
5 January, 2021

This article was published by Data Guidance.

With the new scenario following the Court of Justice of the European Union’s (‘CJEU’) decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (‘the Schrems II Case’), the legitimation of international data transfer flows has changed, directly impacting the regulation of the different technologies and vendors in the online advertising field. Dmitry Alekseev and Javier Arnaiz, Senior Associates at ECIJA, discuss this issue and its nuances.

In July 2020, the CJEU in the Schrems II Case invalidated the European Commission’s Privacy Shield Decision on account of invasive US surveillance practices. After this recent ruling, most companies have faced an ambiguous and uncertain situation regarding the performance of international transfers.

The use of technologies such as cookies, pixels, tags, etc. is directly impacted by data protection and electronic commerce legislation. Both the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and Directive 2000/31/EC of 8 June 2000 on Certain Legal Aspects of Information Society Services in Particular Electronic Commerce in the Internal Market (Directive on Electronic Commerce) (17 July 2000) (‘the e-Commerce Directive’) are the most relevant European rules currently covering this topic, without prejudice to future developments, such as the ePrivacy Regulation.

In the vast majority of cases, the implementation of trackers implies the engagement of providers that are normally located in the US. Personal data collected through such technologies is either transferred to or accessed from the US, implying an international data transfer outside of the EEA. Thus, the online advertising market is likely one of the most affected by the consequences of the Schrems II Case.

It is well known that Facebook, Google, or Amazon are US-based and the usage of their products (e.g. Sizmek, DV360) certainly implies international data transfer. However, other important players, such as Xandr (formerly AppNexus) or OpenX for SSPs; The Trade Desk or MediaMath for DSPs; or Lotame or Snowflake for DMPs, also have one common denominator: the companies providing the services have their headquarters or central offices located in the US. This means that either for the provision of services (if there is no representation in the EU) or for bureaucratic purposes, personal data will be sent to the US, and neither users of the services, nor data subjects, can factually object to such transfer. In all or the majority of cases, the transfer is a non-negotiable condition of a service designed in a take-it-or-leave-it approach.

This does not mean that US-based providers should not be used or that, conversely, only EU providers are to be engaged. International data transfers are still allowed, and there are mechanisms that are perfectly valid for doing so. However, there are certain matters that must be taken into account by entities that transfer data outside the EEA. To provide proper guidance to exporters of personal data to third countries outside the EEA, the European Data Protection Board (‘EDPB’) has published recommendations aimed at resolving the present situation, through a list of steps to be taken to verify that the transfers to be made outside the EEA comply with the GDPR, identifying additional guarantees to be applied.

These recommendations define a roadmap to be followed by the companies when performing international data transfers. In the framework of the online advertising activity, these steps should be considered by the companies as one of the few ‘official’ mechanisms to comply with the GDPR. Nevertheless, some of the recommended measures to be adapted could cause challenges in implementation.

Step 1 – Know your transfers

To guarantee the level required by the GDPR and to apply additional guarantees, a record of all international transfers must be kept, from those made directly by the exporter to those made by the importer to its suppliers who may be located in another third country. Having an updated register of processing activities is mandatory to achieve this point, and in addition the controller must identify the processors attached to its processing activities.

Step 2 – Identify the transfer tools you are relying on

Once the transfers are identified, the data exporter must identify the most appropriate mechanism to legitimise the transfer; these tools are defined in Article 45 and following of the GDPR.

During the months following the Schrems II decision, many providers relying on the Privacy Shield to transfer data to the US had to make a switch to Standard Contractual Clauses (‘SCCs’), which is the most common mechanism currently used. These changes have already been reflected in privacy policies; however, there are also cases where the change has not been expressly included in the legal text although, in practice, providers are no longer making use of the invalidated Privacy Shield decision.

However, it is important to highlight that SCCs are not the only tool for transferring data outside of the European Economic Area. Along with the SCCs, Binding Corporate Rules (‘BCRs’) can also be used to transfer data abroad within a group of companies, which is (or should be) a good option for those cases where some information needs to be sent to the US for accounting, legal review, conservation, invoicing, or any other similar purpose.
