Google Analytics custom features do not make transfers legal, according to CNIL

CNIL has announced that even with the use of Google Analytics custom features, transfers are still not legal. 


CNIL recently announced that even with the use of Google Analytics custom features, transfers are still not legal in the absence of a transfer deal between Europe and the US. This announcement was added to the Q&A on CNIL’s website as a point of clarification, after numerous businesses had hoped that the customisation tool could be used to allow data transfers from Europe to the US through Google Analytics. However, according to the CNIL, the use of this tool still does not comply with the GDPR despite the precautionary options now available.


While efforts have been made to replace the invalidated Privacy Shield, authorities say there is still a long way to go.


Earlier this year, CNIL sent out formal notices to a series of companies after deciding that data transfers to the US via Google Analytics were illegal. This decision was based on the Schrems II judgment, which invalidated the Privacy Shield two years ago. While a decision to replace the deal was announced, there is still a long way to go. European Commission Vice-President Margrethe Vestager confirmed at the International Cybersecurity Forum earlier this month that negotiations are “finalised”, but that “a lot of work remains to be done.”


In the absence of the Privacy Shield, CNIL has addressed questions and concerns regarding other solutions that have been offered. 


While we await a replacement for the Privacy Shield, CNIL has been very vocal, providing clarification when necessary. The authority addressed a question on the possibility of configuring Google Analytics so as to avoid transferring personal data outside the EU. CNIL’s response to this was an unambiguous “no”, followed by an explanation that “the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data.” This remains the case even in the absence of a transfer, as Google has confirmed to CNIL that all data collected by Google Analytics is hosted on US soil.


Many of the proposed solutions are not deemed satisfactory as any personal data transferred to the US seems to be at risk. 


Google has proposed additional guarantees such as anonymisation and encryption, but none of these solutions are deemed satisfactory by the CNIL. CNIL acknowledges that Google offers an IP address anonymisation feature. However, this does not apply to all transfers, and Google has been unable to demonstrate that the anonymisation takes place before the data is transferred to the US. Replacing personal data with unique identifiers is also not considered a satisfactory solution, since individuals can still be identified by associating those identifiers with other data. The CNIL states that the encryption solutions offered by Google were ineffective, as Google generates and stores the encryption keys itself, allowing the company to access the personal data if it so wishes. As a result, any companies or organisations that wish to use the tool need to obtain explicit consent from the individuals concerned.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

The concept of “data exporter” clarified by the Danish DPA

In the light of the Schrems II judgment by the CJEU, questions relating to the concept of “data exporter” have been clarified by the Danish DPA. 


Since the CJEU’s Schrems II judgment, the Danish Data Protection Agency has received an increasing number of questions relating to the transfer of personal data to third countries. Many of these questions concern the concept of “data exporter” and who, in practice, is responsible for ensuring that the transfer of personal data takes place in accordance with data protection regulations, especially in larger, more complex data processing situations. While the term “data exporter” is not defined in the GDPR, the concept is defined in the EU Commission’s standard contract, which is one of the most widely used transfer bases under Chapter V of the GDPR. As a result, the Danish DPA has decided to provide clarification on the role and concept of a “data exporter.”


A data controller or processor in a third country to whom data is transferred under a standard contract is considered a “data importer.”


A standard contract can be entered into by an EU data controller who transfers personal data to a data controller or data processor in a third country. The third-country data controller or processor would be considered the “data importer”. This situation has created some doubt as to which party is responsible for ensuring the legality of the transfer under the GDPR, particularly in cases where one or more of the sub-processors are outside the EU/EEA.


The GDPR stipulates that both parties (whether exporter or importer) are responsible for establishing a legal basis for the transfer. 


According to GDPR Article 44, “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.” The Danish Data Protection Agency interprets this article of the GDPR to be applicable as an obligation for both the data controller and the data processor. Both parties are therefore obliged to ensure that a transfer basis is provided that is effective in the light of all the circumstances of the transfer. 

Under the GDPR, both the controller and processor are expected to take necessary measures to establish substantial security of the data. 


Article 32 of the GDPR states that the controller and the processor must establish an appropriate level of processing security. The Danish Data Protection Agency regards both the data controller and any potential data processors as independent subjects with regard to this obligation. This means that the data controller and the data processor are each expected to take the necessary technical and organizational measures to establish an appropriate level of processing security. In cases where the data processor provides most or all of the technical infrastructure, the task of the data controller is to ensure – and be able to demonstrate to the Danish DPA – that the data processor has established a satisfactory level of security for the data being processed.


New agreement on EU-US data transfers

For companies which depend on cross border data transfers, some needed relief may come in the form of a new agreement on EU-US data transfers. 

The European Union and the U.S. recently announced that they had reached an agreement “in principle” on a new framework for cross-border data transfers. This is expected to bring some much-needed relief to tech giants like Meta and Google, which have been severely affected by the invalidation of the Privacy Shield in July 2020. Several companies have faced legal issues over EU-US data transfers and have had to find alternative ways of doing business that would not require such transfers. This was easier for some companies than for others. One in particular, Meta (formerly Facebook), recently even considered shutting down operations in Europe in the absence of a framework for cross-border data transfers. The new agreement is expected to make a major difference for these companies. It will “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties,” Ursula von der Leyen, President of the European Commission, said recently.

