17. July 2020 4 minutes read
EU Justice Court decision may prevent website owners from storing EU citizen website traffic data in the US
Yesterday, July16th 2020, several major media outlets announced that the European Court of Justice had struck down the so-called “Privacy Shield” agreement between the EU and the US. The Privacy Shield allowed companies, who could prove they complied to a set of regulations for data privacy protection, to transfer private data from the EU to the US. 5384 companies transferred data based on this protocol, and they include giants like Google, Facebook, Amazon and Microsoft.
This is the type of news that probably does not mean anything to the average individual, unless someone puts it into context. But rest assured, while you may not have even been aware of such an agreement and what it meant, your activity may be greatly affected by it. Read on to understand why.
But before you scroll to the end of the story, if you are using Visitor Analytics for your website traffic analytics, rest assured that you do not need to worry about the Privacy Shield being undone. We store data in Germany, within the EU, so the activity of all of the website owners who use our services will not be affected in any way.
If, on the other hand, you use another provider for website analytics, check where they store their data and consider switching to Visitor Analytics, to avoid any potential hassle about data privacy.
The EU does not trust the US to keep personal information private
In just a few words, this is the core of the issue. The European Union has been pushing strict laws to protect the personal data of its citizens in the past few years. You may be familiar with the law attempting to regulate this in Europe: GDPR. These are not matched by the laws in the US, which are a lot more relaxed about handling personal data. Which is a problem when you have US companies handling EU citizen data.
And you can see why Europeans are worried. Let’s just give a few reasons:
The 2013 revelations in the Edward Snowden case, which leaked the way the NSA followed personal activities of anyone they saw fit, without any concern for privacy (not to mention that there are allegations that the same US agency literally spied on the German Prime Minister for years).
More recently, it continued with the Hillary Clinton leaked emails controversy in 2016, which showed how top-ranking officials neglect to take action to protect even some of the most top secret information. We now know several more US government data was not properly protected against Russian hackers.
In 2018, the Cambridge Analytica scandal revealed how Facebook harvested user personal data without any consent, in order to use it for political advertising.
And the list could go on for many pages.
All of these cases have shown the EU that they cannot trust that data kept in the US can be held to the privacy standards we now have in Europe. And the privacy of its citizens needed to be protected overseas too.
GDPR and the Privacy Shield
One of the main components of GDPR is aimed particularly at internet privacy. It clearly states that companies are not allowed to work with any personal data of EU citizens without an informed consent from them. What is considered to be “personal data” extends to details such as IP addresses, user browsing history and other identifiers coming from their online activity, which are sometimes stored by browsers and third parties in small files called “cookies”.
By installing these cookies on the devices of internet users, companies are able to track users and, based on that, to send them customized ads and messages, based on their history. After GDPR, doing this without explicit consent for each cookie and without explaining what data they store, for what purpose and for how long, is not possible anymore. It makes website and app owners responsible for all the data gathered through their sites/apps, whether they are doing it, or a third party is doing it. An example of a third party would be an analytics app for monitoring website traffic.
The catch is that this should not only apply to EU websites, but also to sites anywhere in the world that may at some point have visitors from the EU. And this includes the US.
With the EU and US economies being somewhat connected, a workaround for this issue was found. Named the Privacy Shield, it set out a few privacy rules based on GDPR, that US companies had to comply with, in order to transfer data from the EU to the USA. Many companies applied to be part of the Privacy Shield, including some who have been in the spotlight for their user privacy infringement in the past, like Google and Facebook.
Under this regulation, they were still allowed to transfer data from the EU and host it in the US.
EU activists going after Facebook
That was the status quo until an Austrian activist named Max Schrems filed a case with the ECJ (European Court of Justice) claiming that the personal data from his Facebook profile could not be trusted to remain private, because the US government, where Facebook is located, did not provide proper legislation for this.
And the ECJ found that he was right, thus effectively nullifying the Privacy Shield regulation.
How does the invalidation of the Privacy Shield impact website owners?
We don’t know when and how the new regulations will be implemented, but, by the new standards, companies cannot store any EU citizen private data in the US by just relying on the Privacy Shield.
It puts companies, big and small, in a tough spot. Do you have your servers in the US? Are you using hosting providers based there? Are you using third party services that store data in the USA? These are now questions you should be asking yourself, if you don’t want to infringe the law and face heavy fines.
Privacy Shield and website analytics services
In particular, the way you track your traffic comes again into question. Website analytics is a sensitive subject precisely because it deals with personal data and has to do it carefully. Now, if, as a website owner, you use a third party application that stores this data in the US, you are at risk right now. So check to see where your provider is storing traffic data. If it is in the EU, you are safe from any hassle.
Fortunately, Visitor Analytics complies with GDPR standards and follows them accordingly. The data is stored in Germany, so Visitor Analytics is not among the more than 5300 companies affected by this decision.
You can always rest assured that the traffic data is safe with us. If you use the services of another provider, consider switching to us, as a safe alternative in terms of privacy.