The European Commission announced on Monday that it had adopted a new adequacy decision covering personal data transfers from the EU to the USA.
This follows the invalidation of the Privacy Shield by the Court of Justice of the European Union (CJEU) on July 16, 2020, in the Schrems II ruling.
The EU and the USA have therefore agreed on a new framework, the EU-US Data Privacy Framework. In principle, it gives EU individuals stronger safeguards and more avenues for redress.
This could pave the way for the legal use of Google Analytics 4 (GA4), as well as many other tools affected by this regulation.
The new framework introduces additional safeguards, notably limiting access by US intelligence agencies to EU individuals' data to what is necessary and proportionate. It also establishes a new redress body, the Data Protection Review Court (DPRC), before which EU individuals can challenge how US intelligence agencies have handled their data.
However, the decision is open to legal challenge, and it does not cover every data transfer between the two jurisdictions.
The durability of the agreement raises questions
This agreement is the latest in a series between the EU and the USA; two of its predecessors (Safe Harbor and the Privacy Shield) were invalidated by the Court of Justice of the European Union (CJEU). The question is whether this new agreement will meet the same fate.
The political will to reach an agreement is very real, given the economic and political stakes. Ursula von der Leyen, President of the European Commission, underlined the importance of the decision, saying, "The new EU-US data protection framework will ensure secure data flows for Europeans and provide legal certainty for businesses on both sides of the Atlantic."
Others, however, denounce the agreement as a barely changed copy of the first Privacy Shield. Among them is Noyb.eu, the organization headed by Max Schrems that had the Privacy Shield annulled. In its article "European Commission gives EU-US data transfers third round at CJEU", it states: "The new transatlantic agreement is a copy of the previous "Privacy Shield", which had already been invalidated. There is no legal basis for this change of course, only political logic." ... "The fundamental problem of mass surveillance operated by FISA 702 in the United States has not been resolved. The U.S. continues to consider that only American people deserve constitutional rights, which excludes non-Americans from these protections." The organization plans to challenge the decision before the Court of Justice of the European Union, arguing that this new attempt does not resolve the fundamental problems and does not respect the rights of European citizens.
Only certain organizations are concerned
The decision does not authorize all data transfers indiscriminately. It covers only transfers to US organizations that have self-certified under the Data Privacy Framework. The list of participants is maintained by the US Department of Commerce, and the CNIL links to it.
The Data Privacy Framework is an agreement between the United States and the European Union designed to protect the personal data of EU individuals transferred to the USA. It rests on a set of principles that participating US organizations commit to respect, and that commitment is enforceable against them under US law.
For Google Analytics specifically, we still need to confirm that Google appears on that list.
Our recommendation: Wait & see
The trend in France and Europe is clearly not towards a loosening of personal data protection standards. GA4 is on track to comply with GDPR (RGPD) requirements, but the timeline is unknown, and as of this writing (12 July 2023) it remains non-compliant in its default configuration.
Update 27/10/2023: Google has been added to the Data Privacy Framework list, which makes GA4 usable in compliance with the GDPR (still subject to user consent).
The two most interesting alternatives:
- Choose Matomo Analytics: Matomo is among the audience-measurement tools the CNIL lists as eligible for the consent exemption, provided it is configured as the CNIL's guidelines require (no cross-site tracking, no sharing of the data with third parties, aggregate statistics only).
- Use Google Analytics 4 through a proxy server you host, so that the visitor's browser never contacts Google's servers directly; the proxy strips or pseudonymizes identifying data (visitor IP address, referrer, URL parameters, client identifier) before forwarding each hit. This is the setup the CNIL describes in its article "Google Analytics and data transfers: how to bring your audience measurement tool into compliance with the GDPR?"
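The value of the proxy approach lies entirely in what the proxy removes before forwarding. The following is an added example, not code from the original article, from the CNIL or from Google: the rewriting step of such a proxy written as a pure Python function, plus an audit function that flags anything that leaked through. The measures it applies (no visitor IP, pseudonymised client id, no referrer, no URL query string, no cookies, coarsened user-agent) are this editor's reading of the CNIL's proxy guidance, the parameter names `v`, `tid`, `cid`, `dl`, `dr`, `dt` are the ones GA4 `/g/collect` hits carry, the dropped set `DROPPED_PARAMS` is an assumption, and the sample hit is constructed.

```python
"""
Added example (not from the original article, the CNIL or Google).
A GA4 "proxy" setup has the browser send its collection hits to a server the
site operator hosts in the EU; that server rewrites each hit and forwards it to
Google itself. This module is the rewriting step plus an audit check.
Assumptions: the measures applied are the author's reading of the CNIL's proxy
guidance; v/tid/cid/dl/dr/dt are the GA4 /g/collect parameter names; the
sample hit in example_hit() is constructed, not captured traffic.
"""
import hashlib
import hmac
from urllib.parse import unquote, urlencode, urlsplit, urlunsplit

GA4_COLLECT = "https://www.google-analytics.com/g/collect"
GENERIC_UA = "Mozilla/5.0 (proxied)"  # replaces the real browser user-agent
# Parameters carrying identifiers the proxy refuses to pass on (assumed set):
# dr = document referrer, uid = site-assigned user id.
DROPPED_PARAMS = {"dr", "uid"}


def pseudonymise(value: str, secret: bytes) -> str:
    """Keyed hash of the client id: stable per visitor on this proxy, but Google
    never receives the cookie value itself and cannot reverse the mapping."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop the query string and fragment, which
    often carry order numbers, e-mail addresses or session tokens."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sanitise_hit(query: dict, headers: dict, client_ip: str, secret: bytes):
    """Rewrite one inbound hit. Returns (outbound_url, outbound_params, outbound_headers).
    client_ip is taken as a parameter so the caller cannot forget it exists; it is
    deliberately never copied anywhere, so Google only ever sees the proxy's address."""
    params = {}
    for key, value in query.items():
        if key in DROPPED_PARAMS:
            continue
        if key == "cid":
            value = pseudonymise(value, secret)
        elif key == "dl":
            value = strip_url(value)
        params[key] = value
    # Outbound headers are built from scratch rather than copied, so Cookie,
    # Referer, X-Forwarded-For and friends from the browser never go through.
    out_headers = {
        "User-Agent": GENERIC_UA,
        "Content-Type": headers.get("Content-Type", "text/plain"),
    }
    return f"{GA4_COLLECT}?{urlencode(params)}", params, out_headers


def audit(outbound_url: str, outbound_headers: dict, query: dict,
          headers: dict, client_ip: str) -> list:
    """Return the names of inbound fields that leaked into the outbound request.
    An empty list means the hit is clean. Keep this in the test suite and run it
    over a sample of live hits after every change to the proxy."""
    blob = unquote(outbound_url) + "\n".join(f"{k}: {v}" for k, v in outbound_headers.items())

    def leaked(value: str) -> bool:
        return bool(value) and unquote(value) in blob

    leaks = []
    if leaked(client_ip):
        leaks.append("client_ip")
    if leaked(query.get("cid", "")):
        leaks.append("cid")
    if leaked(query.get("dr", "")):
        leaks.append("dr")
    if leaked(urlsplit(query.get("dl", "")).query):
        leaks.append("dl_query")
    if "Cookie" in outbound_headers or leaked(headers.get("User-Agent", "")):
        leaks.append("headers")
    return leaks


def example_hit() -> dict:
    """Constructed sample of what a browser sends to the proxy (not real traffic)."""
    return {
        "remote_addr": "203.0.113.42",
        "query": {
            "v": "2",
            "tid": "G-EXAMPLE1",
            "cid": "1234567890.1700000000",
            "dl": "https://shop.example/account?order=4711&email=jane%40example.org",
            "dr": "https://search.example/?q=private+query",
            "dt": "My account",
        },
        "headers": {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
            "Referer": "https://shop.example/account?order=4711",
            "Cookie": "_ga=GA1.1.1234567890.1700000000; session=abc",
            "X-Forwarded-For": "203.0.113.42",
            "Content-Type": "text/plain",
        },
    }


if __name__ == "__main__":
    hit = example_hit()
    url, params, hdrs = sanitise_hit(hit["query"], hit["headers"], hit["remote_addr"], b"site-secret")
    print(url)
    print("leaks:", audit(url, hdrs, hit["query"], hit["headers"], hit["remote_addr"]))
```

Wire `sanitise_hit` into whatever HTTP handler receives `/g/collect` on your own domain and issue the forward from the server side with the returned URL and headers; the proxy must itself be hosted so that the raw hit never leaves the EU, otherwise the rewriting solves nothing. The `audit` function is the regression check: a naive pass-through of the same sample hit is reported as leaking the client IP, the client id, the referrer, the URL query string and the browser headers.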