EU-US data transfers, three times a charm or not?
A dynamic legal challenge impacting data collection and utilisation
- Article
- Technical Web Analytics
July got off to a rocky start. First, we saw the Swedish Data Protection Authority (DPA) issue a warning to stop using Google Analytics because of the privacy risks posed by the lack of an adequacy decision for EU-US data transfers. In the same week, the EU Commission reached an adequacy decision with the US for the third time. Can you now finally share personal data for all purposes with US-based organisations, or should you change course?
What happened recently?
We recently discussed how to protect the privacy of your users, specifically with regard to Google Analytics and how to set up data collection with privacy in mind.
Swedish DPA's Ruling on Google Analytics
The Swedish DPA, IMY, ruled at the start of July that four Sweden-based companies must stop using Google Analytics. The decisions discuss the Google Analytics implementation in detail with regard to the processing and international transfer of personal data. In its analysis, the IMY refers to the Schrems II case, which led to the invalidation of the previous transatlantic adequacy decision. The transfer of data from the Swedish companies to U.S.-based Google, which relied largely on standard contractual clauses, was insufficiently protected by supplementary technical security measures. The DPA concluded: "These decisions have implications not only for these four companies but can also provide guidance for other organisations that use Google Analytics." This signals that the decision is expected to have a more widespread impact on EU-US data transfers.
EU Commission's new adequacy decision for International Data Transfers
While the decision by the IMY was making waves, the EU Commission was on the verge of reaching a new adequacy decision for international data transfers. The EU Commission believes that the measures set out in Executive Order 14086 of October 7, 2022, provide sufficient protection against interference from US intelligence agencies, and that the mechanisms the Executive Order introduces adequately protect individuals' rights. The adequacy decision ends a three-year limbo period that started with the Schrems II ruling, during which no adequacy decision was in place. Organisations now face fewer restrictions when sharing personal data with U.S.-based organisations, with the hope that this adequacy will hold for the long term.
NOYB's Opposition to the New Adequacy Decision and Executive Order Changes
However, nothing is set in stone. The Court of Justice of the European Union (CJEU) has already annulled previous adequacy decisions twice. Those annulments followed challenges initiated by NOYB, a non-profit organisation that has filed a long list of cases directly against privately owned companies and lodged complaints against governmental bodies and decisions. NOYB has already stated that it will challenge the new adequacy decision, based on previous CJEU findings and rulings and on the limited changes that the new Executive Order introduces.
How am I impacted?
The EU-US adequacy decision allows data sharing with third parties in the United States to resume. Although the previous cases and rulings have largely been directed at Google Analytics, the decision has a wider scope than that single tool. It also affects other tooling and integrations on your website, app, or other digital platforms. The purposes of those applications vary widely, from analytics and insights to optimisation and personalisation to marketing and advertising. Most organisations rely on US-based service providers and partners to achieve their digital goals, and doing so involves what the GDPR calls an international data transfer.
An international data transfer is the export of personal data by a data controller to which the GDPR applies (your organisation) to another controller or (sub)processor outside the European Union, or to an international organisation. The regulatory framework offers three tiers of mechanisms you can rely on for such transfers:
- Adequacy – the absolute golden standard. On a country-by-country basis, it has been decided that there is an adequate level of protection for natural persons: your customers, prospects, visitors, employees, etcetera. This means that the additional measures needed to uphold the rights of individuals are likely to be limited.
- Safeguards – This middle-of-the-road option offers the most flexibility, but the solutions for authorising data transfers are less clear-cut. Examples include binding corporate rules (BCRs) for group undertakings or joint economic activity, standard contractual clauses (SCCs) approved by data protection authorities, and approved codes of conduct or certification mechanisms with binding commitments. Lastly, there are "ad hoc" contractual clauses that can be authorised by the DPA.
- Derogations – The least desirable mechanism for international data transfers, only to be used where no adequacy decision and no safeguards are possible. Derogations are construed narrowly and come with specific additional requirements for the grounds of processing.
For the U.S. specifically, the new adequacy decision on the one hand allows organisations to continue sharing data with U.S.-based businesses and partners on a golden-standard basis. On the other hand, there is a chance that the adequacy decision will be nullified, which would leave you having to decide how to continue. One way to mitigate that impact is to combine the mechanisms mentioned above.
What should you do?
Ultimately, it all comes down to what you value and what fits your business in terms of flexibility, risk, and priorities. There are steps you can take to determine the best approach for your application.
1. What fits your organisation?
Whilst international data transfers are usually possible, they always carry increased risk and require additional procedures to manage. It is valid to first ask yourself whether you need an international data transfer at all. Do you need to use that specific service provider or tool? Perhaps you can find an EU-based alternative for the functionality you need to achieve your goals. Perhaps protecting your data subjects' personal data is worth more than the value the international partnership provides.
2. You need that transfer, so what does it require?
If you need to collaborate with an organisation in a third country, you can build in protective principles such as data minimisation to reduce the impact of the data transfer. Adhering to privacy by design and privacy by default can greatly reduce the impact of the transfer on the privacy of the affected individuals. Through anonymisation or encryption, it may even be possible to reduce the transfer to one of non-personal data, which in turn decreases the implications and restrictions of the GDPR. Note that the GDPR only applies to data that can be linked to an identifiable natural person.
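As an added example (not code from the original article), the following Python applies the minimisation principles above to an analytics event before it is exported to a provider in a third country: fields the provider does not need are dropped, the IP address is truncated to a network prefix, and the user identifier is replaced with a keyed pseudonym whose key stays with the controller. The event schema, field names and key are constructed for illustration; note that pseudonymised data is still personal data under the GDPR, so this reduces exposure rather than removing the transfer from scope.

```python
import hashlib
import hmac
import ipaddress

# Fields the (assumed) downstream provider needs for aggregate reporting.
# Everything not listed here is dropped before export (data minimisation).
ALLOWED_FIELDS = {"event", "page", "timestamp", "country"}


def truncate_ip(ip: str) -> str:
    """Zero the host part so the address no longer identifies one subscriber:
    keep a /24 for IPv4 and a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a key that never leaves the controller's environment.
    The recipient gets a stable but opaque identifier; without the key the
    original value cannot be recovered or matched against a dictionary."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_event(event: dict, key: bytes) -> dict:
    """Return the export-safe version of a raw analytics event."""
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    if "user_id" in event:
        out["user_ref"] = pseudonymise(event["user_id"], key)
    if "ip" in event:
        out["ip_prefix"] = truncate_ip(event["ip"])
    return out


# Constructed sample event; in practice the key comes from a secret store.
SAMPLE_EVENT = {
    "event": "page_view",
    "page": "/pricing",
    "timestamp": "2023-07-10T09:15:00Z",
    "country": "SE",
    "user_id": "customer-1042",
    "email": "a.person@example.com",
    "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (constructed)",
}
SAMPLE_KEY = b"constructed-demo-key-replace-me"

if __name__ == "__main__":
    print(minimise_event(SAMPLE_EVENT, SAMPLE_KEY))
```

The exported record keeps only the four reporting fields plus `user_ref` and `ip_prefix`; the e-mail address, user agent, raw IP and raw user id never leave the controller.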
3. Do a Data Transfer Impact Assessment (DTIA)
Several questions need to be assessed before you can decide on the best-fitting solution. First, identify and assess the relevant data transfers along with the mechanisms used for them. Then, assess the status of data protection laws and practices in the third country. Next, identify whether additional measures are needed. If so, take measures at the appropriate level, and document and execute the procedural steps of implementation. Finally, establish a periodic re-evaluation process for the safeguards.
4. Discuss, Decide, Document
The worst thing you can do as a data controller is to make decisions on a whim, or to make it appear that you do so. Doing your due diligence and documenting it is vital when a DPA or DPO requests information. Even documenting conflicting issues or grey areas in your decision-making can help your organisation, as it shows you are prepared to take responsibility for protecting stakeholders.
Conclusion
Even after an adequacy decision, the responsibility to act carefully when sharing personal data internationally remains important. Assess the options, values and costs, impact, and future actions to stay on top of your responsibilities as a data controller or processor. Consider local alternatives and personal data minimisation principles to reduce international data transfers, and thereby the overhead and requirements that apply under the GDPR.
Could you use assistance in ensuring the privacy of end users while also complying with the legislation? Contact us, and we'll be happy to help! We understand that analysing data in a privacy-friendly manner is crucial for improving your services.
This is an article by Bram Ooms
Bram started as a Technical Web Analyst in 2019, where he focused on data implementations at clients such as Univé, DPG Media, Boels and Vodafone. Through his experiences with the impact of legislation on enabling data flow he developed an interest in data privacy, which he is now actively pursuing within Digital Power.