This article will be updated as more information becomes available after the CJEU ruling in the Schrems II case, invalidating the use of Privacy Shield for the transfer of personal data between the EU and the US.
Currently the US is considered not to have adequate data privacy protection measures in place.
Whether GDPR Art. 49 on the transfer of data to non-adequate countries then applies to this situation is being debated. Cookiebot is currently awaiting a general comment on the situation by the EDPB, and we are monitoring local DPA comments and recommendations.
On July 16th, the EU Court of Justice (CJEU) ruled on the so-called "Schrems II" case on Standard Contractual Clauses. As part of the ruling, the "Privacy Shield", under which data has been transferred between the EU and companies in the US, has been invalidated.
Because of this, Cookiebot reporting has been changed to reflect that sending data to the US is non-compliant, as the US is considered to not have adequate personal data protection mechanisms in place.
Example from the cookie scan report.
This means that as of the ruling, it is unclear how to legally transfer personal data between the EU and the US. You may do so with standard contractual clauses in place; however, this is currently being debated as well. When sending personal data to a non-adequate country, if this cannot be avoided, it can be done under GDPR Art. 49; however, this article does not specifically apply to the situation of sending data to the US.
For example, Google/YouTube products are based in the US, and it is solely their decision whether the data will be sent to the US or elsewhere. Cookiebot does not have control over the data being sent to the US or somewhere else. Cookiebot only indicates in the scan report whether the data is being sent to adequate or non-adequate countries. The European Commission decides which countries outside the EU are deemed adequate.
What should I do if I want to stop sending data to inadequate countries?
If you want to stop the cookies/trackers from sending your website visitors' data to non-adequate countries, you should remove the elements that set those particular cookies from your website. In the scan report, you will find information about what type of cookie it is, where it was first found, and in what line of the source code it can be found (when applicable).
What should I do if I want to continue sending data to inadequate countries?
Currently, it is not clear how it is possible to be GDPR compliant if you continue using cookies that send data to the US.
Please keep an eye out for any comments or recommendations from your local DPA as this may provide information applicable to your situation.
But if you do decide to keep using these cookies, you can make sure your users are informed about this. You must make sure to enable ‘explicit consent’ and inform your users about the potential risks (see GDPR Article 49(1)(a)) by adjusting the text in the cookie consent banner to include this information. See How can I customize the content in the cookie consent banner?
Please see our blog post on the subject here: Schrems II and the Privacy Shield.