The history of major GDPR updates, breaches and rulings from the adoption of the Safe Harbor Framework to the present.
Denmark ruled Google Analytics not compliant under the GDPR
The Danish Data Protection Agency concluded that Google Analytics cannot be used lawfully under the GDPR. This decision was made to protect the privacy of European citizens by stopping personal data transfers to countries that do not have an adequate level of data protection.
Denmark banned Chromebooks and Google Workspace in schools
Denmark’s Data Protection Agency (Datatilsynet) ruled that Chromebooks and Google’s Cloud-based services (e.g., Google Drive, Gmail, Google Calendar, Google Docs and more) are not compliant under the GDPR. This ruling was handed down due to data transfers to the US, which does not offer adequate protection for personal data.
This ruling currently applies to Helsingør schools. Those that do not comply could face jail time.
Italy banned Google Analytics under the GDPR
The Italian Data Protection Authority (Garante) ruled that a website’s use of Google Analytics is not compliant with the GDPR. This ruling was a result of Google Analytics sending personal data to the United States, which does not provide an adequate level of data protection.
German website fined for leaking visitor's IP address via Google Fonts
A German court fined a website for using a Google-hosted web font from Google’s Font Library (a font embedding service), which disclosed the unidentified plaintiff’s IP address. This was ruled as a GDPR breach due to the plaintiff’s personal data being shared without authorisation and without a legitimate reason for doing so.
The Court of Justice of the European Union (CJEU) ruled that any Cloud services hosted in the US no longer comply with the GDPR (the “Schrems II” case).
EU websites using tools such as Google Analytics and Facebook were targeted by the European privacy group noyb after the invalidation of the Privacy Shield. The group filed a complaint against 101 websites for continuing to send data to the US.
GDPR officially became enforceable
The GDPR was officially enacted as of 25 May 2018. Businesses that are not compliant can be fined up to 4% of the yearly turnover or 20 million euros, whichever is higher.
The purpose of this regulation is to strengthen and unify data protection for all individuals within the European Union. This also includes entities outside Europe that do business with European citizens.
EU-US Privacy Shield replaced the Safe Harbor regulation
The European Commission adopted the EU-US Privacy Shield, a data protection pact negotiated to replace Safe Harbor and safeguard EU citizens’ rights in relation to transatlantic data transfers.
The EU adopted the General Data Protection Regulation (GDPR)
The GDPR (General Data Protection Regulation) was officially adopted on 14 April 2016 and replaced the 1995 Data Protection Directive.
EU Member States were given two years to ensure that the GDPR was fully implementable in their countries.
The European Court of Justice (CJEU) declared the International Safe Harbor Framework invalid (Schrems I)
The CJEU ruled that the Safe Harbor agreement was no longer valid. The Safe Harbor agreement previously allowed the transfer of European citizens’ data to the US.
The European Commission and the US government created the Safe Harbor Framework
The Safe Harbor Privacy Principles were developed to prevent EU and US private organisations from accidentally disclosing or losing personal data.