In a significant development, Google Analytics 4 is considered legal in Europe after the European Commission recently approved the EU-US data protection framework.
The news comes amid warnings from the Swedish Data Protection Agency (IMY) about potential surveillance risks related to GA4.
The legal status of GA4 in Europe and the IMY warning are interrelated parts of a larger global narrative about privacy, data protection regulations and transatlantic data transfers.
EU-US data protection framework adopted
The European Commission has ratified the new EU-US data protection agreement, reaffirming that the United States offers the same level of protection for personal data transferred from the EU as within the Union.
This decision enables secure data transfers from the EU to US companies participating in the framework without the need for additional data protection measures.
The framework introduces strong safeguards that address concerns previously raised by the European Court of Justice. These safeguards restrict US intelligence agencies’ access to EU data to what is essential and proportionate, and establish a Data Protection Review Court (DPRC). EU citizens have access to this court.
Improved protections over previous mechanisms
The new framework offers significant improvements compared to the previous Privacy Shield mechanism. For example, if the DPRC finds that data was collected in violation of the new protections, it can order the deletion of that data.
US companies importing data from the EU must comply with obligations that complement the government’s new data access protections.
Swedish data protection commissioner warns against Google Analytics
The announcement of the new EU-US data protection framework coincides with warnings issued by the IMY to companies using GA4, citing concerns about surveillance risks posed by the US government.
The agency’s investigation into four Swedish companies found violations of the GDPR’s consent and data portability requirements, resulting in penalties and orders to stop using Google Analytics.
In response to the IMY’s decision, Google emphasized that Google Analytics does not identify or track any specific person across the web. The company stated that website publishers are responsible for compliance and ethical data use, while Google provides safeguards, controls and resources.
Statement by the President of the Commission
EU Commission President Ursula von der Leyen commented:
“The new EU-US data protection framework will ensure secure data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic. Today we are taking an important step to give citizens confidence that their data is safe, to deepen our EU-US economic relationship while reaffirming our shared values.”
Framework compliance protocol for US companies
US companies can join the framework by committing to comply with certain data protection obligations.
These obligations include erasing personal data when it is no longer required for its original purpose and ensuring ongoing protection when data is shared with third parties.
EU citizens have several redress options when US companies mishandle their data. These include free, independent dispute resolution mechanisms and an arbitration board.
Ensuring access to transmitted data
The US legal framework provides several protections for data access by US authorities. Access to data is limited to what is necessary and proportionate to protect national security.
EU citizens will have access to an independent and impartial redress mechanism regarding the collection and use of their data by US intelligence agencies, including the newly formed DPRC. This court will independently investigate and rule on complaints.
These safeguards will facilitate broader transatlantic data flows, as they apply when data is transferred using other tools, such as Standard Contractual Clauses and Binding Corporate Rules.
The adoption of the EU-US data protection framework and the European Commission’s ruling do not render the concerns expressed by the Swedish authority irrelevant. The two events address different aspects of the broader data protection issue.
The EU-US data protection framework aims to ensure general data protection for EU citizens when their data is transferred to the US. It provides safeguards and establishes the Data Protection Review Court (DPRC).
While the new framework should improve data protection, individual companies remain responsible for ensuring their practices comply with the GDPR and other relevant regulations.
Despite the new framework, organizations must remain vigilant in managing their privacy practices.
While the EU-US privacy framework represents an important step towards better privacy, it does not automatically resolve certain issues related to individual companies or services, such as those raised by the IMY on Google Analytics.
The functioning of the EU-US data protection framework is subject to regular reviews by the European Commission, European data protection authorities and relevant US authorities. The first review is scheduled to take place within a year of the implementation of the adequacy decision.