5 Things to Know About Google Analytics, Transfers and Schrems II – JD Supra

Here are five things you should know about Google Analytics, transfers and Schrems II.

1. Down to Middle Earth We GoBrush up on your J.R.R. Tolkien because Datatilsynet in its new guidance on cloud providers, says you have to know all of your cloud provider processors and sub processors and sub-sub processors until you hit the hobbits in Middle Earth. This was expected based on the European Data Protection Boards Schrems II guidelines. Like a Keto diet, this is simple to understand but incredibly hard to do.

2. Supervisory Authorities Are People TooAnd they are having a hard time enforcing the Schrems II cases, in part because they are aware of how complicated compliance is and, in part, because it is also hard for them. They lack the resources to check if what the controllers said about the sub- and sub-sub- and sub-sub-subprocessors (you get the point) is actually true.

3. Trickle Down Schremsnomics:It is clear that compliance is hard. Right now, a lot of companies are relying on large processors and unable to get either the information or the compliance concessions they want. Maybe with cases like Microsoft and Zoom for the Netherlands government, DPIA and the new European Data Protection Supervisor MS 365 initiative, the work and changes made will start trickling down (or up) and be available up the chain to the SME processors or controllers who need it.

4. Keep Idealistic and Comply OnThere is no risk base in transfers and this is a key aspect of EU law (as opposed to the more pragmatic American approach). However, this does not mean you should just give up and do nothing. While the law doesnt allow for a risk-based approach, the enforcement by the supervisory authorities might. They could consider, for the purpose of issuing fines, the scope of the transfer, the nature of the data, the measures implemented, whether or not you have alternative services that you considered, etc. And this may result in a grace period to comply, reduce fines, no fines etc.

5. Better Accurate Than SorryThe worst thing you can do is say that you may be transferring personal data or you may be processing X or may be using marketing cookies when you really arent. This is a Chapter V GDPR transfers violation because, per the Court of Justice of the European Union and the European Data Protection Board, you need to know your transfers. Datatilsynet cloud guidance agrees. And its an Art 12 GDPR transparency violation (said Data Protection Commission Ireland in WhatsApp & Facebook cases). The California Attorney General and Federal Trade Commission dont like this very much in the US either.

[View source.]

View original post here:

5 Things to Know About Google Analytics, Transfers and Schrems II - JD Supra