There is a disturbing, yet unsurprising, trend coming out of the courts and data protection authorities of Europe recently, one that may ultimately determine what web development and software-as-a-service offerings in the European Union look like going forward.
Note: I am not a lawyer. Consult your own legal team to discuss the risk in your own specific scenarios.
A Brief History Lesson
Most people in the analytics and development space are aware of Europe's landmark General Data Protection Regulation (GDPR), which went into effect in May 2018. The regulation defined core privacy requirements for the use of personal data by organizations operating in the EU, and for transfers of personal data out of the EU to third countries.
Before GDPR took effect, the United States and the European Union had already adopted the Privacy Shield framework (2016), which defined how personal data flows between the two regions would have to work, and it continued to serve as a transfer mechanism under GDPR.
This all changed in 2020, when the Court of Justice of the European Union declared the framework invalid because it did not provide the level of protection GDPR requires.
Per the FAQ on the Privacy Shield website:
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.
https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update
The decision left the door open for Standard Contractual Clauses (SCCs) to close the gap left by the loss of an adequacy decision, and most brands operating in EMEA then updated their contracts accordingly. This brings us to recent times, where the standard operating model has been for the data exporter (for example, a website operator) and the US-based importer to put SCCs in place before shipping data from the EU to the USA, in order to keep the data collection from running afoul of GDPR's transfer provisions.
Recent Cases
Three recent cases, I believe, highlight the direction this is going.
Case 1: Consent Management under fire
A German court ruled against a university for loading Cookiebot (a consent manager) because Cookiebot used a content delivery network owned by a US-based company (Akamai), and so could in theory be subject to the CLOUD Act, which requires US companies to turn over data to the US government on request.
Interestingly, the court never established the likelihood that such a transfer would take place, nor that a transfer did take place; it seemed to settle on the fact that it could take place as the basis for the ruling.
Citing the European Court of Justice's position that IP addresses are personal data, and the fact that the US government could request them under the CLOUD Act, the court held that the "transfer" of data to infrastructure owned by a US-based company ran afoul of GDPR.
An injunction was issued against the university. The case may be appealed or proceed to trial.
Full Text of the Court Decision (German) can be found at: https://rewis.io/urteile/urteil/2tj-01-12-2021-6-l-73821wi/
Case 2: Using Google Fonts results in a damages award
In another German case revolving around IP addresses and international data transfers, a website operator was ordered to pay a visitor 100 Euro in damages for loading Google Fonts from Google's servers without the visitor's consent.
Legitimate interest could not be used as a defense, because the font could have been self-hosted on the website, which would have served the font without sending the visitor's IP address to Google.
Full Text of the Court Decision (German) can be found at: https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/
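The practical question behind both Case 1 and Case 2 is which hosts a page contacts before any consent prompt can run, since each of those fetches hands the visitor's IP address to that host. As an added example (not code from the original post or from any of the vendors named above), here is a small JavaScript audit that scans server-rendered HTML for resources loaded from third-party origins and groups them by origin. The HTML document and the page origin `https://example.eu/` are constructed sample input.

```javascript
// Added example (not from the original post): a static audit of the resources an
// HTML page would fetch, reporting every origin that is not the page's own and not
// on an explicit allowlist. Each such fetch sends the visitor's IP address to that
// host before any consent banner can run, which is the issue in Cases 1 and 2.

// Tags whose src/href triggers a network fetch at page load (deliberately not <a>).
const RESOURCE_ATTR_RE =
  /<(?:script|link|img|iframe|source|video|audio)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
// url(...) references inside inline <style> blocks, e.g. @font-face sources.
const INLINE_STYLE_RE = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
const CSS_URL_RE = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;

// Collect raw URL strings from markup and inline CSS. A regex scan is enough for
// a quick audit of server-rendered HTML; resources injected later by scripts
// (a tag manager, for instance) are not visible to this pass.
function extractResourceUrls(html) {
  const urls = [];
  for (const m of html.matchAll(RESOURCE_ATTR_RE)) urls.push(m[1]);
  for (const style of html.matchAll(INLINE_STYLE_RE)) {
    for (const m of style[1].matchAll(CSS_URL_RE)) urls.push(m[1]);
  }
  return urls;
}

// Resolve each URL against the page URL and group the third-party ones by origin.
// Returns a Map: origin -> array of absolute resource URLs fetched from it.
function auditThirdPartyOrigins(html, pageUrl, allowedOrigins = []) {
  const page = new URL(pageUrl);
  const allowed = new Set([page.origin, ...allowedOrigins]);
  const thirdParty = new Map();
  for (const raw of extractResourceUrls(html)) {
    let resolved;
    try {
      resolved = new URL(raw, page); // handles relative and protocol-relative URLs
    } catch {
      continue; // malformed reference: nothing is fetched
    }
    // data:, blob: and similar schemes never leave the browser.
    if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') continue;
    if (allowed.has(resolved.origin)) continue;
    if (!thirdParty.has(resolved.origin)) thirdParty.set(resolved.origin, []);
    thirdParty.get(resolved.origin).push(resolved.href);
  }
  return thirdParty;
}

// Constructed sample page: a Google Fonts stylesheet plus its preconnect hint, a
// consent manager script, an analytics beacon, and two self-hosted resources
// (the @font-face shows the self-hosted form the Munich court had in mind).
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://consent.cookiebot.com/uc.js"></script>
<style>
  @font-face { font-family: "Roboto"; src: url("/fonts/roboto.woff2") format("woff2"); }
</style>
</head><body>
<img src="//www.google-analytics.com/collect?v=1&t=pageview">
<img src="data:image/png;base64,iVBORw0KGgo=">
</body></html>`;

// Human-readable report, one origin per heading line.
function formatReport(thirdParty) {
  const lines = [];
  const entries = [...thirdParty.entries()].sort((a, b) => a[0].localeCompare(b[0]));
  for (const [origin, urls] of entries) {
    lines.push(`${origin} (${urls.length} resource${urls.length === 1 ? '' : 's'})`);
    for (const u of urls) lines.push(`  ${u}`);
  }
  return lines.join('\n');
}

console.log(formatReport(auditThirdPartyOrigins(SAMPLE_HTML, 'https://example.eu/')));
```

Run it with `node` against your own rendered HTML and page URL. Every origin it reports learns the visitor's IP address on page load regardless of what the consent banner later says; note that even a `preconnect` hint counts, because the TLS handshake alone reveals the address. The remedy the cases point to is either to self-host the resource (as the sample `@font-face` does) or to defer loading it until after the consent decision, and the `allowedOrigins` parameter is there for vendors you have already satisfied yourself are EU-hosted and contractually covered.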
Case 3: Google Analytics declared unlawful in Austria
The last case is still unfolding, but it is again worth mentioning the ruling against Google Analytics in Austria. The decision cited that Google admitted to processing personal data in the USA regardless of where it was collected, and found that the SCCs included in Google's terms and conditions were insufficient in light of the various US laws that could in theory compel Google to turn data over to the US government.
While no remediation order or fine has yet been issued, the decision did state that the liability rested with the website operator, not with Google, at this point in time. Google will be subject to an additional review to determine whether it is liable.
Recent Developments
The recent decisions above have not gone unnoticed around the world.
The Dutch Data Protection Authority issued a statement that the use of Google Analytics may soon no longer be allowed, pending its review of the Austrian decision and the conclusion of its own investigation, which it expects to complete in early 2022.
Google issued a call to lawmakers on both sides of the Atlantic urging them to establish a new international data transfer framework while it awaits the rest of the Austrian decision.
Facebook’s 10-K filing to the SEC for investor guidance had this to say:
“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.”
https://d18rn0p25nwr6d.cloudfront.net/CIK-0001326801/14039b47-2e2f-4054-9dc5-71bcc7cf01ce.pdf
Effectively, everyone is waiting to see how the cases above are ultimately resolved before investing massive amounts of work in re-architecting services to comply with these recent interpretations of the regulations.
Final Thoughts
Personally, I understand the logic applied to the cases above. I am, however, very concerned about the trend developing and what it means for the web overall. The concept of an IP address as personal data is problematic in real terms, because that is how the internet works: it is a cornerstone of how webpages and data get moved around, and it may not even map to a real user.
You always submit your IP address to the remote server before you ever see a consent manager prompt. You don't have a choice, because that's how the internet works. The trending cases here indicate that if a resource is not required for the site to functionally load, you're better off not including it at all. If that holds to be the way forward, EU companies are going to spend a lot of time reinventing the wheel to recreate, or localize to Europe, services they are presently loading from the United States.
But it may not even be as easy as refusing to use third-party services directly.
Taken to their logical conclusion, the decisions above effectively state that a website can only leverage external resources if they are located in the EU, or in another country with a GDPR adequacy decision, and are not subject to foreign laws that may violate those standards, even if consent is granted and the data is retained by an EU company the entire time and never actually leaves the EU at any point.
Obviously, this is problematic for a number of reasons, because should this line of logic be upheld and become the new standard of doing business in the EU, it effectively bars many common development architectures and business models from being compliant with GDPR. It's no wonder companies such as Facebook are starting to issue such guidance to investors.
We may see more companies decide the bar is too high. Yahoo! Japan recently announced it is pulling out of Europe, citing the costs of compliance with GDPR. When the bar is set as high as these cases hint at, you are forced to wonder: is the EU attempting to moat itself off from the majority of the internet? I see that as a real potential outcome, even if it's not the intent behind the laws. I am forced to wonder: is that what will happen? Is that what people actually want?