Schrems II Compliance
Please note that the information provided below is not intended as legal advice and we cannot be held legally responsible for it. We have sought legal counsel and the content on this page reflects our interpretation of the law. If you have any concerns about compliance with Schrems II, we recommend sharing this page with your legal team.
Schrems II is a legal case in which the Court of Justice of the European Union (CJEU) ruled on the validity of the EU-US Privacy Shield framework, which is a mechanism used by companies to transfer personal data from the European Union (EU) to the United States (US). The case was brought by Austrian privacy activist Max Schrems, who argued that the Privacy Shield does not provide adequate protection for EU citizens' personal data when it is transferred to the US.
In July 2020, the CJEU ruled that the Privacy Shield is invalid, stating that the level of protection it provides is not sufficient to ensure that the personal data of EU citizens is adequately protected when it is transferred to the US. The ruling has significant implications for companies that rely on the Privacy Shield to transfer personal data from the EU to the US.
What Does That Even Mean?
Under the Schrems II decision, companies must ensure that they have appropriate safeguards in place to protect the personal data of EU citizens when it is transferred to countries outside of the EU. This includes ensuring that the data is adequately protected against access or processing by unauthorised parties, and that individuals have appropriate rights in relation to their personal data.
Web analytics companies that operate in the EU must take these requirements into account when collecting and processing data from EU citizens. This may involve implementing additional measures to ensure that data is properly protected, and obtaining explicit consent from individuals for the transfer of their personal data. Companies that fail to comply with the requirements of Schrems II may face significant fines and legal consequences.
How Does Proxima Analytics Comply with Schrems II?
As a Greek company located within the European Union and hosting our services with EU-owned companies within the EU, Proxima Analytics is fully compliant with the updated regulations established by Schrems II.
We have made the conscious decision to not transfer any data outside of the EU and do not utilize any third-party services that engage in such practices. As a small, self-funded company, we prioritize hosting our infrastructure with companies that are fully compliant with all relevant laws and regulations, including Schrems II. This ensures the protection of personal data and our commitment to compliance with all applicable privacy regulations.
To ensure compliance with Schrems II, we have implemented the following measures:
- We use Bunny, a DNS and CDN provider located in Slovenia, to route traffic to our hosted services. Their servers are spread across the globe, but no personal data is exchanged during this process.
- Our dashboard, databases, and services are hosted on servers located in Germany and France, owned and operated by Hetzner and Scaleway, respectively.
- No third parties are involved in the hosting and processing of our monitoring script for our paid customers.
Is Google Analytics Schrems II Compliant?
According to the Austrian Data Protection Authority (DSB), the use of Google Analytics by companies may violate the "Schrems II" decision made by the Court of Justice of the European Union (CJEU). The DSB has stated that the transfer of personal data to the United States through Google Analytics, a web analytics service provided by Google, may not be compliant with EU data protection laws, including the General Data Protection Regulation (GDPR).
The DSB's assessment is based on the fact that the United States does not provide an adequate level of data protection according to EU standards, as determined by the CJEU in the Schrems II case. As a result, companies using Google Analytics should carefully evaluate whether their use of the service is in compliance with EU data protection laws.
Are Other Analytics Companies Schrems II Compliant?
It is difficult to determine the Schrems II compliance of other analytics companies. We cannot accurately assess their practices and cannot confirm whether they adhere to the regulations set forth by the EU. It is possible that companies that utilise US-owned data processors, such as AWS, may not be fully compliant with Schrems II. For example, Amazon, the parent company of AWS, has been fined for a GDPR violation by the Luxembourg National Commission for Data Protection (CNPD). Even if it is assumed that AWS handles data differently or more transparently, it is not clear if they store, process, or link data through their services when used as a cloud provider.
Additionally, some analytics companies are not open source, which makes it impossible to determine if they are sending personal data like IP addresses to external services hosted or owned by companies outside the EU when used. It is important to carefully consider the privacy practices of any analytics provider to ensure compliance with Schrems II and protect the personal data of website visitors.