Privacy Shield now illegal – What about cookies?

Data transfers from the EU to the US are no longer valid under the Privacy Shield agreement. If you use American-based services like Google Analytics or Facebook, then the EU Court’s decision also applies to your website. Here’s how to check if your website sends data to insecure third countries and the US.
You may have heard.

On July 16, 2020, the European Court of Justice (CJEU) declared the EU-US Privacy Shield invalid.

But what does that really mean for you if you use third-party cookies on your site? And how can you check if these cookies send data from the EU to the US?
Questions about your Cookie Information Solution and Privacy Shield? Or are you looking for a professional Cookie Consent Solution to monitor data transfer to insecure third countries?

Then contact us at Cookie Information.

What does the Privacy Shield invalidation mean for you?

It means that you can no longer rely on the EU-US Privacy Shield agreement for any transfers of personal data from the EU to the US.
You need to find other appropriate safeguards for transferring data to the US.
And it means that you should determine which cookies on your websites are sending personal data back to their US-based owners.

What should you do now?

If you use any type of software, cloud service, or cookie-setting service on your website that shares data with its US-based provider, the CJEU decision applies to you.
Looking specifically at website cookies, it’s important to get an overview of the cookies your website places on your users’ computers.
These can be your own (first-party) cookies. But they can also come from programs, add-ons, and services you use on your website, e.g., Google Analytics, Facebook Pixel, social media share/like buttons, etc.
When you know exactly where all those cookies send data, you can decide whether to use Standard Contractual Clauses (SCC) for data transfers or stop using the US-based services.

How can you monitor which cookies send data to the US?

Cookie Information has developed a tool that monitors where your website cookies send data.

With our Compliance Dashboard, you can quickly get an overview of all your cookies on all your websites. You can get insights on illegal data transfers and act on them.

If you are looking for a consent solution that is both GDPR compliant and gives you insights into data transfers that pose a compliance risk to your company, don’t hesitate to contact us.

Why can’t you transfer data to the US with Privacy Shield anymore?

It all started with an Austrian lawyer who, in 2013, complained to the Irish Data Protection Authority that Facebook Ireland transferred his data to the US for processing.
The lawyer, Schrems, objected that his personal data was not protected from the substantial surveillance of the US authorities.
After the European Court of Justice (CJEU) in 2016 declared the Safe Harbor to be an invalid data transfer method, the European Commission approved Privacy Shield as a replacement for data transfers between the EU and US.
However, the CJEU has now ruled that Privacy Shield is not a valid mechanism for data transfers between Europe and the United States of America.
Why?
Because American-based data processors cannot guarantee that data will not be subject to US surveillance. The US does not provide EU residents with the level of protection that GDPR requires.
In the same ruling, the CJEU confirmed that Standard Contractual Clauses are valid for data transfers. Yet, it’s still unclear whether this alternative transfer mechanism can be used since the US authorities continue to have the same access to EU citizens’ data.
Also, it will not be sufficient merely to use Standard Contractual Clauses (SCC) as a method of data transfers between the EU and US and go about your business.
Data controllers, i.e., website owners, need to conduct in-depth due diligence concerning the security standards adopted by the US-based data importer, and make sure the privacy laws in the third country secure EU citizens’ data in the same way as the GDPR.
The European Commission is reviewing the Standard Contractual Clauses (SCC). We expect a clarification on data transfers to the US will be forthcoming. Until that point, using the current SCC can be risky, and you need to assess the risks of sending personal data to the US.