Update on EU-US Data Transfer Agreement and FAQs

Here’s a short update on this topic since 10 July, when the rules entered into force.
August 30, 2023
Est. 1 minute

Update on EU-US Data Transfer Agreement and FAQs

In July, we shared the news of the adoption of the EU-US Data Transfer Agreement. It paved the road for once again using GA4 and other US-based tech tools legally. In this article, you can read an update on the US-based companies & our produced FAQ with valuable takeaways.

As of today (30/8/2023), a total of 2,489 US-based companies have self-certified for the EU-US Data Protection Framework (DPF), and all well-known tech companies have been certified, such as Google, Meta, Microsoft etc.

Google has announced that they will update their data protection terms to comply with the new requirements, which will apply as of 1 Sep 2023. The US has also reached a formal agreement with the UK and Switzerland to establish a similar legal framework to facilitate the transfer of personal data from the UK and Switzerland to the US. A few formalities await UK and Switzerland approvals, but are expected within the near future.

Relevant FAQs on the EU-US DPF

To help navigate this evolving landscape, we have prepared the following FAQs for you.

Is Google Analytics now legal to use?

Yes, but note that Goggles certification under the US/EU DPF does not in itself guarantee that Google Analytics is approved as being GDPR compliant. Google must continue actively to comply with other GDPR requirements which applied before the US/EU DPF.

Why were these new rules needed?

The whole issue surrounding Google Analytics and other US tech tools arose after the previous data transfer agreement between the USA and the EU, known as “Privacy Shield”, was invalidated on July 16th, 2020 (Schrems II). All stakeholders, users, companies, and authorities using tools like Google Analytics 4 have therefore had a great common interest in establishing a new privacy framework, which is why the adoption of this has been long-awaited.
With the decision on Monday 10th July from the EU, the path is clear for software tools like Google's GA4, Meta's Pixel, etc., to be used legally.

How do I find out if a company is certified?

You can check if a company is certified by visiting the U.S. Department of Commerce website and clicking on the "Data Framework Privacy List" tab.

Does my company need to do anything?

Just like with any other processing of personal data, a company must continue to ensure to have a legal basis for the processing and that a data processing agreement is in place if the US company, such as Google, processes data on its behalf. Additionally, if necessary, you should establish an agreement on shared data responsibility with the US based company, especially if you are sharing information with a social media platform, and both parties are using the personal data for their own purposes. When you share information with a U.S. company certified under the scheme, you must disclose in your personal data or privacy policy that the US-based company is certified under the EU-U.S. DPF. You must also ensure that the individual whose data is being processed receives information about their rights.

Popular marketing tools such as GA4 have terms and conditions for the use of personal data stipulated in their online terms applicable to the use of the platforms. We always encourage our customers to review these on a regular basis.
Google has announced that it will update its data protection terms to comply with the new requirements, which will apply as of 1 Sep 2023.

Contact information

Johan Peen, COO, [email protected], +45 3063 9366 
Rasmus Lenler-Petersen, VP & Head of Legal, [email protected], +45 2071 2469

The above cannot replace legal counselling. s360 and its employees do not offer legal counselling in any form, including circumstances surrounding the setup and use of websites and media platforms. s360 does not accept any form of responsibility in regards to direct or indirect losses as a consequence of the use of this article, including loss following from inadequate or wrongful use of information, evaluations or other conditions. s360 recommends seeking legal counselling from a qualified lawyer if you are in doubt about any legal requirements and conditions, GDPR compliance and/or use of data.

Sign up for our newsletter and stay updated on the case

Stay updated on the case and future updates regarding this.


Don’t miss out on digital news

Join our monthly s360 mail to get industry news on digital marketing, technology and data. We put a lot of effort into our newsletter to provide valuable and actionable insights to you.
Woman in armchair