GDPR: How to optimize your Snowplow strategy and future-proof your company

Adopting multiple data pipelines to comply with EU privacy laws

• A proactive approach to data sovereignty can help create a long-term plan for data management and growth

• EU and US data laws have taken a different approach, and the EU Commission is increasingly seeking to enforce the principles of the GDPR

• The Austrian and French Data Protection Authority (DSB and CNIL) deemed that Google Analytics does not comply with GDPR - as a result of storing non-anonymised EU citizen data in the United States without explicit consent

• Snowplow can help adapt your data strategy to minimize the risk of any data transfers and conflicts between different data privacy laws by creating separate data pipelines for each territory

How have US and EU data laws evolved since GDPR?How to manage data in multiple locations 

GDPR is being more strictly enforced in the EU, so we set out to answer the question ‘how can companies take a proactive approach to data sovereignty?’ 

Our first step was to look at where data law sits on companies’ current list of worries. In a recent poll, by Enterprise Storage Forum, 76% of respondents said data security was a concern, while only 17% cited an ‘inability to comply with government regulations’. So in short: many companies still see it as low down on the list.

Despite not being a top priority for many companies, however, it does appear that the legislation is being increasingly enforced. Large fines have been issued for not going far enough to protect personal identifiable information (PII) in the EU. Examples include Amazon, which paid out a staggering €746m for non-compliance with general data processing principles, and WhatsApp, which paid €225m million for “insufficient fulfillment of information obligations''. And it’s not just multinational megacorps that are being investigated by regulators; in December 2021, Lisbon City Council received a fine of €1.25m for “insufficient legal basis for data processing”. 

How have US and EU data laws evolved since GDPR?

The following sections are a quick run through how data laws have changed over the last few years. Feel free to refer to the timeline above and skip to the solution section at the end of the article, if preferred.

Since the GDPR came into force in 2018, EU citizens have had far reaching rights, such as the right to access copies of their personal data held by any company or entity, to know where and how it’s being used as well as the “right to be forgotten” (i.e., to request the permanent deletion of personal data). 

The general aim of the regulation is to protect the PII of data subjects from external threats. The legislation was groundbreaking and extensive in scope and set a new standard which has been crucial to shaping the way data is handled around the world. 

The CLOUD Act vs GDPR

Just before GDPR became enforceable, US Congress brought in the CLOUD Act, allowing the government to compel US companies to consent to data access requests without notifying the data subject – for data held both inside and outside the US. Any company storing data in the EU, however, must comply with GDPR, which prevents PII data transfers without the explicit consent of the data subject. 

Privacy Shield and Schrems II

EU and US legislators provided a legal means for data to be transferred between the EU and the US, via 2016’s ‘Privacy Shield’ regulations. 

But in July 2020, the Court of Justice of the European Union (CJEU) ruled that cloud services hosted in the US cannot comply with EU data laws. This legislation is known as ‘Schrems II’. Max Schrems, the Austrian data activist, lawyer, and author defined the reason for the ruling as a ‘clash between EU privacy law and US surveillance law’.

Enforcement of Schrems II

In January 2022, it was announced that the Austrian Data Protection Authority (DSB) had enforced “Schrems II” by issuing a fine for failing to protect the personal data of EU citizens by storing it in the United States without proper consent. The data in question was considered PII in that it contained IP addresses. This effectively meant that no guarantees could be made about how and where that data would be used, as US authorities - such as the NSA - could potentially have unrestricted access to this personal data.

Here is a summary:

• IP addresses are classed as personal data so their transfer falls under EU data protection law
• US intelligence services use IP addresses as a starting point for the surveillance of individuals and the Google Analytics user did not do enough to block US intelligence services from accessing the data
• As a ‘data controller’, any company collecting PII in the EU must follow GDPR – it is not solely the responsibility of the analytics platforms to manage this

In February 2022, the French CNIL followed suit, finding a French website manager in breach of GDPR. The court ruled that the company in question should stop using Google Analytics under the current conditions.

How to manage data in multiple locations

Before we start, it’s worth noting that building a privacy-conscious data strategy takes time and investment, but it’s a journey that can offer longer-term growth and peace of mind.

We refer to our data-collection model as ‘private SaaS’. Almost all other SaaS companies store their client’s data on third-party servers, whereas Snowplow is deployed entirely on our client’s private cloud. Our clients remain fully in control of where their data is stored, how long it’s retained, how it’s managed and the means and purposes for which it’s used.

Having separate data pipelines set up in the US and the EU is one way to respect data sovereignty in both locations. This allows US companies to continue to build a deep understanding of both their EU and US customers and govern data in an effective way. We’ve drawn out some of the alternative solutions below to demonstrate the advantages of adopting a multiple-pipeline strategy.

A multiple-pipeline strategy helps to future-proof a data strategy. If each local jurisdiction varies their data-privacy regime, the security protocols associated with that pipeline can adapt accordingly, without affecting data stored in other locations.