Schrems II Compliance
Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding GDPR compliance, please forward this page to your legal team.
Back in 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield framework. This meant that many companies across the world could no longer rely on the EU-U.S. Privacy Shield as a legal transfer mechanism to bring the personal data of EU data subjects to the USA (and remember, an IP address is considered personal data under the GDPR).
On this page, we’ll be speaking specifically about cookie-free analytics (like Fathom). We cannot comment about how the Schrems II ruling affects other businesses, as there is a lot of nuance around this area, but we can talk about how it affects analytics providers.
Other analytics companies have made huge errors in judgment, and have considered themselves compliant because they have infrastructure located in the EU. But if that infrastructure is owned by a US company such as Amazon Web Services (AWS), DigitalOcean, Linode, or Google Cloud, that cloud server can be compromised by the US government, making it impossible to comply with Schrems II.
For Fathom, we were processing IP addresses (personal data under GDPR) on our US infrastructure up until late 2021. Whilst we don’t store any Personal Data, it still touched those servers. To comply with Schrems II, we needed to stop processing pageviews from EU visitors on our US-owned servers.
We knew that we couldn’t simply deploy servers in Germany via AWS or DigitalOcean, as that wouldn’t solve the compliance challenge. Sure, the data doesn’t technically leave the EU, but the US government could compel a US cloud computing provider to provide access to that EU server, and that could put data subjects at risk.
We built a feature called EU Isolation, and here is what it does:
- We’ve moved all pageview/event collection to a content delivery network owned by an EU company (bunny.net). This company deploys servers in over 70 locations.
- We have deployed a new cluster of servers in Germany and Iceland, on servers owned by a German company (not a US company!).
- These servers are managed by our EU partners, and no US service or individual has any kind of access to these servers. We take this to the extreme, and we don’t even let services like GitHub (US owned) have access.
- All EU traffic is routed to our EU servers by default. These servers then convert the IP address to a hash using a secret hash salt (similar to an encryption key, except that a hash cannot be reversed). The only way to break our hash would be to gain access to our EU secret hash salt and then brute force the hashes. A sample of the hash: 6faf9f678f9e26e744488c6d7be13f894069c7a189d54df2ac46ff1d7687e494
- Brute-forcing a 256-bit hash would cost 10^44 times the Gross World Product (GWP); 2019 GWP was US$88.08 trillion ($88,080,000,000,000). So Recital 26 of the GDPR is very relevant here.
- The US servers only ever receive this hash, and the IP address of EU traffic is completely stripped away, meaning no Personal Data ever touches our US servers.
- The hash salt we use exists only on those EU servers; we don’t even hold it here in Canada.
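As an added illustration (not Fathom’s code; the page does not say which hash construction is used, so HMAC-SHA256 is assumed, as are the record field names), here is how an EU tier can replace a visitor’s IP address with a salted hash before forwarding the record, together with a US-side guard that rejects any record still carrying a raw IP:

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed example: the salt is generated and held only by the EU tier.
# If it ever leaked, the IPv4 space (2^32 addresses) is small enough to enumerate,
# so the secrecy and EU-only location of the salt is the whole protection.
EU_SECRET_SALT = secrets.token_bytes(32)


def normalize_ip(ip: str) -> str:
    """Canonicalise the address so textual variants of one IP hash identically."""
    return str(ipaddress.ip_address(ip))


def hash_ip(ip: str, salt: bytes) -> str:
    """Keyed hash of an IP address: 64 hex chars (256 bits), like the sample above.
    HMAC-SHA256 is an assumption; the page only says 'hash with a secret salt'."""
    return hmac.new(salt, normalize_ip(ip).encode(), hashlib.sha256).hexdigest()


def eu_process(pageview: dict, salt: bytes) -> dict:
    """EU tier: strip the raw IP and attach its hash before the record leaves EU servers."""
    record = {k: v for k, v in pageview.items() if k != "ip"}
    record["visitor_hash"] = hash_ip(pageview["ip"], salt)
    return record


def us_side_check(record: dict) -> bool:
    """US tier guard: accept only records with no parseable IP in any field
    and a well-formed 256-bit visitor hash."""
    for value in record.values():
        try:
            ipaddress.ip_address(str(value))
            return False  # a bare IP address slipped through
        except ValueError:
            continue
    return "visitor_hash" in record and len(record["visitor_hash"]) == 64


if __name__ == "__main__":
    # Constructed pageview from an EU visitor (documentation-range IPv6 address).
    pageview = {"ip": "2001:db8::1", "path": "/pricing", "site": "example.com"}
    forwarded = eu_process(pageview, EU_SECRET_SALT)
    print(forwarded)
    print("accepted by US tier:", us_side_check(forwarded))
```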
This is how we comply with the Schrems II ruling, and this is by far the best solution on the market, if we don’t say so ourselves. We did consider going “all-in” on EU infrastructure, but that would degrade performance for website visitors worldwide. With this solution, EU data subjects hit our EU infrastructure, and everyone else hits the US servers directly.
We are incredibly proud of our solution, and we put a lot of work into making this work. We know that a lot of companies outside the EU won’t be aware of the Schrems II ruling, but companies within the EU know that it’s essential to comply with this.
In addition, a lot of companies have internal legal rules that require them to use EU services to reduce legal risk. With EU Isolation, your EU website visitors’ IP addresses will never be processed outside of the EU and can’t be touched by US entities.