In a significant development, Google Analytics 4 is deemed legal in Europe following the recent adoption of the EU-U.S. Data Privacy Framework by the European Commission.
The news comes amid warnings from the Swedish Authority for Privacy Protection (IMY) concerning potential surveillance risks associated with GA4.
The legal status of GA4 in Europe and the IMY’s warning are interconnected parts of a larger global narrative about data privacy, protection regulations, and transatlantic data transfers.
EU-U.S. Data Privacy Framework Adopted
The European Commission ratified the new EU-U.S. Data Privacy Framework, affirming that the United States provides protection for personal data transferred from the E.U. equivalent to that provided within the Union.
This decision enables safe data transmission from the E.U. to U.S. companies involved in the Framework without necessitating supplementary data protection measures.
The Framework introduces stringent safeguards that address concerns previously raised by the European Court of Justice. These safeguards restrict the access of U.S. intelligence services to E.U. data, confining it to what is essential and proportional, and establish a Data Protection Review Court (DPRC). E.U. citizens will have access to this court.
Enhanced Safeguards Over Previous Mechanisms
The new Framework offers significant improvements compared to the previous Privacy Shield mechanism. For instance, if the DPRC determines that data has been collected in violation of the new safeguards, it can order the deletion of such data.
U.S. companies importing data from the E.U. must adhere to obligations complementing the new safeguards concerning government access to data.
Swedish Privacy Watchdog Warns Against Google Analytics
The announcement of the new EU-U.S. Data Privacy Framework coincides with warnings issued by IMY for companies using GA4, citing concerns over surveillance risks posed by the U.S. government.
The authority’s investigation into four Swedish companies revealed violations of GDPR’s consent and data transfer requirements, leading to penalties and orders to stop using Google Analytics.
In response to the IMY’s decision, Google emphasized that Google Analytics doesn’t identify or track specific individuals across the web. The company stated website publishers are responsible for compliance and ethical data use, while Google provides safeguards, controls, and resources.
Statement From The Commission President
European Commission President Ursula von der Leyen commented:
“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Today we take an important step to provide trust to citizens that their data is safe, to deepen our economic ties between the EU and the U.S., and at the same time to reaffirm our shared values.”
Framework Compliance Protocol For U.S. Companies
U.S. companies can join the Framework by committing to comply with a specific set of privacy obligations.
These include deleting personal data when it’s no longer necessary for its original purpose and ensuring continued protection when data is shared with third parties.
E.U. citizens will have several avenues for redress if U.S. companies mishandle their data. This includes free, independent dispute resolution mechanisms and an arbitration panel.
Safeguarding Access To Transferred Data
The U.S. legal framework provides several safeguards regarding data access by U.S. public authorities. Access to data is limited to what is necessary and proportionate to protect national security.
E.U. citizens will have access to an independent and impartial redress mechanism concerning the collection and use of their data by U.S. intelligence agencies, including the newly established DPRC. This court will independently investigate and resolve complaints.
These safeguards will facilitate more general transatlantic data flows as they apply when data is transferred using other tools, such as standard contractual clauses and binding corporate rules.
The adoption of the EU-U.S. Data Privacy Framework and the European Commission’s ruling do not render the concerns raised by the Swedish Authority irrelevant. The two events address different aspects of the broader data privacy issue.
The EU-U.S. Data Privacy Framework is designed to ensure general data protection for E.U. citizens when their data is transferred to the U.S. It provides safeguards and establishes the Data Protection Review Court (DPRC).
While the new Framework should improve data protection, individual companies remain responsible for ensuring their practices comply with GDPR and other relevant regulations.
Even with the new Framework, companies must stay vigilant in managing their data privacy practices.
While the EU-U.S. Data Privacy Framework is a significant step towards better data privacy, it doesn’t automatically resolve specific issues related to individual companies or services, such as those raised by the IMY about Google Analytics.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews conducted by the European Commission, European data protection authorities, and competent U.S. authorities. The first review is scheduled within a year of the implementation of the adequacy decision.