
02-02-2022

Transfers of personal data under scrutiny: can we still transfer data outside of the EU?

Publications | Levi Van Dijck


Every year on the 28th of January we celebrate Data Protection Day, but for many companies there was not much cause for celebration last week: several rulings published in the first month of 2022 have put transfers of personal data to the US even further into question.

Ever since the European Court of Justice ruled the EU-US Privacy Shield invalid in the summer of 2020 (the “Schrems II” ruling), data transfers to the US have become increasingly difficult. In June 2021 the EU Commission modernised its Standard Contractual Clauses (“SCCs”) to take the “Schrems II” ruling into account, but merely signing the new SCCs is not considered sufficient. A Data Transfer Impact Assessment (DTIA) and supplementary safeguards are still needed for transfers outside of the EU, even under the new SCCs, and this is where things become complicated for most companies that use one or more of the many tech products provided by US companies.

This is confirmed by several rulings across the EU (with many more to come) that analysed the use of tools such as WhatsApp, Google Analytics and Stripe and concluded that the transfer to the US involved in using these tools was unlawful. The recent decisions of the EDPS (the supervisory authority for EU institutions) and the Austrian DPA make this very clear.

In a first case before the EDPS, concerning a Covid-19 testing website of the European Parliament, a complaint was filed about, among other things, the Google and Stripe cookies used on the website, through which personal data was (or could be) transferred to the US. The European Parliament could not properly answer the question whether any additional safeguards had been taken beyond the SCCs, and was therefore found to have violated art. 46 and 48.2.b of the EUDPR (the data protection regulation for EU institutions, which mirrors the GDPR).

In a second case, questions were raised in August 2020 about an Austrian website using Google Analytics. Again it was established that personal data was transferred to the US through the use of this service (the user IDs assigned by Google, combined with the other information collected, make it possible to single out the user), and that here too the transfer was not adequately safeguarded. The DPA went into more detail about the measures implemented by Google (and by the website owner) and considered these standard measures ineffective at protecting the transfer to the US. None of them prevented Google, and above all the US authorities, from identifying and accessing the personal data of the website visitor, which led to the conclusion that the transfer to the US was unlawful and had to be stopped.

It is important to note that in this last case Google Analytics was provided by Google LLC (based in the US) at the time of the complaint, and that this changed afterwards, when Google Ireland became the provider. As a result the data importer (Google Ireland) is no longer located in a third country, which the EDPB's draft guidelines on this matter treat as one of the conditions for a data transfer outside of the EU. Google may also change the measures it offers, so a future decision could turn out differently; in any event this will remain a case-by-case assessment.

That personal data can be transferred when you least expect it is also shown by an even more recent decision on Google Fonts by a court in Munich (20 January 2022). Because the fonts are loaded from Google's servers, the visitor's browser contacts Google directly and the visitor's IP address is sent to Google, without the user having any choice in the matter. The court found this to be a violation of the GDPR (the data transfer question itself was not discussed in this case).

So what to take away from all this?

- Be careful with tools or features provided to you by non-EU companies: check where the data is sent and opt for an EU alternative where possible (there are many these days, you would be surprised) in order to avoid data transfers outside of the EU.

- If you start or continue using a non-EU product, you will need to perform a DTIA and, in addition to the SCCs, take sufficient and above all effective measures to safeguard the transfer of personal data.
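The first takeaway, checking where a website actually sends data, can be partly automated. The script below is an added example and is not code from Astrea or from any of the providers discussed: it lists every third-party host that a page instructs the browser to contact on load (script, stylesheet, image and iframe references, plus absolute URLs inside inline style and script blocks), since each such request discloses at least the visitor's IP address to that host, which is exactly the mechanism at issue in the Google Fonts decision. The hostname-to-provider mapping is a hypothetical starting list built from the tools named in this article, and the sample page is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical mapping of hostnames to the providers discussed in the article.
# Illustrative only, not an exhaustive or authoritative list; extend it with
# the hosts your own DTIA identifies.
KNOWN_PROVIDERS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "js.stripe.com": "Stripe",
}

# Absolute http(s) URLs inside inline <style> / <script> blocks (e.g. CSS @import).
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")


class ResourceCollector(HTMLParser):
    """Collect every URL a browser fetches automatically when rendering the page."""

    # Tag -> attribute that triggers an automatic request on page load.
    AUTO_FETCH = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_raw_block = False

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._in_raw_block = True
        attr = self.AUTO_FETCH.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._in_raw_block = False

    def handle_data(self, data):
        # Inline CSS/JS can pull in third-party resources as well; Google Fonts
        # is often included via @import in a <style> block.
        if self._in_raw_block:
            self.urls.extend(URL_RE.findall(data))


def external_hosts(html, site_host):
    """Return {host: provider_or_None} for every host other than site_host that
    the page makes the browser contact. Each request discloses at least the
    visitor's IP address to that host."""
    collector = ResourceCollector()
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlparse(url).netloc.lower()
        if not host or host == site_host.lower():
            continue  # relative path or first-party resource: no third party involved
        found[host] = KNOWN_PROVIDERS.get(host)
    return found


def report(html, site_host):
    """Human-readable summary; hosts not in the mapping are flagged for manual review."""
    lines = []
    for host, provider in sorted(external_hosts(html, site_host).items()):
        lines.append(f"{host}: {provider or 'unknown provider, review manually'}")
    return lines


# Constructed sample page (not a real site) using the tools mentioned in the article.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@import url("https://fonts.googleapis.com/css?family=Lato");</style>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn.example-eu.eu/lib.js"></script>
<img src="https://www.example.org/logo.png" alt="">
</head><body></body></html>"""

if __name__ == "__main__":
    for line in report(SAMPLE_HTML, "www.example.org"):
        print(line)
```

Run against the sample page with `www.example.org` as the first-party host, the report lists Google Fonts (found both via the `<link>` and the `@import`), Google Tag Manager and Stripe, and flags `cdn.example-eu.eu` for manual review. A static scan of the HTML is only a starting point: scripts loaded at runtime can trigger further requests, so for a real DTIA the list should be confirmed against the browser's network log, and the legal analysis of each host (where the provider is established, which safeguards apply) still has to be done by hand.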

Our data protection team is happy to assist you with any questions you may have regarding data transfers.