The General Data Protection Regulation (GDPR) is intended to ensure a uniform level of data protection in the European Union (EU). To ensure that this protection cannot be undermined, it must be ensured that at least comparable requirements for lawful data processing are met when personal data are processed outside the EU. This requirement must be taken very seriously. The processing of personal data in third countries is – alongside compliance with data protection principles and the guarantee of data subjects’ rights – one of the offences that is subject to particularly heavy fines, namely up to € 20 million or 4 % of a company’s worldwide turnover, whichever is higher.
For processing in the United States, self-certification of providers under the Privacy Shield has so far been a sufficient guarantee of data protection requirements comparable to those in the EU. This has now been overturned by the European Court of Justice (ECJ). The consequence: for the processing of personal data in the USA, other suitable guarantees must be created and demonstrated by the controller who transfers the data there, unless they are prepared to expose themselves to the enormous threat of fines under the GDPR.
Probably the most relevant basis in practice could be the conclusion of an EU standard agreement. This is a model contract created by a decision of the European Commission, which a controller (data exporter) can conclude with a processor (data importer) and which stipulates that processing must be carried out in accordance with instructions and in an appropriate manner. However, even such an agreement would not change the fundamental problem that led the ECJ to declare the Privacy Shield ineffective, namely the largely unrestricted scope for US authorities to access such data.
Website visitors must also be explicitly informed about the risks of data transfer in consent dialogues, according to the guidelines of the European Data Protection Board (EDPB). Article 64 states that:
“For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice. Therefore, the EDPB is of the opinion that at least the following information is required for obtaining valid consent:
i. the controller’s identity,
ii. the purpose of each of the processing operations for which consent is sought,
iii. what (type of) data will be collected and used,
iv. the existence of the right to withdraw consent,
v. information about the use of the data for automated decision-making in accordance with Article 22 (2)(c) where relevant, and
vi. on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.”
However, such warnings in cookie banners are likely to reduce consent rates further, making data collection almost impossible if the legal requirements are actually met.
Controllers should now analyse very carefully any of their processing operations that take place in the United States, as well as service providers that may have corporate ties or technical connections to the USA, and check whether they can and want to meet the requirements that will apply in the future. In addition, controllers should seek qualified advice and information on the risk situation. As things stand today, it is not even possible to legally integrate analytics tools such as Google Analytics, and doing so entails the risk of high fines.
etracker Analytics users are still on the safe side. This is because even against the background of the latest case law and guidance, such as the EDPB guidelines, the Federal Court of Justice ruling and the abolition of the Privacy Shield, etracker is 100% GDPR-compliant and can be used in the cookie-less version without any consent.