Following the invalidation of Safe Harbor in 2015, organizations have based their decisions to allow data transfer to US entities on the conditions prescribed in the Privacy Shield Agreement. Unfortunately for many private and public organizations (but luckily for EU citizens’ privacy), the Privacy Shield Agreement was invalidated on July 16th, 2020 in a case referred to as Schrems II, led by Max Schrems, a lawyer and activist who was a student at the time of the initial challenge.
The consequence for organizations that are out of compliance with GDPR is the risk of being heavily fined if they transfer data to the US on the now invalidated legal basis of the Privacy Shield Agreement or Standard Contractual Clauses (SCCs).
More specifically, data controllers cannot use joint controllers, processors or sub-processors that are located in the US or controlled by a US entity. There are exceptions, but the local controller must check legitimacy on a case-by-case basis.
Most common US providers are targeted by FISA. This includes US “electronic communication service providers” and any data flowing to or through the US unless it is secured against wiretapping by the NSA. Servers that are located in the EU but have ties with a US company fall into the same category.
More information is provided by Max Schrems and NOYB on their website which federates consumer rights groups, data activists, and data protection initiatives: https://noyb.eu/en/next-steps-eu-companies-faqs
Still, public organizations and companies today obviously continue to use these services, without users explicitly consenting to the transfer of their personal data or agreeing that such data would be subject to US mass surveillance programs.
Even the monopolistic office suite giant has been caught tracking users and transferring data to the US through “telemetry”, explaining that economic harm would result if “off” is the default setting for the “Connected Experience”. Clearly, it would not be worth safeguarding users’ privacy in their eyes.
Because of their responsibility towards citizens and their accountability in protecting personal data, public institutions have a critical part to play. They need to set the example for all organizations by choosing EU-based suppliers which not only offer local data residency, but are also privacy-friendly.
The Swedish Privacy Protection Agency even advises companies against using Microsoft’s popular cloud services, Azure AD and Teams.
The Swedish Tax Agency and the Swedish Enforcement Agency decided in May 2021, as part of the Swedish member-led organization eSam, to analyse collaboration platforms as alternatives to Teams. They concluded that: “Although it has not been possible to describe the entire market in an exhaustive way, we can clearly see that there are suitable and legal alternatives to US cloud services. Some solutions even seem to perform better and are already used today by several organizations in the public sector, some for a few years now while others have been used during the pandemic”.
According to the Austrian data protection authority, the guarantees given by Google Analytics are insufficient to effectively prevent US intelligence services from accessing personal data, as the European Union’s GDPR requires.
NOYB, the NGO mentioned above, has submitted about a hundred privacy cases in almost every country in the EU. It is highly probable that similar decisions will be made in other countries in the months ahead.
If you’re reading this article, you may be interested in checking whether your Digital Experience Monitoring solution is fully GDPR compliant and making sure your data is not subject to US surveillance.
When it comes to monitoring the experience provided to users of digital services, there’s clearly a temptation to collect data about users’ behaviour; nevertheless, the focus should be on the website or application and the performance it delivers.
Soon after the Schrems II decision, the city of Stockholm in Sweden looked for alternatives to measure the experience delivered to users as well as the response times of its e-services. While Google Analytics was being used prior to the invalidation of the Privacy Shield Agreement, the city of Stockholm found in Ekara extra benefits to further improve their application lifecycle and development processes.
In the Nordics region, Ekara is already a supplier to such major public organizations as the city of Helsinki, the Finnish electronic social and health care record (Apotti), the regional public transportation authority of the Skåne region, the Swedish Civil Contingencies Agency (MSB), and many others.
Together, we believe that we can help all organizations, whether public or private, to protect the privacy of their users in the European Union and beyond.