutions.

On the noyb website, he states:

“Neither Facebook nor Google seem to have a legal basis for the data transfers. Google still claims to rely on the ‘Privacy Shield’  a month after it was invalidated, while Facebook continues to use the ‘SCCs’ [Standard Contractual Clauses], despite the Court finding that US surveillance laws violate the essence of EU fundamental rights.”

Max Schrems’ complaint concerns companies such as Airbnb Ireland, Allied Irish Banks, Auchan, Danske Bank, Fastweb, MTV Internet, Sky Deutschland, Takeaway.com and Coop (among others).

Invalidation of the Privacy Shield and consequences on your Analytics tool

The European Union Court of Justice has decided to no longer recognise the United States as a country providing a sufficient level of protection for personal data to comply with the General Data Protection Regulation (GDPR). This is primarily because of widespread surveillance put in place by the White House on the grounds of the Cloud Act on data collected and processed by US companies.

The CNIL provides the following interactive map showing the level of GDPR adequacy of countries around the world, based on the decisions taken by the European Commission:

Article 14.f of the GDPR states that “the controller (the company) that intends to carry out a transfer of personal data to a recipient (Analytics solution) in a third country or an international organisation, including the existence or absence of an adequacy decision by the Commission” must provide its users with information on the place of processing and storage of its data.

For your Analytics solution to be in line with this requirement, it is therefore necessary to:

  • know where the Analytics data is processed and stored
  • inform the end-users of the exact location of the transfer if data is transferred outside the European Union

In addition, in case of transfer to the United States and in light of the invalidation of the Privacy Shield, it is now necessary to implement a new transfer mechanism to ensure the lawfulness of the processing of your Analytics data, in order to avoid:

  • complaints, claims, class actions by data subjects…
  • letters of formal notice, suspension of processing or financial penalties from the supervisory authorities

In its decision of the 16th July this year, the European Court of Justice clarified that standard contractual clauses (SCCs) continue to be a legitimate mechanism for transferring data. It should be noted here that these clauses may, in certain situations, not be sufficiently protective. The data controller (the subscriber to an Analytics solution) and the subcontractor (the Analytics solution) are responsible for negotiating any additions.

Indeed, the European Data Protection Board indicates in its early responses to frequently asked questions that standard contractual clauses cannot be given precedence over a national law and that, therefore, SCCs “are not sufficient” if the national law of the third country concerned by the transfer does not comply with the GDPR.

Where does AT Internet stand on international data transfers?

Since 1996, AT Internet has been independently processing and storing all its customers’ analytics data within the European Union.

This commitment is contractual via the Data Processing Agreement (DPA) signed between AT Internet and its customers, which is also in compliance with article 28 of the GDPR.

This means the following for users of our Analytics Suite:

  • no issues on the adequacy of a third country
  • no transfer mechanism to be put in place
  • no additional information to be provided to the users of their platforms
  • GDPR compliance with regard to chapter V of the regulation is ensured by default
  • minimisation of the risk of illegal processing of Analytics data, and therefore no risk of complaints, fines, etc.

For more than 20 years, AT Internet has held data confidentiality and the respect for user privacy as core values and founding principles. By meeting the highest standards of data protection and confidentiality, we are determined to set the best possible example for our clients and other actors in the sector. We guarantee the fullest transparency regarding the collection, processing and use of data, both on our sites and on those of the clients of our digital analytics solution.

We are also committed to the belief that an analytical approach based on ethics and data protection can be a real growth driver for brands.

To learn more and discover the other compliance benefits of our Analytics Suite, download our latest guide and request a free trial.

Linkedin Data Privacy Guide EN
Author

Louis-Marie joined AT Internet in 2011 as Technical Consultant, then Team Manager in 2015, before taking the position of Strategic Project Manager in January 2019. He is also appointed Data Protection Officer, initially in Germany, then at group level. Louis-Marie has been in charge of the company’s Data Privacy issues and expertise since 2017.

Comments are closed.