Websites, profiles on social networks and online advertising campaigns can hardly do without the tools of two global giants: Google and Meta, be it Google Analytics, Google Ads or YouTube on the one hand, or profiles and campaigns on Facebook or Instagram on the other. Their use inevitably involves the transfer of data to the United States, which the service itself carries out and which the user essentially cannot prevent.

At first glance, recent decisions by European supervisory authorities seem to prohibit the use of these tools. Yet it is possible to set up web analytics and marketing, avoid spending a lot of money unnecessarily on lawyers, and still maintain the usual scope of activities.

Why is the data transferred?

Although most marketers and social network administrators would be inclined to say that they do not transfer any data to the United States, the problem is what actually counts as a transfer. It indisputably happens when the website operator enters data about its customers into a business targeting tool (to target specific people). Recently, however, the supervisory authorities have also held responsible operators who "just" put a third-party analytics tool on their site. Thus a Facebook plug-in alone is enough to make the operator responsible for the data obtained through it and for its further handling, including its collection by Facebook and its transfer to the USA.

Another frequent scenario is the creation of a profile on a social network with traffic monitoring and the running of campaigns on that network. Here, too, the operator shares responsibility for handling user data, for analysing their behaviour and for transferring the relevant data abroad for processing.

"Even if the operator of a particular tool is likely to be based in an EU country, namely Ireland for Meta and Google, it will pass the data on to the US parent companies for processing, often at your own risk," warns Lucy Palova, a specialist in IT law at the law firm Žižlavský.

How is the transfer handled legally?

Data can currently be transferred outside the European Economic Area (EEA) on the basis of so-called standard contractual clauses (SCC), a contractual instrument for the transfer of personal data outside the EEA. Their form changed, however, after the decision of the Court of Justice of the European Union (CJEU) in Schrems II [Judgment of the Court of Justice of the European Union of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, C-311/18]. In it, the court concluded that US surveillance programmes are not limited to what is "strictly necessary" and run counter to the EU's understanding of the proportionality principle.

According to the CJEU, the SCC, as a mere contractual instrument, cannot by itself sufficiently guarantee that the data will not be accessed by US authorities. The Court therefore requires that, whenever personal data are to be exported outside the European Union on the basis of the clauses, it is checked whether the law or practice of the destination country conflicts with the protective provisions of the SCC. "Therefore, it is necessary to carry out a so-called Transfer Impact Assessment (TIA), i.e. an assessment of the impact of the transfer on data protection," Palova adds. If such a conflict is found, the operator must implement additional measures (supplementary measures) that fill these gaps in data protection and ensure compliance with the level of protection required by European Union law.

The new standard contractual clauses, which reflect the outcome of the court's decision, must be adopted by December 28 this year, so time is running out. In addition to concluding these clauses, it is also necessary to take supplementary measures to protect the data.

How do I do it?

First, it is necessary to check the SCC templates used for data transfers to the United States: whether they are the 2021 version, and whether they have been completed in the correct configuration. The clauses contain four modules covering the possible combinations of controller and processor roles. "Two scenarios usually come into play. If you use Universal Analytics, you are more likely to be a controller. If you put an advertising plug-in on a website, or if you run a page on a social network, it will be a joint controller position," says attorney Bohuslav Lichnovsky of Gali Legal, adding that the tool provider often supplies SCCs as part of the contract, which takes care of this step.

The next step is an internal assessment of the impact of the transfer on the protection of personal data, i.e. the transfer impact assessment mentioned earlier. This document needs to describe the scope of the data transfer and assess whether there are laws or practices in the destination country outside the EEA that could undermine the data protection measures in the SCC. If there are, it must describe adequate measures taken beyond the SCC, if they can be taken effectively at all. It must also determine who is responsible for the transfer's compliance with the GDPR and how it will be assessed that the procedures are still adequate. Lichnovsky describes the complexity of the process: "We spent about a month doing our first assessment." The EDPB recommendations can help, but it is much easier to turn to someone who already has similar experience.

If the assessment shows that data can be transferred on the basis of the SCC, it is necessary to verify that all processing conditions are properly described in the annexes to the clauses (who is the controller and who the processor, what data is transferred, and how the transferred data is protected). Here, too, the SCCs supplied by the tool provider as part of the contract can be used.

The response of the regulatory authorities

To complicate matters, the aforementioned tech giants, as tool providers, have proposed supplementary measures that protect not the data but their business model. The Austrian supervisory authority, and later the French one, concluded that in the case of Google Analytics the SCC and the data protection measures described in it are not sufficient to ensure the necessary level of protection for the transferred data. According to the regulators, the proposed measures do not prevent US authorities from accessing the processed European data. The use of this tool in the configuration examined is therefore prohibited.

However, these tools can still be used if adequate protection measures are taken. With Google Analytics, for example, it is possible to anonymise the forwarded IP addresses, turn off the "data sharing" and "Signals" options, and dispense with personal identifiers. Thanks to these measures, users can no longer be identified retroactively. Such measures taken by the website operator complement those under Clause 10.4 and Annex 2 of Google's terms and conditions, which Google applies by default.

This deals with the transfer of data within Google Analytics. If a website uses several tools, however, it is more appropriate to carry out the Transfer Impact Assessment (TIA) more broadly, explaining for each tool the specific data protection measures taken. This is partly a legal question (you need to know where the risk lies and what to avoid) and partly a technical one (how the tool works and how to reduce the risk).
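As an added illustration of the Google Analytics settings named above (my own code, not from the article or from Google), the following shows a Universal Analytics gtag.js configuration with the weak defaults beside the hardened form, a small audit helper, and a model of the IP truncation that anonymize_ip performs (last IPv4 octet, last 80 IPv6 bits, as Google documents it); the property id, the sample addresses and the helper names are assumptions.

```javascript
// Added example, not from the article or from Google. gtag.js parameters
// anonymize_ip, allow_google_signals and allow_ad_personalization_signals are
// real; the property id and helper names below are assumptions for illustration.

// Weak configuration: the gtag.js defaults (full client IP, Google Signals on).
const WEAK_CONFIG = {
  anonymize_ip: false,
  allow_google_signals: true,
  allow_ad_personalization_signals: true,
};

// Hardened configuration the article describes: IP truncated before storage,
// Google Signals (cross-device / ad data) and ad personalization switched off.
// The "data sharing" options live in the GA property admin, not in the tag.
const HARDENED_CONFIG = {
  anonymize_ip: true,
  allow_google_signals: false,
  allow_ad_personalization_signals: false,
};

// Report each setting that still leaves data exposed; an empty array means clean.
function auditConfig(config) {
  const findings = [];
  if (config.anonymize_ip !== true) findings.push('anonymize_ip off: full client IP sent');
  if (config.allow_google_signals !== false) findings.push('allow_google_signals on: Signals data collected');
  if (config.allow_ad_personalization_signals !== false) findings.push('allow_ad_personalization_signals on');
  return findings;
}

// Apply the config through gtag (window.gtag in a browser) and return the audit findings.
function configureAnalytics(gtag, propertyId, config = HARDENED_CONFIG) {
  gtag('config', propertyId, config);
  return auditConfig(config);
}

// Model of anonymize_ip: the last octet of an IPv4 address (the last 80 bits of
// an IPv6 address) is zeroed before the hit is stored, so the stored value can
// no longer single out one host.
function anonymizeIp(ip) {
  if (!ip.includes(':')) {
    const parts = ip.split('.');
    if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
      throw new Error('invalid IPv4 address: ' + ip);
    }
    parts[3] = '0';
    return parts.join('.');
  }
  const groups = ip.split('::');
  const head = groups[0] ? groups[0].split(':') : [];
  const tail = groups[1] ? groups[1].split(':') : [];
  if (groups.length > 2 || head.length + tail.length > 8) throw new Error('invalid IPv6 address: ' + ip);
  const full = [...head, ...Array(8 - head.length - tail.length).fill('0'), ...tail];
  // Keep the first 48 bits (three groups), zero the remaining 80.
  return full.slice(0, 3).map((g) => g.toLowerCase().replace(/^0+(?=\w)/, '')).join(':') + '::';
}
```

In a page, `configureAnalytics(window.gtag, 'UA-EXAMPLE-1')` sends the hardened config; the audit helper is what you would run over a tag configuration pulled from a site review.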

Where sensitive data such as health data, financial data or data on the precise location of data subjects are involved, a Data Protection Impact Assessment should also be carried out under Article 35 of the General Data Protection Regulation. This does not evaluate whether the data protection measures are adequate, but whether the intended processing is legitimate at all.

One last tip

The use of global analytics and marketing tools, as well as social networks, is essential to digital business these days. There are, however, relatively strict rules for using these tools, which larger organisations in particular must respect.

You probably need not expect the Czech Office for Personal Data Protection to pursue a start-up that is just launching its business and wants to know who is visiting its website, or that is creating a basic Facebook profile. But for an established company operating in the B2C sector, reliant on digital marketing and with tens of thousands of users, it is certainly not worth underestimating compliance in this area and thereby exposing the entire company to the risk of being halted by the regulator.

There is one more important caveat. The measures described relate to tools operated from the United States of America. If you are toying with the idea of using TikTok for your business, you need to be extra careful. TikTok does not even say where it transfers the data. Given the attention it has attracted from regulators, not only because of this approach, it seems it will not be treated with kid gloves. And that is something you definitely do not want to be responsible for.
