Data transfers from the EU to the US are no longer valid under the Privacy Shield agreement. If you use US-based services like Google Analytics or Facebook, then the EU Court’s decision also applies to your website. Here’s how to check whether your website sends data to insecure third countries and the US.
You may have heard.
On July 16, 2020, the European Court of Justice (CJEU) declared the EU-US Privacy Shield invalid.
But what does that really mean for you if you use third-party cookies on your site? And how can you check if these cookies send data from the EU to the US?
What does the Privacy Shield invalidation mean for you?
It means that you can no longer rely on the EU-US Privacy Shield agreement for any transfers of personal data from the EU to the US.
It means that you need to find other appropriate safeguards for transferring data to the US.
It means that you should determine which cookies on your websites are sending personal data back to their US-based owners.
What should you do now?
First of all, if you use any type of software, cloud service or cookie-setting service on your website that shares data with its US-based provider, the CJEU decision applies to you.
Looking specifically at website cookies, it’s important first to get an overview of the cookies your website places on your users’ computers.
These can be your own (first-party cookies) but also cookies from programs, add-ons and services you use on your website, e.g. Google Analytics, Facebook Pixel, social media share/like buttons etc.
What to do?
- Get an overview of where your cookies send data
- Decide on measures for data transfers to the US and other third countries
When you know exactly where all cookies send data, you can decide whether to use Standard Contractual Clauses (SCC) for data transfers or stop using the US-based services.
How can you monitor which cookies send data to the US?
Cookie Information has developed a tool to monitor where your website cookies send data to.
With our Compliance Dashboard, you can easily get an overview of all your cookies on all your websites. You can get insights on illegal data transfers and act on them.
If you are already a Cookie Information customer, contact us to learn how you can monitor data flows more easily.
If you are looking for a consent solution that is both GDPR compliant and gives you insights into data transfers which pose a compliance risk to your company, don’t hesitate to contact us.
Why can’t you transfer data to the US?
It all started with an Austrian lawyer who in 2013 complained to the Irish Data Protection Authority that Facebook Ireland transferred his personal data to the US for processing.
The lawyer, Schrems, was not satisfied that his personal data was protected from the substantial surveillance of the US authorities.
So, after the European Court of Justice (CJEU) in 2016 declared the Safe Harbor to be an invalid data transfer method, the European Commission approved Privacy Shield as a replacement for data transfers between the EU and US.
However, the CJEU has now ruled that Privacy Shield is not a valid mechanism for data transfers between Europe and the United States of America.
The reason is that US-based data processors cannot guarantee that data will not be subject to US surveillance. The US does not provide EU residents the same level of protection required in the GDPR.
In the same decision, the CJEU approved Standard Contractual Clauses as valid for data transfers, yet it’s still unclear whether this alternative transfer mechanism can be used, since the US authorities continue to have the same access to EU citizens’ personal data.
It will not be sufficient merely to use the Standard Contractual Clauses (SCC) as a method of data transfers between the EU and the US and go about your business.
Data controllers, i.e. website owners, need to conduct in-depth due diligence in relation to the security standards adopted by the US-based data importer and make sure the privacy laws in the third country secure EU citizens’ data the same way as the GDPR.
The European Commission is reviewing the Standard Contractual Clauses (SCC) and we expect a clarification on data transfers to the US will be forthcoming. Until that point, using the current SCC can be risky and you need to assess the risks of sending personal data to the US.