
EU Justice Court decision may prevent website owners from storing EU citizen website traffic data in the US

July 17, 2020


Yesterday, July 16th, 2020, several major media outlets announced that the European Court of Justice had struck down the so-called “Privacy Shield” agreement between the EU and the US. The Privacy Shield allowed companies that could prove they complied with a set of regulations for data privacy protection to transfer private data from the EU to the US. 5384 companies transferred data based on this protocol, and they include giants like Google, Facebook, Amazon and Microsoft.

This is the type of news that probably does not mean anything to the average individual, unless someone puts it into context. But rest assured, while you may not have even been aware of such an agreement and what it meant, your activity may be greatly affected by it. Read on to understand why.

But before you scroll to the end of the story, if you are using Visitor Analytics for your website traffic analytics, rest assured that you do not need to worry about the Privacy Shield being undone. We store data in Germany, within the EU, so the activity of all of the website owners who use our services will not be affected in any way.

If, on the other hand, you use another provider for website analytics, check where they store their data and consider switching to Visitor Analytics, to avoid any potential hassle about data privacy.

The EU does not trust the US to keep personal information private

In just a few words, this is the core of the issue. The European Union has been pushing strict laws to protect the personal data of its citizens in the past few years. You may be familiar with the law attempting to regulate this in Europe: GDPR. These laws are not matched by those in the US, which are a lot more relaxed about handling personal data. That is a problem when you have US companies handling EU citizen data.

And you can see why Europeans are worried. Let’s just give a few reasons:

And the list could go on for many pages. 

All of these cases have shown the EU that they cannot trust that data kept in the US can be held to the privacy standards we now have in Europe. And the privacy of its citizens needed to be protected overseas too. 

GDPR and the Privacy Shield

One of the main components of GDPR is aimed particularly at internet privacy. It clearly states that companies are not allowed to work with any personal data of EU citizens without their informed consent. What is considered to be “personal data” extends to details such as IP addresses, user browsing history and other identifiers coming from their online activity, which are sometimes stored by browsers and third parties in small files called “cookies”.

By installing these cookies on the devices of internet users, companies are able to track users and, based on their history, to send them customized ads and messages. After GDPR, doing this without explicit consent for each cookie and without explaining what data they store, for what purpose and for how long, is not possible anymore. It makes website and app owners responsible for all the data gathered through their sites/apps, whether they are doing it, or a third party is doing it. An example of a third party would be an analytics app for monitoring website traffic.

The catch is that this should not only apply to EU websites, but also to sites anywhere in the world that may at some point have visitors from the EU. And this includes the US.

With the EU and US economies being somewhat connected, a workaround for this issue was found. Named the Privacy Shield, it set out a few privacy rules based on GDPR that US companies had to comply with in order to transfer data from the EU to the USA. Many companies applied to be part of the Privacy Shield, including some who have been in the spotlight for their user privacy infringement in the past, like Google and Facebook.

Under this regulation, they were still allowed to transfer data from the EU and host it in the US.

EU activists going after Facebook

That was the status quo until an Austrian activist named Max Schrems filed a case with the ECJ (European Court of Justice) claiming that the personal data from his Facebook profile could not be trusted to remain private, because the government of the US, where Facebook is located, did not provide proper legislation for this.

And the ECJ found that he was right, thus effectively nullifying the Privacy Shield regulation.

How does the invalidation of the Privacy Shield impact website owners?

We don’t know when and how the new regulations will be implemented, but, by the new standards, companies cannot store any EU citizen private data in the US by just relying on the Privacy Shield. 

It puts companies, big and small, in a tough spot. Do you have your servers in the US? Are you using hosting providers based there? Are you using third-party services that store data in the USA? These are now questions you should be asking yourself if you don’t want to infringe the law and face heavy fines.

Privacy Shield and website analytics services

In particular, the way you track your traffic comes into question again. Website analytics is a sensitive subject precisely because it deals with personal data and has to do it carefully. Now, if, as a website owner, you use a third-party application that stores this data in the US, you are at risk right now. So check to see where your provider is storing traffic data. If it is in the EU, you are safe from any hassle.

Fortunately, Visitor Analytics complies with GDPR standards and follows them accordingly. The data is stored in Germany, so Visitor Analytics is not among the more than 5300 companies affected by this decision.

You can always rest assured that the traffic data is safe with us. If you use the services of another provider, consider switching to us, as a safe alternative in terms of privacy.
