"Secure Data Transfer" checkbox for EU customers; required or not?

AntonSy Member
In TEMPLATES -> configuration -> Checkout, there's a box for "Display a Secure Data Transfer agreement to EU customers", which says:
If you have customers in the European Union, enable this feature so they can opt in to sending their data to our secure servers in the United States.

Until Safe Harbor 2.0 or an equivalent is in place, European customers are required to give their consent to send their data to the United States. This feature adds a required checkbox to your checkout page which they must check in order to complete the transaction.
However, whilst that may be required for US-based customers of FoxyCart, I think it's not necessarily required for EU folks like me who are bound by the GDPR. My reasoning is as follows.

GDPR Article 45 Section 1 [ https://gdpr-info.eu/art-45-gdpr/ ] says that:
A transfer of personal data [from the EU] to a third country or an international organisation may take place where the [European] Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
Now, thanks to FoxyCart's participation in the EU-US Privacy Shield Framework [ https://wiki.foxycart.com/static/foxycart_security#foxy_is_a_member_of_the_eu-us_and_swiss-us_privacy_shield_framework ], an "adequacy decision" by the European Commission exists for FoxyCart's US-based processing and transfer of my EU customers' personal data [ https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en ].

My understanding (and I'm not in any way a lawyer!) is that this puts FoxyCart's data processing in the US on a par with any other data processing that I or my other Data Processors/Controllers do within the EU. In which case, for EU folks like me, the full range of "lawful bases"[1] are available for me to "choose" from when determining the lawful basis for Foxy's processing of my customers' data on my behalf, just like normal. And I choose to use "Legitimate Interests" as the lawful basis for having FoxyCart process my customers' data on my behalf, not "Consent". Consequently, I don't plan to enable that checkbox in my Checkout. What are your thoughts on that?

[1] GDPR Article 6 Section 1 [ https://gdpr-info.eu/art-6-gdpr/ ]
Comments
  • fc_adam FoxyCart Team
    @AntonSy,

    Wow - great research there!

    We're also not lawyers ourselves, but from our understanding, we believe how you've laid it out there to be correct. Because of our participation in the newer privacy shield framework, you should be fine to have the "consent" checkbox unchecked in your store's configuration. We have a ticket for updating the information shown in the admin around that option to provide additional details there too.
  • AntonSy Member
    Thanks Adam! Hahaha I certainly felt like a lawyer for months last year when we were trying to get our heads around the requirements that the GDPR imposes on us! Thanks very much for sharing you guys' opinion on the matter (and of course I recognize that you folks aren't lawyers either).