Data transfer: news from the U.S. and its implications for the use of Google Analytics


Authors: Francesca Tugnoli, Eleonora Margherita Auletta


The EU-U.S. Data Privacy Framework

Following the Schrems II judgment[1], the European Commission entered into talks with the U.S. government with a view to drawing up a possible new adequacy decision that would meet the requirements of Article 45(2) of Regulation (EU) 2016/679 (hereinafter “GDPR”) as interpreted by the Court of Justice of the European Union (CJEU).

As a result of these discussions, on 7 October 2022, the United States adopted Executive Order 14086 on Enhancing Safeguards for US Signals Intelligence Activities (EO 14086). On that basis, the Commission drew up an adequacy decision (hereinafter the “Decision”)[2] covering the framework that applies to commercial entities processing data transferred from the Union: the “EU-U.S. Data Privacy Framework” (EU-U.S. DPF or DPF). The consequence of the Decision is that personal data transfers from controllers and processors in the Union to certified organizations in the United States may take place without the need to obtain any further authorization. The direct application of the GDPR to such organizations is not affected where the conditions regarding the territorial scope of that Regulation, laid down in Article 3, are fulfilled.


How does it work?

The EU-U.S. DPF is based on a system of certification similar to the Privacy Shield. In particular, to be certified[3] the organization:

  • must adhere to a set of principles (for example, purpose limitation, specific safeguards in the case of processing special categories of personal data, data minimization, accuracy, security, transparency, accountability, etc.) and supplementary principles issued by the U.S. Department of Commerce (“DoC”) as laid out in Annex I of the Decision;
  • must be subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) or the U.S. Department of Transportation (“DoT”).

Organizations are required to re-certify their adherence to the principles on an annual basis. To certify under the EU-U.S. DPF (or re-certify annually), organizations must publicly declare their commitment to comply with the principles laid out in Annex I of the Decision, make their privacy policies available and fully implement them. As part of their certification application, organizations have to submit information to the DoC on, inter alia, the name of the organization, a description of the purposes for which it will process personal data, the personal data that will be covered by the certification, the chosen verification method, the relevant independent recourse mechanism and the statutory body that has jurisdiction to enforce compliance with the principles.

Organizations can receive personal data on the basis of the EU-U.S. DPF from the date they are placed on the DPF list by the DoC.


What about public access by the U.S. Authorities?

One of the most important aspects that led to the invalidation of the Privacy Shield was the risk that the U.S. Authorities could access the personal data of European citizens without any guarantee that adequate safeguards were in place, and without the knowledge of the data subjects. The consequence was that the data transfer executed by the data controller/processor was considered unlawful.

To overcome this critical issue that resulted in the invalidation of the Privacy Shield, the Commission also assessed, among other things, the limitations and safeguards introduced to protect the rights of European citizens. These include, for example, the oversight and individual redress mechanisms available in U.S. law as regards the collection and subsequent use, by U.S. public authorities (in the public interest), of personal data transferred to controllers and processors in the U.S. More specifically, government access may take place for criminal law enforcement and national security purposes. In particular, access by the U.S. Authorities must comply with the requirements and conditions described in paragraph 3.1.1 and the subsequent paragraphs of the Decision. The same guarantees apply to the secondary use of the personal data.


Implications of the use of Google tools

From the information made available on the official website of the International Trade Administration (ITA), the U.S. Department of Commerce notes that Google LLC has adhered to the Decision for the following processing activities: “This certification applies to Google LLC and its wholly-owned U.S. subsidiaries, including X (a division of Google LLC) and Chronicle LLC, and any other wholly-owned U.S. subsidiary of Google LLC to the extent of any current separate self-certification by such entity. With respect to personal data other than human resources data: Data is processed for various purposes depending on the particular product or service being provided, including: sales and marketing to consumers and businesses; supplying services and products to consumers and businesses; operating, developing and improving services and products of Google and/or any of its wholly-owned U.S. subsidiaries identified below; personalizing services and products; financial processing and management; supplier, vendor and partner relationship management; fraud prevention, security, and protection of Google, its wholly-owned U.S. subsidiaries, and our users; compliance with applicable law and governmental, legislative and regulatory bodies; and customer support and relationship management. Data is disclosed to third parties as detailed in our relevant Privacy Policies, listed below, including: in situations in which we have consent, for external processing, with domain administrators, and for legal reasons”[4].


Practical take-aways: Data transfers that take place when using Google Analytics are now lawful

Based on the above, adherence to the Decision can finally guarantee the lawfulness of transfers of personal data from the EU to the U.S. in the context of the provision of Google’s services and products, including Google Analytics 4 (GA4). In practice, this means that, if the chosen configuration of Google Analytics does not exclude the transfer of personal data from the EU to the U.S., the transfer can now be considered lawful based on an adequacy decision pursuant to Art. 46 of the GDPR since Google has adhered to the Decision.


What about other US-based vendors?

In order to identify the correct mechanism for data transfers to other U.S.-based vendors, it is necessary to verify whether they are listed on the website of the Framework[5]. If they are listed and their certification is marked as “active”, it is then necessary to check that the scope and duration of the certification cover the outsourced service. Only then can the data transfers be considered lawful without the need to sign the Standard Contractual Clauses (“SCCs”) and perform a Transfer Impact Assessment (“TIA”). In all other cases, a different transfer mechanism must be found, because the Decision does not apply.


[1] See https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62018CJ0311.

[2] For an overview of the invalidation of the Privacy Shield you can read this article: https://www.ictlc.com/personal-data-transfers-between-uncertainties-and-new-requirements/?lang=en. You can find the EU-U.S. Data Privacy Framework here: https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework_en.pdf.

[3] The list of the certified organizations is available here: Participant Search (dataprivacyframework.gov).

[4] Google’s certification is available here: Participant Detail (dataprivacyframework.gov).

[5] See footnote no. 3.

ICTLC Italy
italy@ictlegalconsulting.com