Schrems II Compliant Web Analytics
The past 5 years have seen significant changes to data protection regulation. Leading the charge were the EU’s GDPR in 2018 and, more recently, California’s CCPA.
It’s hard to say we’ve seen a step change in behaviour from big tech companies. The overwhelming cookie/consent popups have created a great deal of friction for browsing and likely desensitised users to the impact of data collection. Whilst people follow the letter of the law, it’s hard to see how these experiences/dark patterns are following the spirit of it.
This shake-up comes before the potential impact of the “Schrems” rulings (specifically Schrems II), which affect the transfer of EEA personal information/data outside of the EEA itself. If the initial knee-jerk reaction to GDPR by some international companies led to European IP ranges being completely blocked, the potential impact of where data transits could be huge.
Whilst it’s hard to think that we’d see any significant change in behaviour from big tech as a result of this, it does give us time to reflect on where the data is flowing. The global nature of the internet means you can never be truly sure where data transits through, but we can make an effort to understand where the data lives and which companies/authorities have the jurisdiction to access it.
Bymetric and EEA Data Transit
When we started Bymetric we wanted to be as flexible as possible to potential data sensitivities. This is why we offer an option to restrict transit and storage of user data to the EEA if that’s what a customer wants.
What this means in practice is having data transit through, and be stored on, systems and servers physically located in the EEA and, crucially, operated by EEA registered/owned organisations.
This means that data cannot go through or be stored on any popular cloud services (e.g. Amazon AWS, Heroku, Microsoft Azure, Google GCP, DigitalOcean, Linode). This is a bit unusual for a bootstrapped tech startup, as these platforms are incredibly powerful enablers for building technology, but we think it’s worth it.
We don’t expect these rulings, and any future regulation, to have a major impact on the way big tech/cloud hosting works on the internet for a long time, but we wanted to be flexible and offer some peace of mind when it comes to the changing privacy regulation landscape.