The EU-US Data Privacy Framework OR “Can I use GA legally now?”
on 24.07.2023 by Stefan Riegler, Thomas Symann
In this blog post, you’ll learn:
- What is an adequacy decision and what does it mean for data transfers to the US?
- What are the latest developments for the EU-US Data Privacy Framework?
- What impact does it have on my data strategy and use of US-based tools such as Google Analytics?
- What might happen next?
Key takeaways:
- The European Commission has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF).
- This means that US companies certified under the DPF offer a comparable level of data protection to that of the EU.
- Data can now be transferred to such companies without having to implement additional data protection safeguards.
- It will probably take some more weeks or months for US tech providers (such as Google) to adapt to the Data Privacy Framework.
- This may not be a final decision. Max Schrems’ data protection organization, NOYB, already plans to bring the Data Privacy Framework back to court.
On 10th July 2023, the European Commission shared a press release on their website which caught the attention of every web analyst. The most common questions were: Can I use Google Analytics legally now? And what about all the other US tools we love to use on websites?
We quickly grabbed one of our FELD M Data Privacy Experts and asked four important questions. Here’s what Stefan Riegler had to say.
The European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). Can you briefly explain what that is?
“An adequacy decision is one of the instruments provided under the General Data Protection Regulation (GDPR) to lawfully transfer personal data to third countries. An adequacy decision indicates that a third country has a certain level of data protection, broadly equivalent to that of the EU.
Since the invalidation of the Privacy Shield by the Court of Justice of the European Union in its Schrems II ruling in 2020, the US no longer had this. With the adoption of this decision, the European Commission has decided that US companies certified under the DPF offer a comparable level of data protection to that of the EU.”
When will these new rules come into effect?
“The adequacy decision and the framework are in effect as of now.
However, in order to lawfully export data to a US company, said company has to be certified under the EU-US DPF. It will probably take several weeks or months for US tech providers (such as Google) to adapt to the Data Privacy Framework, get certified, and update their privacy policies.”
Does that mean I can use Google Analytics legally now?
“Following the Schrems II ruling and the invalidation of the Privacy Shield, companies had to base the transfer of data to GA servers in the US on standard contractual clauses (SCCs). However, with SCCs, the data-exchanging companies had to implement supplementary measures to guarantee a sufficient level of data protection.
In the past, European data protection authorities found that Google’s additional measures weren’t doing that and consequently penalized data exporting companies.
With the adoption of the adequacy decision, exporting companies will now be able to base their transfers of data to certified importers on that, rather than on standard contractual clauses.
Regarding the “now” in your question: To my understanding of the adequacy decision, US organizations may receive data as soon as they are placed on a list by the US Department of Commerce (DoC). Organizations such as Google, which were already certified under the Privacy Shield, are to inherit their old certification status – however, they will have to update their privacy policies.
As of today, Google’s information page on data transfers (last updated February 2022) still states that they no longer base data transfers on the Privacy Shield. However, it is indeed already listed in the DoC’s list of certified companies.
So if you want to use Google Analytics, you should probably keep a close eye on Google’s privacy policy. You may want to schedule an appointment with your DPO or legal department to discuss what the adequacy decision means for your specific situation and which steps you might want to take.”
Can we be sure that the new agreement will stay in place longer than its precursor?
“That is a tough question. On the one hand, the European Commission stresses in its communication that the US made substantial commitments regarding the data protection of Europeans.
With the new deal, US intelligence services shall only access personal data when it is required and proportionate to pursue defined national security objectives. Also, a redress mechanism was established, which will enable individuals to appeal unlawful surveillance practices.
However, it is questionable whether the measures taken by the US are truly sufficient to address the Court of Justice of the EU’s (CJEU) concerns, which led to the overturning of the Privacy Shield in its Schrems II ruling three years ago.
Data protection organizations are already gearing up to bring the new adequacy decision before the CJEU again. Max Schrems’ data protection organization, NOYB, announced that they have already prepared various options to bring the Data Privacy Framework back to court.
According to them, a challenge could reach the CJEU by the end of 2023 or the beginning of 2024. Furthermore, they claim that the CJEU could possibly then suspend the framework for the duration of the process.
A final decision by the court could be made within the next one to two years. So, no, for now, I wouldn’t build my whole Data and Data Protection Strategy on it.”
Next steps
The prevailing mood around all things privacy and consent is one of uncertainty for many. Even as court rulings are made, criticism and challenges continue to mount. Many websites exist in a grey zone, either because they’re simply unsure how to approach cookies or, worse, keen to sidestep consent management guidelines using manipulative design.
This makes it more important than ever to have a reliable partner at your side who has their finger on the pulse of current legal discussions, already has experience with pragmatic best practices, and develops innovative technical solutions that give you a true and legally secure advantage over your competitors. FELD M can be this partner for you. If you’re not sure whether your organization is fully compliant, we can provide consultation on all digital topics around Consent and Privacy with our internal and external experts.
* Disclaimer: Please be aware that the information in this post reflects our opinions and understanding of the topic at hand and should not be considered as legal advice or legal counseling but rather serves general informational purposes. You alone are responsible for your legal compliance and should therefore consult with qualified legal professionals before making any decisions based on the information contained in this post. We do not accept any liability for any losses, damages, or legal consequences that may arise from the use or interpretation of the information provided in our blog post. The use of the information is at your own risk.
You can find more information on the matter here:
- Press release of the European Commission
- Release by BfDI – the German Federal Commissioner for Data Protection (German)
- Google’s page on data transfer frameworks
- US DoC’s page on the data privacy framework
- Google’s entry in the DoC’s list of certified companies
- Statement by NOYB on the new data privacy framework