Currently the US is considered not to have adequate data privacy protection measures in place.
There is disagreement on whether Article 49 GDPR can be used as a legal basis for the transfer of data to non-adequate countries. According to a guideline of the EDPB (from February 2018), consent under Art. 49 GDPR needs to be explicit, specific to a case, and informed. Consent has to be specific to the particular data transfer, which leads to the conclusion that Art. 49 GDPR might not be a suitable legal basis for regular data transfers.
On July 16th 2020, the European Court of Justice (CJEU) ruled on the so-called "Schrems II" case on Standard Contractual Clauses. As part of the ruling, the "Privacy Shield", under which data had been transferred between the EU and the US, was invalidated.
Because of this, Cookiebot reporting has been changed to reflect that sending data to the US is non-adequate, as the US is considered not to have adequate personal data protection mechanisms in place.
Example from the cookie scan report.
For example, Google/YouTube products are based in the US and it is solely their decision whether the data will be sent to the US or other places. Cookiebot does not have control over the data being sent to the US or somewhere else. Cookiebot just indicates in the scan report whether the data is being sent to adequate or non-adequate countries. The European Commission decides which countries outside the EU are deemed adequate.
What should I do if I want to stop sending data to inadequate countries?
If you want to stop the cookies/trackers from sending your website visitors' data to non-adequate countries, you should remove the elements that set those particular cookies from your website. In the scan report, you will find information about what type of cookie it is, where it was first found, and in what line of the source code it can be found (when applicable).
What should I do if I want to continue sending data to inadequate countries?
Since the ruling, data transfers can no longer be based on the EU-US Privacy Shield. Do note that other ways to transfer data to third countries are mentioned, for example in Article 44 GDPR. These include Standard Contractual Clauses, which were updated by the European Commission in 2021 to correspond to the current legal situation, in connection with further safeguards. You will have to check with your legal and/or privacy team which option suits your needs best.
Please keep an eye out for any comments or recommendations from your local DPO as this may provide information applicable to your situation.
If you do decide to keep using cookies which transfer data to third countries, you can make sure your users are informed about this. See "How can I customize the content in the cookie consent banner?"
Want to know more?
Check out our blog post: Schrems II and the Privacy Shield