There’s no denying that the (lack of) compliance with the General Data Protection Regulation (GDPR) has become the subject of heated discussion of late. Of course, data privacy might not be your favourite subject, but complying with the rules is of utmost importance. That’s why we made this page: to reiterate why it’s important, let you know what you can do, and tell you what resources we offer to help you.
What is GDPR?
The GDPR officially came into existence in 2018 and is now the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organisations anywhere, if they target or collect data related to people in the EU. All organisations are required to be compliant, and there are harsh fines for noncompliance. Read an easy-to-digest overview of what the GDPR is here, or take a look at the full GDPR report.
GDPR and data analytics tools
Of course, all data analytics tools (European and non-European) have to follow the strict GDPR rules too. Recently, the popular (and free) Google Analytics tool made the news when an Austrian court ruled that it was not GDPR compliant.
Our DPO (data protection officer), Darko, explains how this problem came to light: “It all started when the Privacy Shield was declared invalid thanks to Schrems II, a decision of the Court of Justice of the European Union (CJEU). The ruling stated that cloud services hosted in the US are incapable of complying with the GDPR and EU privacy laws, because of the US surveillance law. Following this, NOYB (a non-profit organisation called None of Your Business) filed 101 complaints regarding data transfers from EU-based websites to Google and Facebook in the US. Instead of adapting to the GDPR and EU laws, most US companies ignored the EU Court of Justice and relied on ‘Standard Contract Clauses’ to continue data transfers across the Atlantic. So, the fallout from the Austrian ruling is an indication that GDPR is working in practice.”
So the recent GDPR issues are not limited to Google Analytics; in a much broader sense, they concern any company that stores data outside the European Union.
Transatlantic data storage
So, what part of shipping data from Europe to the States breaches the GDPR? Simply stated, when American companies transfer personal data (such as IP addresses) of people in the EU to the States, they have to make sure this data is protected against unauthorised and unlawful processing, as required by the European Union’s General Data Protection Regulation. However, it seems that this overseas-transmitted data is not protected, because US intelligence agencies can potentially access huge amounts of it: data held on people living outside the US is not protected as well as data on those living within it.
Smartocto and GDPR
We don’t have a crystal ball saying what the future of Google Analytics or non-European data transmissions will look like. Of course, as there is no clear conclusion yet, you could elect to sit it out and wait for a solution or verdict to appear.
However, if you are using Google Analytics (or any non-European data service, for that matter) and it transpires they are not storing their data in Europe, you could be (unwittingly) breaking the law. So take a critical look at where your data provider stores data, and maybe consider European alternatives. Switching analytics is time-consuming and expensive, but ‘going European’ is likely the smart move and will save you issues in the long term.
If you have any questions, don't hesitate to reach out. And if you want to see our product in action: get a demo!