Here are five things you should know about Google Analytics, transfers and Schrems II.
1. Down to Middle Earth We Go
Brush up on your J.R.R. Tolkien because Datatilsynet DK, in its new guidance on cloud providers, says you have to know all of your cloud provider processors and sub-processors and sub-sub-processors until you hit the hobbits in Middle Earth. This was expected based on the European Data Protection Board’s Schrems II guidelines. Like a Keto diet, this is simple to understand but incredibly hard to do.
2. Supervisory Authorities Are People Too
And they are having a hard time enforcing the Schrems II cases, in part because they are aware of how complicated compliance is and, in part, because it is also hard for them. They lack the resources to check if what the controllers said about the sub- and sub-sub- and sub-sub-subprocessors (you get the point) is actually true.
3. Trickle Down Schremsnomics
It is clear that compliance is hard. Right now, a lot of companies are relying on large processors and are unable to get either the information or the compliance concessions they want. Maybe with cases like Microsoft and Zoom for the Netherlands government DPIA and the new European Data Protection Supervisor MS 365 initiative, the work and changes made will start “trickling down” (or up) and be available up the chain to the SME processors or controllers who need it.
4. Keep Idealistic and Comply On
There is no risk base in transfers