In an important development, Google Analytics 4 is considered legal in Europe following the recent adoption of the EU-US Data Privacy Framework by the European Commission.
The news comes amid warnings from the Swedish Privacy Authority (IMY) about potential surveillance risks associated with GA4.
GA4’s legal status in Europe and the IMY’s warning are interconnected parts of a larger global narrative on data privacy, data protection regulations and transatlantic data transfers.
The EU-US data privacy framework has been adopted
The European Commission ratified the new data privacy framework between the EU and the United States, stating that the United States provides equivalent protection for personal data transferred from the EU that is provided to the Union.
This decision allows for the secure transmission of data from the EU to US companies involved in the Framework without the need for additional data protection measures.
The Framework introduces strict safeguards that address concerns previously raised by the European Court of Justice. These safeguards restrict US intelligence services’ access to EU data, limiting it to what is essential and proportionate and establishing a Data Protection Review Tribunal (DPRC). EU citizens will have access to this court.
Improved safeguards over previous mechanisms
The new framework offers significant improvements compared to the previous Privacy Shield mechanism. For example, if the DPRC determines that data has been collected in violation of the new safeguards, it can order the deletion of that data.
US companies importing data from the EU must meet obligations that complement the new safeguards relating to government access to data.
Swedish privacy watchdog warns against Google Analytics
The announcement of the new EU-US data privacy framework coincides with warnings issued by IMY for companies using GA4, citing concerns about surveillance risks posed by the US government.
The authority’s investigation into four Swedish companies revealed violations of the GDPR’s data transfer and consent requirements, leading to fines and orders to stop using Google Analytics.
In response to the IMY’s decision, Google emphasized that Google Analytics does not identify or track specific individuals on the web. The company stated that website publishers are responsible for ethical data compliance and use, while Google provides safeguards, controls and resources.
Statement by the President of the Commission
The President of the European Commission, Ursula von der Leyen, commented:
“The new data privacy framework between the EU and the US will ensure secure data flows for Europeans and bring legal certainty to businesses on both sides of the Atlantic. Today we take an important step to give citizens confidence that the your data is secure, to deepen our economic ties between the EU and the US and, at the same time, to reaffirm our shared values.”
Framework Compliance Protocol for US Companies
US companies can adhere to the framework by committing to a specific set of privacy obligations.
These include deleting personal data when it is no longer needed for its original purpose and ensuring continued protection when data is shared with third parties.
EU citizens will have several avenues of redress if US companies mishandle their data. This includes free and independent dispute resolution mechanisms and an arbitration panel.
Protection of access to transferred data
The US legal framework provides several safeguards regarding access to data by US public authorities. Access to data is limited to what is necessary and provided to protect national security.
EU citizens will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, including the newly established DPRC. This tribunal will independently investigate and resolve complaints.
These safeguards will facilitate more general transatlantic data flows as they apply when data is transferred through other tools, such as standard contractual clauses and binding corporate rules.
Future steps
The adoption of the EU-US data privacy framework and the ruling of the European Commission does not make the concerns raised by the Swedish authority irrelevant. The two events address different aspects of the broader issue of data privacy.
The EU-US data privacy framework is designed to ensure the overall data protection of EU citizens when their data is transferred to the US. It provides guarantees and establishes the Data Protection Review Tribunal (DPRC).
While the new framework should improve data protection, individual companies remain responsible for ensuring their practices comply with GDPR and other relevant regulations.
Even with the new framework, companies must remain vigilant in managing their data privacy practices.
To sum up
While the EU-US data privacy framework is an important step towards better data privacy, it does not automatically resolve specific issues related to individual companies or services, such as those raised by the IMY regarding Google Analytics .
The operation of the EU-US data privacy framework will be subject to regular reviews by the European Commission, European data protection authorities and US competent authorities. The first review is scheduled within one year of the application of the adequacy decision.
[ad_2]
Source link