EU and US officials have been trying to find an appropriate replacement framework since the invalidation of the Privacy Shield in 2020. 

Since the invalidation of the Privacy Shield in July 2020, Facebook and other companies that had relied on the mechanism for their EU-US data flows have struggled to adapt their business operations to the restrictions on EU-US data flows. The CJEU ruled in favour of Max Schrems, a privacy activist who argued that the existing framework did not protect Europeans from US surveillance. Since then, officials on both sides of the Atlantic have been trying to negotiate a new deal to replace the Privacy Shield, which had allowed firms to share data from the EU with the US.

This update will likely bring much needed relief to large tech companies which have faced legal issues since the invalidation of the Privacy Shield almost two years ago. 

News of the agreement will undoubtedly be welcomed by tech giants like Meta and Google, which have been gravely affected by the invalidation of the Privacy Shield. Companies were being urged to find alternatives to Google Analytics, while Meta considered pulling Facebook and Instagram out of Europe. Meta’s president of global affairs, Nick Clegg, said the deal “will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.” He took to Twitter, stating that “With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running.” In addition, Google’s president of global affairs, Kent Walker, was quoted in a recent CNBC report as saying “People want to be able to use digital services from anywhere in the world and know that their information is safe and protected when they communicate across borders.” He went on to say, “We commend the work done by the European Commission and U.S. government to agree on a new EU-U.S. framework and safeguard transatlantic data transfers.”

Max Schrems, the Austrian privacy activist who initially questioned the level of protection provided by the current framework, says he is prepared to challenge any discrepancies in the new agreement as well. 

Many officials believe that it is too early to say whether the new agreement will stand the test of time. Privacy Shield, which replaced Safe Harbor, an earlier EU-US data pact, was found to offer insufficient protection and was challenged and later invalidated. Schrems, who was instrumental in challenging both the Privacy Shield and Safe Harbor, said that he expects the “final text” of the new agreement to take more time to come together. However, he added that he is prepared to challenge it as well “if it is not in line with EU law.” According to Schrems, “In the end, the [EU] Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”

“While this is a most long-awaited update and a significant step forward, businesses should not forget that there is no agreement officially approved yet; therefore a valid mechanism under the GDPR/UK GDPR, such as the Standard Contractual Clauses, and a Data Transfer Impact Assessment are still required for any data transfers to the US, as is the case with data transfers to any other third country,” points out Cristina Contero Almagro, Partner at Aphaia.

Does your company rely on the transfer of personal data to third countries? Aphaia can help. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, data transfer impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Meta considers EU shutdown

Meta considers an EU shutdown in the absence of a framework for the storage of EU data on US servers.


Representatives from Meta have spoken up about the possibility of the company having to shut down Instagram and Facebook services in the EU unless a framework is implemented that allows it to store EU data on US servers. A recent annual report from the company mentioned that, unless there is an option to store, transfer and process data from its European users on the US-based servers it has always used, Facebook and Instagram may be shut down across the EU.


Meta representatives call for clear global rules to protect transatlantic data flows over the long term.


With the current frameworks for transatlantic data transfers under heavy scrutiny in Europe, the company needs a new framework in order to continue operating in the EU. Several businesses have been called into question over their transatlantic data transfer practices. As a result, Standard Contractual Clauses (SCCs) have been used by some companies to facilitate these transfers; however, it has been suggested that SCCs cannot be used in practice for EU-US transfers. According to a report from City AM, Nick Clegg, VP of Global Affairs and Communications at Meta, said “Businesses need clear, global rules, underpinned by the strong rule of law, to protect transatlantic data flows over the long term.”


Since the invalidation of the Privacy Shield, many companies have had to change the way they operate in an effort to remain in compliance. 


Since the invalidation of the Privacy Shield in July 2020, the impact has been felt by businesses all across Europe that previously used US servers, or used the services of US-based companies, in ways that involved transferring data from EU users to the US. Under US law, European user data that has been transferred to the US may be accessed by US intelligence agencies. As a result, several companies have been ordered to cease their use of US cloud services and other US-based service providers. Many companies turned to Standard Contractual Clauses (SCCs) in order to facilitate these transfers. Unfortunately, in many cases this has been found to be an inadequate solution, as SCCs by themselves do not protect the data from being accessed by US intelligence. Meta is one of several companies that have been investigated for unlawful data transfers to the US.

While the investigation by the Irish DPC is ongoing, this watchdog has previously ruled against the use of SCCs to facilitate transatlantic data flows.


The Irish DPC communicated to Facebook in August 2020 that its use of Standard Contractual Clauses was not in line with the GDPR. This meant that Facebook would have to stop processing European data on American servers. However, this preliminary conclusion has been appealed by Facebook, and therefore the change has yet to come about. Judges ruled that the investigation by the Irish DPC can continue, with a final verdict expected within the first half of this year. Since the Schrems II decision of the Court of Justice of the EU, an adequate data transfer impact assessment is required for transfers of data based on SCCs. The current situation faced by Meta is that it may no longer be feasible to offer its services in the EU, should the use of Standard Contractual Clauses be deemed illegal in its case at the end of the investigation.
