US services, EU privacy rules
January 25, 2022
In the last few weeks there has been a lot of talk about Google Analytics and the GDPR. I think most of the comments around it have missed the whole picture.
A little bit of history
Our brief history begins at the end of the ’90s, when the EU and the US agreed on the International Safe Harbor Privacy Principles. On 26 July 2000 the European Commission (EC) formalized them with Commission Decision 2000/520/EC, which allowed personal data to be moved freely from the EU to the US. The assumption was that data on US soil would enjoy protection comparable to (or better than) the same data on EU soil, so the privacy of people in the EU was not at risk. On 6 October 2015 the European Court of Justice (ECJ) invalidated that decision, on the basis that US law authorized public authorities to access the content of electronic communications on a generalized basis, which the Court deemed to be “compromising the essence of the fundamental right to respect for private life” (the quote is from the ECJ judgment, usually referred to as Schrems I).
On 2 February 2016, less than six months after the ECJ judgment, the EC announced the first version of Privacy Shield, a new arrangement that was meant to overcome the issues the ECJ had highlighted. On 30 May 2016 the European Data Protection Supervisor (EDPS) issued an opinion in which it stated that “the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the [European] Court”. Nevertheless, on 8 July 2016 the EU member states approved the EU-US Privacy Shield, and the EC implemented it on 12 July 2016 with Decision (EU) 2016/1250. On 16 July 2020 the ECJ declared the EU-US Privacy Shield invalid (the Schrems II judgment).
Since 2020 the EU and the US have been working on a replacement agreement, but in the meantime there is no adequacy decision covering transfers of personal data from the EU to the US. The standard contractual clauses that Schrems II left standing still require the exporter to verify, case by case, that the data will receive essentially equivalent protection, and to add supplementary measures where it will not; in practice that is very hard to show for a US provider subject to the surveillance laws the Court objected to, which is why I consider such transfers to have no usable legal basis today. Nor is there any guarantee that a new agreement will be reached, or, if it is, that it will survive legal scrutiny for more than a few years, given what happened to its two predecessors.
In January 2022 the Austrian Data Protection Authority (DSB) published a decision (dated December 2021) finding that an Austrian website operator using Google Analytics was violating the GDPR’s rules on international transfers: the standard contractual clauses, together with the supplementary measures Google offered, did not bring the data sent to the US to a level of protection essentially equivalent to the EU’s, so the transfer had no valid legal basis.
Possible future outcomes
I think there are two major possible outcomes to consider:
- An agreement is found
- No agreement is found
If an agreement is found, everything will go back to normal, and it will again be legal to transfer the personal data of people in the EU to the US, at least until that agreement is challenged in court as the previous two were.
If no agreement is found, it will remain unlawful to move personal data from the EU to the US, as it effectively has been since July 2020. This means that all services that export such data to the US will be off limits, not only Google Analytics.
What to do
What I think is the real point is to ask ourselves how the users of such services, as well as the providers, should behave from now on to make sure they do not violate the rules.
The safest way for users of such services to avoid trouble is to stop using Google Analytics and to review whether they, or any of their data processors (and sub-processors), store or process personal data in the US. Where such data are found, they should be moved to the EU, or the service replaced with one that does not transfer them. Note that storage location alone does not settle the question: the issue the courts raised is access by US authorities, so data held in an EU region by a provider that can be compelled from the US does not automatically remove the problem.
Obviously, it is also possible to wait and see the outcome of the negotiations between the EU and the US, but that leaves you exposed in the meantime.
If no agreement between the EU and the US is found, the only real solution for service providers will be to re-architect their services so that personal data stay in the region where they were collected, and only aggregated, non-personal results are used or exposed elsewhere.
Some closing thoughts
We will have to accept that the web is being split along national borders into many similar but different internets. We already see this in other parts of the world, such as Russia and China, which require their citizens’ personal data to be stored locally and restrict moving it abroad. My prediction is that this pattern will continue over time. Whether or not the EU and the US reach an agreement, service providers will need to re-engineer their services to comply with regulations of this kind, or limit their offering to specific markets.