In July 2020, the Schrems II decision disrupted the flow of cross-border data transfers between the EU and the United States, effectively invalidating the EU-US Privacy Shield Framework.
The decision has left businesses scrambling to use other legal mechanisms, such as Standard Contractual Clauses (SCCs), to transfer data.
The Aftermath of Schrems II
Fast forward to the present. We are only a few weeks into the new year, and already two significant decisions have followed in the aftermath of the Schrems II ruling. The new decisions were issued by the Austrian Data Protection Authority (DPA) and the European Data Protection Supervisor (EDPS).
One of these cases was the first in a series of 101 coordinated complaints that were filed by NOYB (None of Your Business) — the company founded by Max Schrems, the Austrian lawyer at the center of the titular case — following Schrems II.
The Austrian DPA concluded that an Austrian-based health website had unlawfully transferred data from the EU to the US through the use of Google Analytics in violation of Chapter V of GDPR.
The second case was also among the series of 101 coordinated complaints that NOYB filed. In this instance, the EDPS found that the EU Parliament had violated the Schrems II ruling on data transfers between the EU and the US. The violation came through the use of Google Analytics and cookies from the payment processing company Stripe on a website it had created to schedule COVID-19 testing.
A primary takeaway from these two decisions is that there is now clear guidance on the use of analytics and cookies in the EU following the Schrems II decision. Although the Austrian DPA released a guide on how to properly use Google Analytics in 2017-2018, that was before the Schrems II ruling and is therefore outdated.
The Dutch DPA will also soon issue a decision on a case similar to the one heard in Austria. Accordingly, we can expect to see an updated version of the Google Analytics guide for EU member states.
Google Analytics & Cross Border Transfers
The European Data Protection Board (EDPB) created a task force in 2020 to coordinate the decisions in these two cases. The task force intentionally selected these cases due to how — and with whom — the websites involved processed data.
While both websites used Google Analytics, neither website contained any obvious cross-border elements, ensuring that the supposed transfers would remain within the jurisdiction where the complainant resides. This also helped ensure that the cases would reach similar conclusions, which strengthens the likelihood of similar rulings in future cases.
The results of these cases contradict the risk-based-approach theory left over from the Schrems II decision. This theory was applied on a case-by-case basis, weighing whether the facts of an individual case would interest a US agency enough to surveil and access data being transferred from the EU.
After these cases, the facts of an individual case no longer matter — only that data should NOT be transferred from the EU to the US if there is ANY possibility that the US government could gain access to that data. This finding is relevant for all EU-US cross-border data transfers — and impacts any transfers that fall under the requirements of Article 46 of the GDPR.
Cookies & Personal Data
In the second case, the EU Parliament argued that Stripe cookies were inactive, and their sole purpose was to assist with processing payments — not with COVID-19 testing. The EDPS found that whether a cookie is active or inactive is irrelevant, so long as an ID number is placed to identify the end user.
Therefore, if a US-based company places a cookie on a website that is controlled by an EU entity, the action will constitute a data transfer, and a legal mechanism will be required pursuant to Article 5 of the GDPR.
SCCs and Supplemental Measures
Both the Austrian DPA and the EDPS found that whenever an international data transfer occurs between the EU and the US on the basis of SCCs, the parties must provide “supplemental measures” in addition to the SCCs. Suggestions as to what those measures might entail remain vague — as there is no documentation, evidence, or other information regarding the contractual, technical, or organizational measures required to ensure an essentially equivalent level of protection.
The Austrian DPA also specifically found that certain supplemental measures may be insufficient if they do not eliminate the possibility of surveillance and access to personal data by US agencies. Note that this is when the risk-based approach theory from Schrems II was officially rejected.
The EDPS did clarify, however, that transfers from the EU to the US could still occur under narrow conditions, such as when an entity can guarantee that personal data is completely anonymized.
Finally, these cases demonstrate that sometimes DSARs, transparency reports, consumer notifications, encryption technologies, and other security measures may not be enough to overcome the possibility of US government surveillance and access to data. In some cases — like the one brought against the EU Parliament — stopping transfers altogether is considered compliance with the GDPR and the Schrems II decision.
What’s Next for Cross-Border Data Transfers?
Google is turning toward major lobbying efforts in the EU — a move that has met with some skepticism. Time will tell if this turns out to be a worthwhile exercise or a fruitless endeavor.
DPAs in various EU member states — including Cyprus, Malta, Poland, and Romania — are expected to issue a wave of decisions in the near future, which are likely to be on par with these recent decisions.
A possible issue that could arise from such decisions may include halting all data transfers between the EU and the US. Goodwin Procter Partner and IAPP Senior Fellow Omer Tene reflected that, “the decision casts a dark cloud over any conceivable method of legally transferring data between the continents,” adding that it will have “far-reaching implications.”
For now, entities using US companies for analytics purposes should approach each scenario with caution and bear in mind that even the mere presence of a cookie ID number will qualify as a violation, since it is considered personal information that carries a unique digital footprint. This is true regardless of whether an IP address or ID number is truncated or inactive. Such measures do not eliminate the possibility of surveillance tactics in the US.
How BigID Helps with Data Transfers Across Borders
BigID helps organizations identify, manage, and monitor all personal and sensitive data activity — including data transfers across borders. With BigID, organizations can:
- Report on and monitor third-party data sharing
- Detect out-of-policy, cross-border data transfers
- Tag and label data for legal purposes
- Label data attributes based on residency of data subject for intra-company transfers
- Apply anonymization techniques as necessary supplemental measures
Understanding your data holdings — such as knowing where personal data is stored and being able to tie its residency to an identity — is a great place to start for companies that may need to respond in the wake of these EU cross-border transfer cases. Schedule a BigID demo to learn more.