Here are five things you should know about Google Analytics, transfers and Schrems II.
1. Down to Middle Earth We Go
Brush up on your J.R.R. Tolkien because Datatilsynet, in its new guidance on cloud providers, says you have to know all of your cloud provider processors and sub-processors and sub-sub-processors until you hit the hobbits in Middle Earth. This was expected based on the European Data Protection Board’s Schrems II guidelines. Like a Keto diet, this is simple to understand but incredibly hard to do.
2. Supervisory Authorities Are People Too
And they are having a hard time enforcing the Schrems II cases, in part because they are aware of how complicated compliance is and, in part, because it is also hard for them. They lack the resources to check if what the controllers said about the sub- and sub-sub- and sub-sub-subprocessors (you get the point) is actually true.
3. Trickle Down Schremsnomics
It is clear that compliance is hard. Right now, a lot of companies are relying on large processors and are unable to get either the information or the compliance concessions they want. Maybe with cases like Microsoft and Zoom for the Netherlands government, DPIA and the new European Data Protection Supervisor MS 365 initiative, the work and changes made will start “trickling down” (or up) and be available up the chain to the SME processors or controllers who need it.
4. Keep Idealistic and Comply On
There is no risk-based approach in transfers and this is a key aspect of EU law (as opposed to the more pragmatic American approach). However, this does not mean you should just give up and do nothing. While the law doesn’t allow for a risk-based approach, the enforcement by the supervisory authorities might. They could consider, for the purpose of issuing fines, the scope of the transfer, the nature of the data, the measures implemented, whether or not you have alternative services that you considered, etc. And this may result in a grace period to comply, reduced fines, no fines, etc.
5. Better Accurate Than Sorry
The worst thing you can do is say that you “may” be transferring personal data or you “may be processing X” or “may be using marketing cookies” when you really aren’t. This is a Chapter V GDPR transfers violation because, per the Court of Justice of the European Union and the European Data Protection Board, you need to know your transfers. Datatilsynet’s cloud guidance agrees. And it’s an Art. 12 GDPR transparency violation (said the Data Protection Commission Ireland in the WhatsApp & Facebook cases). The California Attorney General and Federal Trade Commission don’t like this very much in the US either.