As our European friends across the channel awaken from the pandemic, they’re starting to revisit and resolve issues such as the GDPR. And, right now – more specifically – the data sovereignty aspect of the regulation.
In a recent, ground-breaking decision, the Austrian Data Protection Authority (known as the DSB) found that an Austrian website's use of Google Analytics violated the EU General Data Protection Regulation, because it transferred visitors' personal data to Google in the USA without adequate protection.
Following the DSB's decision (the DSB is Austria's equivalent of the UK's independent authority, the ICO), other EU member states are expected to follow. The decision is part of the ongoing fallout from the 'Schrems II' case, the consequences of which continue to reverberate around Europe and the US.
In 'Schrems II', the Court of Justice of the European Union invalidated the EU-US Privacy Shield, ruling that it no longer gave European businesses a lawful basis for sending personal data to the USA. The court also required businesses relying on standard contractual clauses to check that the law of the destination country does not undermine the protection those clauses promise, which is the problem for the USA and for any other country without an adequacy decision. EU and UK businesses have been left scrabbling to find alternative ways to protect data sovereignty.
What Is Personal Data Sovereignty?
Personal data collected or processed in a given geographical location must not be shipped or exported to countries that do not meet what is known as data protection adequacy, unless the transfer is covered by another valid safeguard (such as standard contractual clauses), and even then only if the data is in practice protected to an equivalent standard once it arrives.
Adequacy requires a country to uphold data subjects' rights and to meet certain levels of data protection and security. The EU and the UK both follow the GDPR and, while they may differ slightly on trade matters, both place unlawful transfers of personal data outside their territories in the highest tier of fines.
The data sovereignty aspect of the GDPR says you must not transfer personal data outside the European Economic Area (EEA) to a country that does not meet adequacy standards without a valid safeguard. Simply put, the law is there to protect you. You would not feel comfortable if your own personal data was being shipped to China, for example, where the state has broad legal powers to access data held within its borders.
In the wake of 9/11, the USA passed surveillance laws that give its intelligence agencies broad access to data held by US companies, wherever the servers sit. We can discuss the semantics, but the EU's top court has decided that this level of access is not essentially equivalent to the protection EU law requires, which for transfer purposes puts the USA in the same category as China: no adequacy.
Austria was the first to act, with the DSB's decision that the website's use of Google Analytics violated the GDPR.
What Does This Mean For Austrian Businesses?
It means the DSB has found that using Google Analytics in the way that website did is unlawful under Article 44 of the GDPR, because visitors' IP addresses and cookie identifiers are sent to Google in the USA without adequate protection. Austrian businesses relying on the tool are therefore left seeking EU or UK-based equivalent suppliers.
Is This Limited To Just Analytics Software?
No. Analytics tools might seem an unlikely first target, but they are the most widely deployed. Any application that holds personal data relating to individuals in the EU or UK, such as email addresses, contact details and IP addresses, is covered by the GDPR, and the same transfer rules apply to it.
But My USA/China-based Service Provider Has A Server In The EEA?
Google does say it uses servers located within the EEA, but that does not settle the matter. Google's engineering and support teams and core business operations work both inside and outside the USA, so it cannot give absolute assurance that data collected within the EEA or UK will never be processed in the USA. More fundamentally, US surveillance law applies to Google as a US company regardless of where the server sits, because the obligation to hand over data follows the company, not the hardware. Saying 'we have servers in the EU or UK' is no longer good enough.
How Likely Is It That The Rest Of Europe Will Follow This Decision?
The answer, unfortunately, is very likely. The Austrian case is one of 101 near-identical complaints filed across the EU, and the European Data Protection Board (EDPB), which coordinates the member states' supervisory authorities to ensure the GDPR is applied consistently, has set up a task force to handle them together. Other member states' authorities are therefore expected to reach the same conclusion as the DSB.
What Does This Mean For UK Business?
Whilst the UK is no longer a member state of the EU, it mirrors the GDPR in what is now called the 'UK GDPR'. This is extremely important because, for UK businesses to continue to exchange personal data with European organisations in a safe and acceptable manner, the UK needed the EU to recognise it as adequate.
The ICO publishes specific guidance on its website on transferring data to and from the EU and the rules surrounding adequacy.
The EU's adequacy decision for the UK in 2021 was monumental and a very big win for the UK, although it comes with a sunset clause and falls due for renewal in 2025, so the UK has every incentive to stay aligned. It is therefore likely that we will act in unison with our European counterparts when it comes to dealing with the likes of Google.
What Should UK Businesses Be Doing Now?
As a UK organisation, we are taking note and watching closely as this position plays out in the EU. UK businesses should also be selecting commercial suppliers that operate within our territory, and checking where their existing suppliers actually process data, not just where the servers are.
Data is not something that brands and their marketing departments should play fast and loose with. The ICO, under the UK GDPR, can impose considerable fines, and non-compliance with the transfer provisions falls into the tier for which the maximum administrative fine can be imposed, a cost that far outweighs any convenience gained from an overseas supplier.
Check out our 'Why Force24?' section to understand how we can fully support you, and your data. Or head over to our free, downloadable Compliance statement to underline the work we've carried out in order to follow the GDPR.
Force24 is a UK-owned and operated business, supporting over 5,000 marketeers every day in communicating with customers, and we circulate in excess of 20 million emails a month. Our GDPR-compliant environment gives you total peace of mind, so whatever the EU and the ICO decide, your data is in safe hands with us.
For more information about how our platform can help you secure your data, call 0845 272 5990 or email email@example.com