Monday, July 10th, the EU Commission adopted a so-called "adequacy decision" regarding the USA. This means that American companies seeking certification under the new agreement can now legally transfer personal data to organizations in the USA. The "adequacy decision" from the EU was the final missing piece after the USA completed the last steps on their side last week. The EU Commission's assessment will take effect as of Tuesday, July 11th. Thus, the new transatlantic data protection agreement between the USA and the EU is formally in effect.
However, this does not mean that all data transfers to the USA from Tuesday, July 11th, are legal. American companies must now be certified under what is called the "EU-U.S. DPF" with the US Department of Commerce before they can receive data from companies that, in terms of GDPR, act as data controllers in the EU. The list of companies that have already obtained certification can be found here.
Link to the Danish Data Protection Agency's coverage of the new transfer framework here.
The whole issue surrounding Google Analytics and others arose after the previous data transfer agreement between the USA and the EU, known as Privacy Shield, was invalidated on July 16th, 2020 (Schrems II). All stakeholders, users, companies, and authorities using tools like Google Analytics 4 have therefore had a great common interest in establishing a new Privacy Framework, which is why the adoption of this has been long-awaited.
With the decision on Monday 10th July from the EU, the path is clear for software tools like Google's GA4, Meta's Pixel, etc., to be used legally.
The ball is now in the court of Google, Meta, etc., to initiate their internal process to obtain approval from the US Department of Commerce.
European supervisory authorities have for a long time focused on Google Analytics, but the same GDPR-related challenge exists across a wide range of American software products where data is either transferred to US servers or where American authorities - theoretically and despite the data being stored on European servers - can still force access since the European company ultimately has American owners.
In Denmark, the Data Protection Agency, has among other things recently issued a decision in June criticizing Boligportal for not being able to demonstrate that their processing of information about individuals visiting their website, regarding Boligportal's use of Meta's Pixel, complies with the GDPR. The authority has also issued an injunction to Boligportal to bring the processing into compliance with the rules.
We hope and believe that Google, Meta, and other companies that provide popular software tools are actively working to qualify under the new "EU-U.S. DPF" with the US Department of Commerce so that Danish and international companies can legally use these tools in full.
s360 will continue to closely monitor the developments with the aim of obtaining more information about Google's and Meta's certification processes, which we can share with our customers.
The above cannot replace legal counselling. s360 and its employees do not offer legal counselling in any form, including circumstances surrounding the setup and use of websites and media platforms. s360 does not accept any form of responsibility in regards to direct or indirect losses as a consequence of the use of this article, including loss following from inadequate or wrongful use of information, evaluations or other conditions. s360 recommends seeking legal counselling from a qualified lawyer if you are in doubt about any legal requirements and conditions, GDPR compliance and/or use of data.
Stay updated on the case and future updates regarding this.