Frequently asked questions regarding EU rules for data transfer and the use of analytics services
More than 6 months have passed since the CJEU revised the rules for transferring personally identifiable information (PII) from the EU to the US. In that time, it’s become clear that there exists a great level of uncertainty as to how the new rules are meant to be interpreted and applied.
In this article, you’ll find the questions we most frequently come across, along with answers based on information taken from the EU, the Swedish Authority for Privacy Protection (IMY), and statements from experts in the field. In the context of this article, the term ”data transfer” and its derivatives refer specifically to the transfer of personally identifiable information (PII).
Please note that these answers apply primarily to companies and organisations based in Sweden, and to an extent those based in the EU. Also note that while the answers presented in this article are based on information from official and reputable sources, they do not constitute binding legal advice.
Question 1: Can we still use Google Analytics in the EU?
Answer: No. There’s no doubt that Google Analytics is a very competent analytics toolset. Unfortunately, it transfers PII, in the form of IP addresses, to the US, and does so in a way that, at time of writing, violates EU regulations for data transfer.
Question 2: Why did the EU revise the rules for data transfer?
The short answer: To ensure EU citizens’ right to privacy.
The longer version: On the 16th of July 2020, the CJEU presented a ruling which terminated the so-called ”Privacy Shield” framework. The framework was designed to simplify the requirements for transferring PII from the EU to the US. However, as part of their ruling, the CJEU stated that the Privacy Shield agreement did not provide sufficient safeguards to ensure that EU citizens’ right to privacy were protected when their data was transferred to the US; something that the General Data Protection Regulation (GDPR) requires for data transfer to be permitted.
As a result of the court’s decision, software and other services that transfer PII to the US must now comply with new, much stricter, regulations.
Question 3: What analytics services are we allowed to use under the new rules?
Answer: Unfortunately, there is no exhaustive list of which services are approved for use in the EU. However, you can avoid many potential problems by choosing a service provider/supplier based in the EU, that also doesn’t transfer PII to countries outside of the union.
Question 4: Our service provider is based outside the EU, but the data is transferred to a subsidiary or branch located in a EU member state. Is that OK?
Answer: That depends entirely on which country the service provider is based in. If the country in question has laws that makes it impossible for the provider to live up to the data protection requirements in the GDPR, then the answer is likely to be ”No”.
If the provider is based in the US, you also have to take US electronic surveillance legislation into account, as it generally applies to all the provider’s subsidiaries and affiliates, even if they are located in the EU. It was partly because of this type of legislation that the Privacy Shield framework was terminated.
Question 5: Are only analytics services and software affected by the new rules?
Answer: No. Many types of software and services are affected, such as cloud storage services, and advertising and marketing toolsets.
Question 6: Does this mean we can’t use SaaS-/web-based software and services at all?
Answer: You can still use SaaS-/web-based services. You just have to ensure that any transfer and handling of PII is done in a manner which is approved within the EU. However, do note that the ultimate responsibility for the security of such data rests with you, even when it is being handled by a third party on your behalf.
Question 7: What are the possible consequences if someone continues to use software and services that are no longer allowed?
Answer: Violating the GDPR can lead to fines. As an example, the Norwegian data protection authority, Datatilsynet, recently fined a US-based company approximately $11.7 million for GDPR violations.
The Swedish Authority for Privacy Protection (IMY), previously known as the Swedish Data Protection Authority, is, at time of writing, conducting an investigation of several Swedish companies as a result of their use of Google Analytics after the CJEU court ruling in July 2020.
Do you have questions that were not covered in this post? Or would you like to know more about our services and analytics software, all approved for use in the EU? Email us at firstname.lastname@example.org, or call us at +468 545 888 60. We look forward to hearing from you!