
Promoted feature: Keeping your martech set-up GDPR hassle-free post-Schrems II
Robert Kimber, CEO of Symplify Group, recounts an important lesson in GDPR

Legislation and regulation are nothing new to igaming, and if you operate a service provider in this vibrant industry, you live it and you breathe it. However, what we saw last summer with Schrems II took almost everyone by surprise. And due to our rich experience working with the igaming vertical, we were able to adapt – and adapt fast – to a post-Schrems II world.
Some back story…
Picture this: the CJEU (Court of Justice of the European Union) has invalidated the EU-US Privacy Shield with immediate effect, meaning companies can no longer transfer personal data to the US on the basis of Privacy Shield. Not only that, American-owned companies operating on European soil and hosting data in Europe are also considered non-compliant under GDPR. From one day to the next, it is no longer legally possible to use cloud services or hosting facilities that are affiliated with American companies, for storage or transfer of personal data. If you are operating in the European market and handling personal data on behalf of your European customers, you may be in the wrong here.
It all started with Maximilian Schrems, an Austrian lawyer and arguably the number one GDPR disruptor. In what can only be described as the David and Goliath of modern times, he campaigned against Facebook over privacy violation and the alleged transfer of personal data to the US National Security Agency as part of the NSA PRISM programme, and won.
With Schrems II, it is abundantly clear that transferring personal data to a third party, which in this case can’t guarantee the safety of said data, is in direct violation of the GDPR.
There are currently over a hundred complaints filed against companies based in the EU because they continue to use Google Analytics and Facebook Connect on their websites – and, in doing so, are transferring data to Google and Facebook in the US. According to the ruling from July 2020, such transfers are illegal as both Facebook and Google are subject to US surveillance laws and thereby must disclose data of European users to US intelligence services. The price may turn out to be high, given that the data protection authorities can impose fines of up to €20m or 4% of annual turnover for a violation of the GDPR rules on data transfer. And that’s in addition to possible claims for damages by affected users.
Outcome moving forward
So, will you be affected by this? Well, that question has principally been answered by the CJEU which essentially struck down the very premise of the Privacy Shield, arguing that the US still does not limit surveillance of EU citizens to that which is “strictly necessary”. The ruling is so binary in nature that it’s hard to answer the question with anything but a roaring “yes”.
Will you remain GDPR compliant if you continue to store personal data on a cloud service or platform owned by an American company, albeit hosted within the EU? The answer, in light of this ruling, is no.
“So far, large US data companies are repeating like a mantra that they are evaluating the situation and ensuring that user data is protected on the basis of standard contractual clauses (SCCs). These empty phrases do not change the fact that US surveillance laws give authorities such as the NSA the right to access vast amounts of data that are transferred to the US. So far, there is nothing but silence on this conflict between contracts with EU customers and US laws,” said Marco Blocher, data protection lawyer at noyb.
At Symplify, we value the integrity of personal data, and have, based on the ruling from the CJEU, made changes to how we store our customers’ personal data, keeping it safe and out of reach from unauthorised third parties. We call it Symplify Protect. If you want to know more about how we keep your personal data safe, feel free to reach out.
Robert Kimber has spent more than a decade at the helm of Symplify Group, growing organically – from local to global reach. His strategy has always been to build a team that complements him – and each other – in knowledge, skillsets and capabilities. Kimber has built his leadership on this simple, yet effective, strategy.