The end of the Privacy Shield Framework by the Schrems II ruling of the European Supreme Court causes enormous challenges for many companies, as US tools dominate in many marketing tech areas.
The ruling has implications not only for future illegal data transfers, but also for any historical data that has illegally transfered to the US or another unsafe EU third country based on this case law. These data must also be deleted, as explained in paragraph 143:
“If the recipient of personal data to a third country has notified the controller, pursuant to Clause 5(b) in the annex to the SCC Decision, that the legislation of the third country concerned does not allow him or her to comply with the standard data protection clauses in that annex, it follows from Clause 12 in that annex that data that has already been transferred to that third country and the copies thereof must be returned or destroyed in their entirety. In any event, under Clause 6 in that annex, breach of those standard clauses will result in a right for the person concerned to receive.”
Illegal data transfers can result in fines and even in compensations for the damage suffered from those affected. Companies are therefore well advised to put their tool landscape to the test and clarify where illegal data transfers are now taking place. To assess this, it is important to understand under what circumstances transatlantic data transfers can be maintained and whether US martech may continue to be used.
What about US services that operate servers in the EU?
If a tool provider is controlled by a US holding company or shareholder, or subcontractors have corresponding links to the US, US law can be indirectly enforced against them. The server location is thus not sufficient to ensure the protection of EU citizens’ rights. Because according to the Patriot Act, Foreign Intelligence Surveillance Act (FISA) and Clarifying Lawful Overseas Use of Data Act (Cloud Act), US authorities have access to absolutely all data of US companies. Even if this data is stored in the EU.
For this reason, the use of web analytics solutions from Adobe or mapp (formerly Webtrekk), for example, is extremely problematic within the EU.
Are standard contractual clauses the way out?
According to Article 45 of the GDPR, EU standard contractual clauses can in principle be considered as appropriate safeguards for the protection of personal data when transferred to an EU third country. However, the European Data Protection Board (EDPB) attaches additional data protection-related conditions to standard contractual clauses – even if the data is pseudonymised. In its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Adopted on 10 November 2020)” it states:
“A data exporter first pseudonymises data it holds, and then transfers it to a third country for analysis, e.g., for purposes of research.
3.disclosure or unauthorised use of that additional information is preventedby appropriatetechnical and organisational safeguards, it is ensured that the data exporter retains sole control of the algorithm or repository that enables re-identification using the additional information, and
4.the controller has established by means of a thorough analysis of the data in question taking into account any information that the public authorities of the recipient country may possess that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person even if cross-referenced with such information,
then the EDPB considers that the pseudonymisation performed provides an effective supplementary measure.“
Accordingly, the data must be encrypted, with only the data exporter having the key, and re-identification must be technically excluded. Both conditions can hardly be fulfilled with cloud services such as Google Tag Manager, Google Analytics, Google DoubleClick, Facebook Pixel, etc., as the website operator cannot independently control the encryption or pseudonymisation. In addition, personal attribution cannot be ruled out by linking to Google or Facebook accounts.
Standard contractual clauses are therefore out of the question for US web analytics solutions, conversion and remarketing pixels.
Is data transfer with consent the solution?
According to Article 49 GDPR para. 1 a), data may be transferred to the US on condition that “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; “
However, this is restricted in the same article to the effect that consent can only justify the transfer of data “[…] if the transfer is not repetitive, concerns only a limited number of data subjects […]”. Both criteria are violated, for example, when using solutions such as Google Analytics: This is because the transmission is regularly designed to be permanent. And the number of data subjects is not limited, as every visitor to the website is affected, provided they consent and do not use an opt-out option.
Consents as well as standard contractual clauses are unsuitable to justify a data transfer to the USA or other unsafe EU third countries by using Google Analytics & Co.
As harsh as it may sound, anyone who wants to conduct legal web analytics or legally compliant conversion tracking in the EU can only do so with European providers who operate their data centre in the EU.
But – and this is the good news – the change is anything but difficult.