Not out of the woods yet: what does the new US-EU data transfer mean for adtech and martech
It seems like the gates will re-open for Trans-Atlantic data flow, in principle – but when? Following two years of limbo, the EU and US have reached a political agreement that will restart data transfer and storage. But while this outcome is what many hoped for, when and whether it will end ongoing uncertainty is still unknown, says Anders Pilgaard Andersen, senior vice president, general counsel, and corporate secretary for Adform, the only global, independent and fully integrated advertising platform built for modern marketing.
Actions from EU Data Protection Authorities (DPAs) remain significant. Several have decided that the use of Google Analytics is in violation of the General Data Protection Regulation (GDPR), and for now these rulings still stand. This coordinated action across supervisory authorities also indicates that the increased scrutiny of data practices will not be letting up any time soon.
The latest marketing news and insights straight to your inbox.
Get the best of The Drum by choosing from a series of great email briefings, whether that’s daily news, weekly recaps or deep dives into media or creativity.Sign up
The ECJ judgement has sparked aligned efforts on multiple fronts, focusing on Google Analytics sending EU data to the US
For companies reliant on US-based adtech and martech platforms, this makes understanding of the current situation, and where that leaves them, crucial.
A flurry of landmark decisions
Most recent decisions spring from one catalyst: the Schrems II case. In 2020, the European Court of Justice (ECJ) dismantled Privacy Shield over its failure to meet Article 44 of the GDPR. With the US government able to view personal data under US federal surveillance laws – such as IP addresses and cookie data – Privacy Shield could not guarantee equal protection for EU citizens after transfer to the US.
Fast forward to 2022 and the ECJ judgement has sparked aligned efforts on multiple fronts, specifically focused on Google Analytics sending EU data to the US. In January, the Austrian DPA announced its verdict that the platform breaches GDPR rules and within days the Dutch DPA shared guidance reaching similar conclusions. Statements from the French and Danish DPAs quickly followed.
Progressing toward better privacy
Unveiled last month, the provisional political agreement relating to the Trans-Atlantic deal forged by US president Joe Biden and EU Commission leader Ursula Von der Leyen aims to create a new data-sharing framework that will allow organizations to reinstate flow across from the EU to the US, while allegedly ensuring GDPR compliance. But will it?
So far, details of how these revised practices will work are minimal. According to the White House’s fact sheet, negotiations have centered on strengthening user safeguards. For instance, defined actions include setting up an independent Data Protection Review Court, where EU citizens can seek redress if they feel unlawfully targeted by intelligence activities. Specifics on what enhanced high-standard commitments and protections will involve are still largely unclear.
A deal in name, not reality
It is important to underscore two terms: political and provisional. As it stands, the deal is agreed between political leaders in principle and there are many possible issues along the road ahead. The way US surveillance laws are designed might present challenges – as could how long it takes to achieve federal-level change. With the EU and ultimately the ECJ requiring solid legal guarantees, only time will tell if all parties can reach a mutually acceptable conclusion.
That leaves companies operating internationally with the continued need for caution. Those in the strictly-regulated finance and telco sectors will have (and should if they haven’t yet) begun re-evaluation of adtech and martech platforms to determine if they are the right GDPR-safe choice. Organizations in other sectors must follow suit.
In addition to bringing together key stakeholders from every department to assess if data collection procedures, flows and existing security mechanisms meet GDPR standards, companies should consider their tech selection carefully. Vendors offering infrastructure built to offer localized data storage and EU-secure data processing and ensure non-US jurisdictional exposure will be best placed to future-proof their operations, whatever the outcome of the new Trans-Atlantic deal turns out to be once in final print.