In a major development for the digital analytics industry and for data privacy practices, the European Commission announced on Monday that it has determined that the United States now ensures an adequate level of protection for personal data being transferred from the EU to American companies. The new “EU-U.S. Data Privacy Framework” adopted by the European Commission provides a foundation upon which personal data can safely be transferred from the EU (e.g. a web visitor in the EU) to the US (e.g. to an American analytics platform like Google’s or Adobe’s).
What this means for digital analytics
The demise of the EU-U.S. Privacy Shield in July 2020 left many organizations with serious questions. Were EU-US data transfers still permissible? If so, would this vary by country? If these transfers were not permissible, how would any form of American adtech/martech, such as Google Analytics, be used for European audiences?
The adoption of the EU-U.S. Data Privacy Framework provides a degree of welcome reassurance for organizations wrestling with those questions. While data privacy is increasingly regulated all over the world, and organizations must continue to build capabilities for data governance and compliance, organizations can also now feel confident that EU-US data transfers are not, fundamentally, at issue. This should — for now, at least — grant some “breathing room” for Google Analytics and many other American technology platforms.
Why did the European Commission make this decision?
The European Commission clearly believes that this new Data Privacy Framework is an improvement upon the previous Privacy Shield. The Framework creates incremental controls and limitations upon how data transferred from the EU to the US must be managed. For example, the potential for US intelligence agencies to access this data — long a concern, if only a hypothetical one — is limited. In addition, a new “Data Protection Review Court” has been created and vested with the power to order the deletion of data found to have been collected in violation of any of the new policies. Improvements such as these convinced the European Commission to adopt the Framework.
What happens next?
Predictably, the Data Privacy Framework is set to be challenged by NOYB, the privacy advocacy group whose challenge to the Privacy Shield led to its demise a few years ago. NOYB argues that until meaningful changes are made to U.S. surveillance laws, a replacement for the Privacy Shield won’t be valid. Given the apparent certainty of continued legal challenges, it seems likely that the Data Privacy Framework will be ruled on by the Court of Justice of the European Union (CJEU). In the meantime, however, EU-US data transfers are on much firmer footing than they were prior to the adoption of the Data Privacy Framework.
Organizations shouldn’t become complacent due to the Data Privacy Framework. Instead, organizations should continue to:
- Explore more privacy-safe methods for supporting data analytics
- Prioritize their ability to comply with regulations like GDPR
- Implement governance processes and technologies that make compliance possible
- Adopt healthy data practices such as transparency, consent management, and data minimization
While the dust settles, it’s a great time to review your tech stack to ensure you know where data is being collected, how it’s flowing from one system to another, how it’s governed and protected, and where you might be at risk. The Merkle | Cardinal Path team is available to help with those kinds of audits and assessments, which are only becoming more important as more and more US states bring their own data regulations into force.