Privacy obligations under the UK GDPR sometimes impose restrictions that can go under the radar of many business owners. Let's face it, how many business owners, dealing with the day-to-day issues of staffing, the needs of customers, financial stressors, and other factors, are also staying aware of the nuances of privacy regulations affecting their website, as the legal data controller? Such is the life of a business owner.
One such area that's worth keeping an eye on is International Data Transfer, which is restricted under GDPR unless certain provisions apply. Because UK GDPR only applies to data controllers and processors in the UK, transferring data outside the UK risks individuals losing the protection of GDPR. It's for this reason GDPR imposes restrictions on sending personal data outside the UK.
I Don't Think I'm Sending Personal Data Internationally
"But I don't send personal information outside the UK", you might say. However, many businesses may do exactly that and not realise it.
One of those circumstances may be something as simple as which website analytics provider a website data controller uses. If the service is based outside the UK, then implementing the code on a website also sends personal information outside the UK.
Does That Mean I Can't Use Analytics On My Website?
It doesn't necessarily mean that. But it does mean site data controllers have to check whether the restriction applies to their chosen analytics provider, or whether 'adequacy regulations' cover them, or whether it falls under one of the permitted exceptions to allow them to make restricted data transfers to the provider. These exceptions are thoroughly explained on the ICO website here, so I won't repeat them verbatim.
In a nutshell, subject to all other GDPR and legal obligations, at time of writing website data controllers are probably OK if the analytics provider is based in a European Economic Area (EEA) country, Gibraltar, The Republic of Korea and any countries, territories and sectors covered by the European Commission’s adequacy decisions (such as Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay). For these places 'adequacy regulations' exist which, put simply, means that in UK law the legal framework in that place has been assessed as providing ‘adequate’ protection for people’s rights and freedoms about their personal data.
What about Google Analytics?
Chances are, however, that website data controllers are using the ubiquitous Google Analytics, which, being based in the USA, is outside all of those places. At present there are only partial 'adequacy regulations' between the UK and USA where GDPR is concerned, so there's no guarantee that a particular US-based service provider is covered.
With the USA, only data which is transferred under the UK Extension to the EU-US Data Privacy Framework is covered. This is because the US legal framework as a whole is not considered adequate. Instead the UK Extension to the EU-US Data Privacy Framework sets out adequate rules which individual US businesses must voluntarily certify with in order to be covered.
The good news is that at time of writing Google LLC is certified with the UK Extension to the EU-US Data Privacy Framework. Site data controllers can search for Google's certification here to make sure:
A valid certification for Google LLC means site data controllers may transfer personal data internationally to Google under 'adequacy regulations' and subject to all their other GDPR and legal obligations (they don't go away).
However, because the UK Extension to the EU-US Data Privacy Framework is voluntary, there's no guarantee that Google will always choose to certify. It's the site owner's responsibility, as the data controller/processor, to check. Should Google ever not certify, under current arrangements data controllers are no longer covered by the framework to share personal data with them - including analytics data.
Pop the date in your diary, Google LLC's next certification due date is 13th September 2024.
Are There Other Exceptions?
There are other exceptions listed by the ICO, which involve various forms of contracts, codes of conduct or agreements, which are all explained here:
Since most small businesses aren't in a position to negotiate with multi-national service providers on an individual basis, the majority will rely on Google LLC, and other internationally based service providers, voluntarily maintaining certification with the UK Extension to the EU-US Data Privacy Framework.
For Full GDPR Information
Although it's impossible to cover everything in this short article, we hope this introduction points you in the right direction. As a business owner you are legally responsible for the compliance of your company. Full details of GDPR obligations can be found on the ICO website.
TLDR
At the time of writing, transfers of personal data to Google LLC, subject to all other GDPR and legal obligations, seem to be covered by 'adequacy regulations' because the entity has voluntarily certified with the UK Extension to the EU-US Data Privacy Framework. While that remains the case, website owners may expect to be OK to use Google Analytics, subject to their other GDPR and legal obligations. However, Google LLC may choose to withdraw certification at any time, and it's the website data controller's responsibility to keep an eye on that.
Disclaimer
This article is provided freely as a brief introduction, does not claim to provide full or complete information, does not constitute advice and is provided without guarantee. Readers apply this information at their own risk. However, we hope the effort made to provide this introduction will prompt readers to learn more about the subject as it applies to their circumstances.