A lot has happened since our last update on this topic in January. After the Austrian Data Protection Authority declared that the use of Google Analytics violates the European General Data Protection Regulation others have followed with France, Italy, and Denmark releasing similar rulings. At the same time, we’ve all been looking closely at the political stage for answers and clarity about a viable data transfer agreement between the EU and US. And recently Politico released an article that the US is about to release an important executive order for a new data transfer agreement. So due time for an update.

The fallout of not having a data transfer agreement between the EU and US

As stated in the first update, this is not just a Google Analytics problem. The core issue is the lack of a data transfer agreement – previously known as the Privacy Shield – between the EU and US. Simply put, without such an agreement in place, the data of European citizens is not sufficiently protected when in hands of US companies. Meaning that the use of any US vendor to process data of European citizens is a violation of the GDPR. Yes, the issue is as big as it sounds.

The fallout reaching beyond Google Analytics is showcased by the Danish DPA ruling against the use of Google Chromebooks and Google Workspace. In addition, the Irish Data Protection Commission marked Facebook as a prime target and doubled down on the order to stop Meta (Facebook & Instagram) from transferring data to the US, possibly leading to a complete stop for Meta in Europe. And the French, Italian, and Greek DPAs ordered the biometric data company Clearview AI to stop processing data and fined the company for 40 million Euros in total.

The consequences of the loss of the Privacy Shield took some time to show, but they are starting to hurt.

No rulings after withdrawn complaints, and we should learn from it

In the II fallout we’ve also seen something quite interesting. Multiple DPAs have released rulings, yet multiple have not. The complaints of None Of Your Business that started it all have not seen any further actions of certain DPAs because the parties who’ve been targeted by the complaints simply stopped using Google Analytics. This is the case in Spain, Lichtenstein, and Luxembourg. As stated in a (German) press release: DPA of Lichtenstein DSS withdrew NOYB complaints due to the good cooperation between the companies concerned and the quick shutdown of Google Analytics.

These kinds of updates are less spectacular compared to the rulings and because of it receive less media attention, however they do provide excellent insight for companies to base their strategy on. Simply put: preparation for a quick shutdown and good cooperation is a proper investment.

All is well with the new executive order – possibly

Back to the big news about the Executive Order that is expected to bring a ‘series of new legal protections to be granted to both European and American citizens over how U.S. national security agencies can access and use their data.’ as stated in the Politico article. To summarize, the new executive order will make the US play nice with European data and limit the access for surveillance by intelligence agencies, resolving the issue at hand.

In terms of timing this order is expected to be made public soon and that will start the ratification process of the European Commission that should take around six months. This all could result in a new data transfer agreement between the EU and US somewhere around March 2023.

Will this solve the issues we’ve been having? Will it improve privacy protection for EU citizens? Will it enable compliant processing of Europeans personal data with US vendors? Will it allow for the use of Google Analytics without the fear of being non-compliant? The answer is possibly.

The Court of Justice of the European Union (CJEU) sets requirements for the privacy protection expected by foreign nations processing the data of EU citizens. One of these requirements is that protection of privacy is embedded in laws, and that is something an Executive Order does not do. So the order can (and probably will) be challenged. It might be a repeat of the Safe Harbour Agreement and Privacy Shield, that both did not hold up in the end. It can turn out to be a temporary solution instead of being the hoped-for big step forward in digital privacy. But temporary solutions will suit organisations just fine for now, as they buy time and allow us to move forward confidently.

Your to-do list for today

What we’ve seen in the past couple of months is that there simply is no good technical solution to resolve or work around the issue of US data transfer when using Google Analytics. The French DPA (CNIL) advised the use of a proxy but the requirements for that proxy renders Google Analytics useless. Bringing the number of options down to only two: either replace all US vendors you’re using to process data from Europeans, or accept the compliance risk that comes with using US vendors.

We expect organisations to do the latter, but we also know much can be improved in privacy protection and the level of control most companies have over all the data they process. With that in mind, our to-do list:

1. Don’t panic

The core issue is a political dispute about mass surveillance by US intelligence agencies at its centre. This is a topic that should be addressed by world leaders and government bodies, not by individual companies such as yours or your partners. . So do not panic, have patience, consult experts, and wait for the needed the political changes and proper guidelines from data protection authorities.

2. Request consent for everything

The GDPR is not the only legislation to keep in mind. The Dutch e-Privacy directive (regulation is coming) or local equivalents such as the TTDSG in Germany require a lot when it comes to the processing of digital data. This goes beyond cookies and impacts all digital solutions and activities. The simplified summary of the requirements boils down to asking consent for everything you do in terms of web analytics and digital marketing.

3. Activate all privacy controls provided by Google

Google Analytics is evolving and the new version GA4 offers some interesting privacy controls that are aimed at improving privacy protection. Some are serious improvements, some are rebranded features, most are not researched by DPA’s yet. Do use them, every improvement is of importance.

4. Improve control of your data operation

Have you read the news that Facebook doesn’t know what they do with all their users’ data? Yes, it is a shame and ridiculous to be frank. Don’t be like Facebook, invest in making sure you know and understand what you’re doing and being in control of your data operation.

Final notes: our unencrypted and unsalted opinion

As said before we firmly believe in a privacy first approach and continuously support our clients in improving and maintaining privacy protection. We also strongly believe things need to change and are no advocate of mass surveillance by the US.

Things are moving fast on all sides. Vendors develop new privacy features, authorities release guidelines, specialists are trying to figure things out, and now finally we see movement on the political side. It is a very interesting time, and very tiresome.

Just like this update, major updates in the privacy protection of citizens of the EU (and US for that matter) are long overdue. It’s about time the required changes in the data transfer agreements are introduced, and the announced executive order gives hope a (temporary) solution can be expected in a few months. Providing clarity on what is and isn’t allowed and providing guidelines for organisations to move forward.

In addition, we welcome the new privacy features offered by many vendors in the slipstream of this public discussion. Including the added privacy protection features in Google Analytics 4, although – and we cannot stress this enough – this whole issue is not just about Google Analytics.