When it happened, it went surprisingly silent. On 16.07.2020, the Court of Justice of the EU (CJEU) announced that the Privacy Shield agreement is ruled out and due to that not active anymore.
Yes, business as usual, it was taken up and written about all news outlets but not in great depths. It was more like extending what news agencies like Reuters were written. There were no debates, long opinionated articles, and no real analysis of what this means for companies and users.
And that’s surprising. The end of the privacy shield can be more significant than GDPR. But let’s wait a bit before we look into that.
Privacy Shield is an agreement the EU and US signed that enables companies to share user data across each region. It means that you can track user data with Google Analytics in Europe, and the data can be sent and rest on US servers. And vice versa.
For all you who are young and restless and maybe can’t remember this, Privacy Shield is not the first of this kind of agreement. It had a predecessor called Safe Harbour. And you might guess it, Safe Harbour went the same way like Privacy shield now. It was ruled out by the EUGH (also initiated by Max Schrems).
After Safe Harbour was ruled out in 2015, the EU commission and the US government sat down and crafted Privacy Shield. It became active six months afterward. Everyone in the ad or data business was sighing in relief. But to be honest, most of them did not notice that there was a ruling out and something new replacing it.
So what now?
First of all, take some time and read this: https://researchinstitute.at/files/583-memory-business/text/empfehlungen_stellungnahmen/RI_Recommendation_EuGH_Schrems%20II_Privacy%20Shield+SCC_29.07.2020_EN.pdf
And don’t skip through it, read it slow and well. It is a well-written text from a legal perspective I can’t give because I have no legal background.
And trust me, I wouldn’t say I like to read about legal subjects either. But now you have to because it might affect your daily business dramatically.
Citing this paragraph:
“These are now illegal according to the ECJ judgement and should be replaced as soon as possible. This applies in particular to “Google Analytics”, also in the “anonymised” variant.”
Using any analytics service that sends data into the US (or other countries outside of the EU – hello the UK) gets you at least in a grey area, if not further. These services include tools like Google Analytics, Adobe Analytics, Mixpanel, Amplitude, Segment, Hotjar, you name it.
Yes, there is that part with the contractual clauses, but as written in the post:
“Many US services are currently still justified by SCC after the annulment of the “privacy shield”, e.g. Microsoft or Apple. In our opinion, this justification will be removed by the EU data protection authorities in major cases within 6-12 months.”
We are definitely in uncharted waters at the moment.
The EU Commission announced that they would take up the talks with the US government to come up with a successor of Privacy Shield (as we know that went well the last time).
But it’s not 2015 anymore. There is no Obama administration they can talk to. There is a government that manages economic relationships in deal-terms.
And let’s be honest. The EU commission might not have the highest motivation to offer something big for such a deal. The EUGH verdict fits into the EU strategy to bolden user rights over their data. It also sends a strong signal to China (yes, I know TikTok data don’t end up there – as far as we know it).
One thing is waiting for what will happen to the contractual clauses. If the CJEU rules them out as well, you very likely can’t send user data to US servers.
So what will happen to the US-based analytics services?
When it comes to the big ones like Google Analytics, I predict they do the same they have done for GSuite. They will offer that analytics data is saved on EU servers. They have the infrastructure with the Google Cloud already. Compared with other services, it will be a snap for them. The EU option will be available for 360 customers. What about the free ones? I don’t know. And it’s just my prediction. I have no internal insights.
What about the other tools. They have to go the same way. Establishing EU server options is the safest way for a future-proof setup. Will it be easy for them. That depends a lot on how they have built their stack. Most likely, all of them are on the big cloud services. All clouds offer EU based servers. So the basement is there, but you have to create a mirrored service that will serve the EU customers and the rest of the world.
What should you do?
First of all, don’t ignore the topic. Follow the news, speak with your vendors, and at some point, get legal advice from people who know this stuff.
Include data ownership as an item in your data strategy. Make research what could be analytics stacks that are 100% future-proof. What would a migration mean? Maybe start with some test setup. Begin to build a proofed second stack beside the existing one.
The dawn of data ownership analytics services
Services like Snowplow Analytics or Matomo have been niche products until today. Snowplow for the sophisticated companies that wanted 100 control over data handling and quality. Matomo for all organizations that wanted a high level of data privacy standards.
Why are they no tool for the masses, so far?
Both need more involvement and resources than just putting a script on a website. Yes, Piwik Pro (offering a fork of Matomo (aka the former Piwik) as managed service). But coming from Google Analytics, working with Matomo/Piwik is still 1-2 steps down.
But all this can change now.
If you want to create a future-proof analytics setup, you should have a look at both services. Snowplow for mid to big-size companies and Matomo for small ones.
Even when there will be a successor of Privacy Shield or the analytics services offer an EU based service, there is always the risk that it will be ruled out again.