It has been almost a year and a half since Schrems II called into question, and then declared invalid, the EU-US 'Privacy Shield', supposedly clarifying the 'clouded legal uncertainty' and changing the nature of EU-US data transfers. Despite this landmark case, recent decisions by Data Protection Authorities across Europe have highlighted continuing challenges surrounding data transfers to the US, most notably around the use of Google Analytics.
Google Analytics allows website owners to track and report web traffic and how users interact with their websites, and is also used for marketing and advertising purposes. It does this through scripts that record the user's IP address (among other things, to determine their geographical location) and set a cookie in the user's browser. Although the data may be captured within the EEA and first stored on Google's European servers, it is ultimately sent on to Google's storage servers in the US.
As explored in the Schrems II judgment, US authorities are able to access and process personal data that enters their jurisdiction, and as a result the US data privacy regime is not compatible with the rights and freedoms afforded to data subjects in the EU. Data transfers to the US are therefore treated as high risk under the GDPR, and there is no adequacy decision in favour of the US. To address this, Schrems II requires companies to assess the laws of the recipient country and to put supplementary safeguards in place, rather than relying on Standard Contractual Clauses alone.
Against this background, there have been two recent examples of inadequate safeguards in data transfers to the US. The first concerned the European Parliament, after it was revealed that the Parliament's internal COVID-19 testing appointment website was transferring data to the US through cookies set by Google and by another US-based firm, Stripe. The second concerned a health-focused website that had been using Google Analytics. In the latter case the Austrian Data Protection Authority (DPA) ruled that the use of Google Analytics constituted a breach of the GDPR.
Beyond the specific question of cookies and Google Analytics, the Austrian case highlights two broader issues for EU-US data transfers. The first is the lack of regulatory enforcement around transfers to the US since Schrems II. The second is the reluctance of EU firms to implement additional technical and organisational measures when transferring data to the US. Both suggest an industry-wide 'strategy of ignoring the problem until it goes away'.
US firms are not blameless either, having been accused of 'simply adding some text to their privacy policies' rather than making substantive changes to ensure they are GDPR compliant. The Austrian DPA did, however, take a step towards dismissing this 'prevailing tactic' of US cloud-based firms, which in future could make it harder for them to excuse the lack of GDPR-compliant policies.
Privacy campaigner Max Schrems expects 'similar decisions to drop gradually in most EU member states' following the Austrian ruling. A consistent position on EU-US data transfers across the bloc would go a step further in clarifying the 'clouded legal uncertainty' and in establishing what supplementary measures are actually required in this area of data privacy law.
As for the future of Google Analytics, there are several views. The anonymisation of IP addresses could be a step in the right direction (albeit a small one), and is an approach legally required in Germany. However, anonymisation poses data protection risks of its own, and it only helps if the anonymisation function is actually enabled and correctly implemented, which, as the Austrian case illustrated, does not always happen in practice.
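To make the "correctly implemented" point concrete, the following is an added example (not code from the article, nor Google's own): it applies the IP truncation that Google documents for its Universal Analytics IP anonymisation feature (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) to a couple of addresses, and then audits some constructed Measurement Protocol hits for the `aip=1` parameter, which is what a page's tag must send for Google to apply that truncation at all. The tracking ID, paths and hit URLs are constructed placeholders.

```javascript
// Added example: what Google's documented IP anonymisation keeps and discards,
// and a check that a Universal Analytics hit actually requests it.

// Google's documented behaviour: IPv4 -> last octet zeroed (a /24),
// IPv6 -> last 80 bits zeroed (a /48). Anything finer is NOT anonymised,
// and the remaining prefix is still a location-level identifier.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    // Expand "::", then keep only the first three 16-bit groups (48 bits).
    const [head, tail = ''] = ip.split('::');
    const h = head ? head.split(':') : [];
    const t = tail ? tail.split(':') : [];
    const groups = [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
    if (groups.length !== 8) throw new Error('invalid IPv6 address');
    return groups
      .slice(0, 3)
      .map((g) => parseInt(g, 16).toString(16))
      .concat(Array(5).fill('0'))
      .join(':');
  }
  const octets = ip.split('.').map(Number);
  if (
    octets.length !== 4 ||
    octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)
  ) {
    throw new Error('invalid IPv4 address');
  }
  octets[3] = 0;
  return octets.join('.');
}

// A Universal Analytics hit is a request to /collect with URL-encoded
// parameters. "aip=1" is the Measurement Protocol flag that asks Google to
// anonymise the client IP; without it the full address is processed.
// In gtag.js this is produced by: gtag('config', 'UA-…', { anonymize_ip: true })
// The hits below are constructed for illustration (placeholder tracking ID).
const SAMPLE_HITS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&cid=555' +
    '&t=pageview&dp=%2Fcovid-test%2Fbook&aip=1',
  'https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&cid=555' +
    '&t=pageview&dp=%2Fcovid-test%2Fresults',
];

function hitRequestsIpAnonymisation(hitUrl) {
  return new URL(hitUrl).searchParams.get('aip') === '1';
}

// Returns one record per hit: which page it reported and whether the tag
// asked for IP anonymisation. A "false" here is the misconfiguration the
// Austrian DPA's reasoning turns on: the function exists but was never enabled.
function auditHits(hits) {
  return hits.map((h) => ({
    path: new URL(h).searchParams.get('dp'),
    anonymised: hitRequestsIpAnonymisation(h),
  }));
}

console.log(anonymizeIp('203.0.113.45'));
console.log(anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348'));
console.log(auditHits(SAMPLE_HITS));
```

Two caveats a practitioner should keep in mind: the check above only shows that anonymisation was requested, not that Google honoured it (that happens server-side, and after the address has already reached Google's infrastructure), and a /24 or /48 prefix combined with the client ID cookie and other parameters in the same hit is still personal data under the GDPR, which is why the article treats this as a small step rather than a solution.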
Schrems takes a more drastic view, suggesting that until 'proper privacy legislation' is introduced in the US, there 'should be completely separate online services for the US and the EU'. It is difficult to imagine a future, at least a near one, without US-based cloud services. But without supplementary measures that provide clarity, proper enforcement, and a willingness on the part of US firms to amend their policies to meet GDPR requirements, it is difficult to see what other route this area of data protection law can take. Future cases brought before the European Data Protection Authorities will continue to shape the landscape, and will certainly be worth watching over the coming year.