2 October 2020
An overview of regulations after Schrems II and the Privacy Shield invalidation
Especially since the GDPR took effect on May 25, 2018, attention to online privacy has kept growing worldwide, not just in the EU. Similar legislation has been passed in several countries across at least four continents, and other landmark rulings have followed.
If a data processor, such as the owner of a website, had been in a coma for the past 2 ½ years or so, they would be waking up to a totally different world. A lot has happened, culminating in the Schrems II decision of the European Court of Justice, which ruled in favor of Max Schrems and against the EU-US Privacy Shield on July 16, 2020.
Schrems II is the logical consequence of Schrems I, a case which started as far back as 2013 with a complaint filed by Max Schrems at the Data Protection Commissioner in Ireland, the country where Facebook’s European headquarters are located. The Austrian activist claimed that the personal data on his Facebook profile could not be guaranteed the right to privacy, because it was being transferred from the EU to the United States.
We covered this case before, right after the court decision regarding EU personal data. In short, it is no longer legal for any type of data processor to use services from the USA that would give those services access to the personal data of EU citizens, without fully explaining the risks. The implications are huge and the topic is still making headlines, now that there is talk of Facebook withdrawing from the EU altogether.
In light of all of this, let us look at the effects of Schrems II and the fall of the Privacy Shield, combined with other current regulations. We also provide an overview of what you, as a website owner, are required by EU law to ensure.
- IP addresses are considered personal data.
- IP addresses and, potentially, other personal information attached to them are often gathered and sent by websites to various services, through scripts and pixels that website owners add to their pages (e.g. the Facebook Ads Pixel, the Google Analytics tracking code, etc.).
- Every time a user from the EU accesses a public website, hosted anywhere in the world, their IP address is processed and, therefore, personal information is sent to the aforementioned service providers.
- Some of these service providers may be located in the USA.
- US service providers that receive such personal data from the EU no longer have any legal grounds to access, store or use it. It has become illegal!
Consequences of ECJ Schrems II ruling
...unless the laws of that country can provide an adequate level of protection for this data. The USA is no longer an exception to that rule and is specifically targeted by this ruling. Check where your hosting provider is located, what data is being collected and where it is stored. If you find that it is in the US and you do collect personal data of EU visitors on it, change providers.
Website owners should check all of the third-party services they use and the (type of) data those services have access to. This potentially includes: website analytics tools (e.g. Google Analytics), user insight tools (e.g. Hotjar), customer chat tools (e.g. LiveChat), customer relationship management tools (e.g. monday.com), advertising services, etc.
Any tool that has access to the personal data of people interacting with your website is a liability. Remember that the visitor’s IP address is considered personal data. Check where these tools are located. Legally, they should be in the EU and offer a watertight Data Protection Agreement (DPA) to sign, in order to be able to act as a subprocessor for you and your needs.
...if the business is still registered in the US, it is subject to US law. And US law allows the US government to access private data for matters of national security. Specifically, US companies must comply with the CLOUD Act, which enables federal law enforcement agencies to compel them, via warrant, to hand over any personal data, regardless of whether the data is physically stored on a server in the USA or elsewhere.
Regulations such as the Privacy Shield and the Standard Contractual Clauses (SCC) are overruled by the European Court of Justice decision. Read a list of all the companies affected here: https://www.privacyshield.gov/list. Giants such as Facebook, Google and Amazon are on the list of 5239 companies who suddenly face this serious and severe legal problem.
Make sure your website does not give any of the services on this list access to any personal data of your visitors from the EU. If there is no European alternative for that kind of service, the only exception is to let your users opt in before any data is sent to the external service.
...unless all visitors are fully informed in advance of the potential risks and give their explicit consent.
This implies the use of a consent banner/box before any tracking begins, which must provide information on the possible risks of data transfer to a third country, because there are no adequate measures to safeguard the data, as described in Article 46 of the GDPR (General Data Protection Regulation).
The way cookie consent must be obtained has been described in detail by the Federal Court of Justice (BGH) in Germany and has been confirmed by the ECJ (European Court of Justice). See the ruling by the ECJ on case number C-673/17 here.
Consequence 5.1: pre-ticked consent banners are not legal.
Consequence 5.2: consent banners need to have separate consent boxes for all of the cookies being placed, grouped by purpose.
This informs the user about the purpose of the cookies. There should be separate consent for analytics/statistics cookies, marketing cookies, cookies for storing user preferences, and so-called “necessary” cookies (e.g. the cookies that keep your products in your cart while you are browsing).
Option A (recommended) - use only service providers from the EU.
Option B (only if you do not operate in the EU) - block visits to your website from all IPs in the EU, so that no personal data is imported from there. However, this will (1) limit your audience and market and (2) fail to keep you safe from similar legislation being developed in other parts of the world.
Option C - make sure your visitors are fully aware of the implications of data transfer to the USA and give them the possibility to give consent. This should be done very thoroughly and only after consulting an attorney, to avoid any legal action against you. PLEASE NOTE! If a user does not give consent, you must make sure that he/she is not tracked. This will result in incomplete data. For example, in terms of analytics, a potentially large share of users will not be counted at all in your website stats.
Option D (recommended for analytics services) - use a compliant and consentless solution and get rid of these annoying cookie banners. Learn more here.
Explain and get consent for your own purpose, as website owner, in using the tool: what personal data you gather and what for (e.g. “I agree that the website uses Google Analytics to aggregate traffic data and stats about visited pages, which enable us to make decisions about adapting the website to the general needs of our public. Personal data such as your IP address is being processed.”).
Explain and get consent for Google’s purposes in gathering the data (e.g. “I agree to Google Analytics using my personal data for their own interest, in order to create a personal profile and allow me to receive personalized ads or other types of custom content.”).
Explain and get consent for the data transfer and its associated risks (e.g. “I agree that my personal data collected while using this website may be transferred to Google Inc. in the USA and processed there. I understand that the same level of protection of personal data as the one applied in the EU cannot be guaranteed. I am aware that US authorities will be able to access my personal data, stored by Google, without my consent.”).
So this is how Option C would need to look if you don’t want to give up using Google Analytics. It is rather complicated and a delicate matter in terms of legality; the wording must be chosen very carefully.
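As an added example (not code from the original post), here is a small JavaScript tag loader that applies Consequences 5.1 and 5.2 and the Option C opt-in: nothing is pre-ticked, each purpose gets its own explicit boolean, third-party scripts are injected only after consent, and tags that send data to the USA additionally require the visitor’s acknowledgement of the transfer risk. The purpose names, the tag list and the script URLs are assumptions.

```javascript
// Added example, not code from the original post: a consent-gated tag loader.
// Purpose names, the tag list and the script URLs are constructed placeholders.
const PURPOSES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed sample tags: the purpose each one needs and whether it sends
// data to a third country (the USA in the post's scenario).
const TAGS = [
  { id: "analytics", purpose: "statistics", src: "https://analytics.example/tag.js", thirdCountry: true },
  { id: "ads-pixel", purpose: "marketing", src: "https://ads.example/pixel.js", thirdCountry: true },
  { id: "cart", purpose: "necessary", src: "/static/cart.js", thirdCountry: false },
];

// Consequence 5.1: nothing is pre-ticked. Only "necessary" is on by default.
function defaultConsent() {
  const c = { transferRiskAccepted: false };
  for (const p of PURPOSES) c[p] = p === "necessary";
  return c;
}

// Consequence 5.2: the banner submits one explicit boolean per purpose.
// Anything not explicitly granted stays denied; "necessary" cannot be unticked.
function recordConsent(choices, transferRiskAccepted) {
  const c = defaultConsent();
  for (const p of PURPOSES) {
    if (p !== "necessary" && typeof choices[p] === "boolean") c[p] = choices[p];
  }
  c.transferRiskAccepted = transferRiskAccepted === true;
  c.recordedAt = new Date().toISOString(); // keep evidence of when consent was given
  return c;
}

// A tag may load only if its purpose is granted and, for tags that transfer
// data to a third country, the visitor also accepted that risk (Option C).
function tagsAllowed(consent, tags) {
  return tags.filter((t) => consent[t.purpose] === true && (!t.thirdCountry || consent.transferRiskAccepted));
}

// Injects only the allowed scripts into the page and returns the URLs loaded,
// so the decision can be checked without a browser (pass no document to dry-run).
function loadTags(consent, tags, doc) {
  const allowed = tagsAllowed(consent, tags);
  for (const t of doc && doc.head ? allowed : []) {
    const s = doc.createElement("script");
    s.src = t.src;
    doc.head.appendChild(s);
  }
  return allowed.map((t) => t.src);
}
```

In a real page the banner's submit handler would call `recordConsent` with the visitor's choices and then `loadTags(consent, TAGS, document)`; until that happens no third-party script is on the page at all.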
As far as website analytics is concerned, options A and D are far better solutions. You can use a provider from the EU, instead of Google Analytics.
That provider is Visitor Analytics, which:
- is based in Germany and only hosts data within the borders of Germany, so there is no personal data transfer outside the EU;
- does not use hosting at Amazon, Google or other US cloud hosting providers with German subsidiaries, so the CLOUD Act cannot apply to it;
- offers a mode where user consent is no longer needed, as absolutely no personal data is processed (see Consentless Tracking).