The Schrems II Judgement (Privacy Shield invalidation)
The Court of Justice of the European Union (EUCJ) has ruled on the Privacy Shield certification for US businesses, effectively making it invalid as of July 16, 2020.
July 24, 2020
Update: In response to Schrems II, we've now launched EU Isolation.
Another update: In response to Schrems II, the Austrian DPA ruled that Google Analytics is illegal.
We have closely followed the Court of Justice of the European Union (EUCJ) ruling on the Privacy Shield certification for US businesses, effectively making it invalid as of July 16, 2020. The ruling has a significant impact on numerous businesses across the world.
Several data protection authorities (DPAs) across the EU have provided statements on the ruling. However, there is no unified conclusion or advice on how to manage it on a practical level. The ICO, the UK's DPA, advises for example to "please continue to (rely on the Privacy Shield) until new guidance becomes available".
What is Fathom Analytics doing?
We constantly monitor relevant changes to privacy regulations with a global impact, such as the GDPR and the coming ePrivacy Regulation. We also did a thorough GDPR review in May-June this year and appointed a Privacy Officer. We reviewed all data processors (including sub-processors), data flows, the personal data we process, legal grounds, retention periods and more, to ensure we comply with the GDPR in the best way possible.
Today, we process some personal data in the US (we now process EU visitor data on EU servers owned by EU companies). We will pay close attention to what European DPAs and the European Data Protection Board will advise going forward.
In the meantime, we have taken the following immediate actions
- We have familiarized ourselves with the ruling and the background for it
- We're in close dialogue with our Privacy Officer, a European based GDPR and privacy consultancy, on the practical implications for our company
- We're reviewing our current personal data inventory and data processors (including sub processors)
- We're reviewing our privacy risk assessments and will update these according to the ruling
- We have reached out to data processors we know are affected by this, and are awaiting their feedback
- We're reviewing other necessary actions continuously
As always, privacy is at the core of everything that we do at Fathom Analytics, and you can be certain that we take this ruling seriously. We will update this page going forward with further actions that might be necessary.
If you have any questions, feel free to contact us.
- Court of Justice of the European Union press release site where you can download a copy of the judgement
- The European Data Protection Board Statement on the judgement
- Max Schrems' privacy organization noyb with resources and FAQ's for both users and companies