By using web analytics tools you send data to the third party providing the service, e.g. to Google LLC in the case of Google Analytics. If the third-party provider is located outside the EEA, the operator acts as a data exporter and needs a special legal basis for international data transfers under the GDPR.
Can user consent provide a sufficient legal basis for international data transfers?
The transfer of personal data to third parties outside the EEA can be based solely on user consent only if the third country where the data recipients are located is covered by an adequacy decision of the EU Commission. If no such decision exists, user consent is not a sufficient legal basis and the transfer needs an alternative justification.
An adequacy decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does. The European Commission may issue an adequacy decision following a bilateral agreement between the EU and the third country, as was the case for international data transfers to the U.S. up until the invalidation of the EU-US Privacy Shield by the European Court of Justice.
Are standard contractual clauses (SCCs) a sufficient legal basis for international data transfers to the USA?
In 2020 the European Court of Justice invalidated the EU-US Privacy Shield with its prominent Schrems II decision.
Currently, in the absence of an adequacy decision or a bilateral agreement, website operators using U.S.-based third-party tools must rely on "appropriate safeguards" for the transferred personal data as an alternative legal basis. Operators commonly conclude the so-called "standard contractual clauses" (SCCs) to provide these appropriate safeguards.
SCCs are pre-approved model contract clauses by the European Commission. Website operators can incorporate them into their contracts with their third-party providers in order to demonstrate compliance with GDPR. The SCCs bind the parties to ensuring that data transferred to the third country is protected by the appropriate safeguards.
SCCs are a common instrument to ensure a high level of data protection. However, according to the Schrems II decision, even if SCCs are in place, you must provide "supplementary measures" to protect the personal data against access by U.S. authorities.
Furthermore, the recent case law in connection with the use of Google Analytics shows that the data protection authorities (in Austria, Italy and France) do not support a risk-based approach. This means that even if the risk of access by U.S. authorities is merely theoretical, the data exporter from the EU using Google Analytics (or another U.S.-based tracking tool) needs to make sure the recipient of the data in the U.S. cannot re-identify or single out a specific user. The EDPB in its recommendations confirms that pseudonymization can be an effective supplementary measure as long as singling out or re-identification of individual users is not possible.
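To make the EDPB caveat concrete, the following added example (not code from the original page and not JENTIS's own method) contrasts two ways of pseudonymizing a visitor identifier before it leaves the exporter's infrastructure. An unkeyed hash of an IP address is not an effective measure, because the address space is small enough to enumerate and the recipient can recover the original value; an HMAC with a secret key that stays with the EU exporter cannot be reversed by a recipient that does not hold the key. The visitor record, the network range and the key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample: a visitor record as a tracking tag might collect it.
SAMPLE_VISITOR = {"ip": "203.0.113.42", "client_id": "GA1.2.123456789.1700000000"}


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the value. Anyone who knows the scheme can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without `key` the output cannot be linked
    back to the input, yet the same input always yields the same token, so the
    recipient can still count returning visitors."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymize_visitor(record: dict, key: bytes) -> dict:
    """Replace every direct identifier in the record with a keyed pseudonym.
    The key is held by the EU data exporter only and is never transmitted."""
    return {field: pseudonymize(value, key) for field, value in record.items()}


def reidentify_ipv4_by_enumeration(target: str, network: str = "203.0.113.0/24"):
    """Simulates a recipient who knows that the field is a SHA-256 of an IPv4
    address and simply tries every candidate. A /24 is used here to keep the
    example fast; the full IPv4 space (2**32 values) is still trivially
    enumerable, which is why an unkeyed hash of an IP is not pseudonymization
    in the EDPB sense. Returns the recovered address or None."""
    for host in ipaddress.ip_network(network).hosts():
        candidate = str(host)
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed key for demonstration; in production generate a random
    # 32-byte secret and keep it inside the exporter's environment.
    exporter_key = b"constructed-demo-key-do-not-use"

    leaked = unkeyed_hash(SAMPLE_VISITOR["ip"])
    print("unkeyed hash recovered as:", reidentify_ipv4_by_enumeration(leaked))

    safe = pseudonymize_visitor(SAMPLE_VISITOR, exporter_key)
    print("keyed pseudonym recovered as:", reidentify_ipv4_by_enumeration(safe["ip"]))
```

Note that the keyed token is still a stable per-visitor identifier inside the recipient's data set, so it removes re-identification against the source value but does not by itself settle the singling-out question the authorities raise; where that line is drawn for a given tool is the subject of the "Solving legal risks with JENTIS" section.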
Under the section "Solving legal risks with JENTIS" you will find more information on the requirements for effective supplementary measures and how JENTIS is able to meet them.