Data Protection : New agreement between the EU and the US

The European Union and the United States have recently strengthened their commitment to transatlantic data protection, thereby establishing new guidelines. Let's take a detailed look at this innovative framework and find out what it means for the protection of our personal data in the digital age.

Origin and Details of the Agreement

Originally, the Privacy Shield was invalidated in 2020 due to concerns about American surveillance programs.
In February 2022, France's CNIL declared the use of Google Analytics in the country non-compliant with GDPR, citing the transfer of personal data and unique identifiers to the United States. Websites had to discontinue using Google Analytics, although many continued despite the legal risks.

After months of intense negotiations, an agreement was reached on July 10. This turnaround is attributed to Joe Biden's decree, "Enhancing Safeguards for United States Signals Intelligence Activities" thereby ensuring stricter control over data access by U.S. agencies.

Thanks to this measure, European companies can now freely transfer data from Europeans to the United States with full confidence.

Concretely, this adequacy decision allows European companies to transfer the data of their European users to the United States. The European Commission has affirmed that the level of protection offered by the United States will henceforth be similar to that of Europe.

Upcoming Challenges

History shows that the road to strong data protection is fraught with challenges. Previous agreements have been revoked, and the similarity between the Data Privacy Framework and the Privacy Shield raises questions. Legal challenges are already underway, questioning the longevity of this agreement. Only time will tell if this framework will deliver on its promises.

Impact on Tech Giants

For many companies, notably Meta, Google, and Amazon, this agreement marks a major turning point. Meta, which was previously fined 1.2 billion euros for illegal data transfer, now sees an opportunity to reduce or nullify this penalty while continuing its advertising activities in Europe.

In the face of ambiguity in previous regulations and the invalidation of the Privacy Shield in 2020, several companies had decided not to adopt the new version of Google Analytics. Compliance concerns and the desire to ensure data security led many companies to turn to alternative European solutions. Piano, Matomo, and Piwik have thus emerged as preferred alternatives, offering increased transparency and data governance aligned with European standards.

Moreover, the strategy of proxying GA4 in Server-Side has gained popularity. This method allows companies to keep control of their data by processing it on their own servers before sending it to Google Analytics. This provides an additional layer of protection, ensuring that the data is processed in accordance with European regulations while still benefiting from GA4's powerful analytics features.

Key Takeaways and Next Steps

Beyond the headlines and discussions, the agreement emphasizes user data respect. American companies will have to adhere to strict obligations, especially the deletion of unnecessary data. From now on, if the DPRW finds that data has been collected in violation of the new guarantees, it can order the deletion of that data. The European Commission, with heightened vigilance, will conduct regular reviews to ensure promises are kept, with the first review scheduled one year after the agreement's entry into force.

Addingwell is Here to Help !

The evolution of agreements between the EU and the United States on data protection highlights the growing importance of data governance for all advertisers in our digital world. It is clear that the floodgates are currently open, but we must remain cautious. Despite initial optimism, this agreement may remain fragile and could change overnight, with potential repercussions for all businesses active on a transatlantic level.

In addition to the need to maintain compliance, it is imperative to control the level of detail of information shared with third parties. Server-side tracking offers precisely this level of control. By adopting this approach, businesses can accurately steer their data collection and dissemination, thereby strengthening their agility in the face of legislative changes. Staying informed about legal changes allows for quick adjustments in data practices, whether that means deleting, pseudonymizing, or anonymizing data before sharing it with actors, particularly those in the United States.

Now is the ideal time to consider more adaptive technologies, focused on the specific needs of each business, such as server-side tracking.

We invite you to take a moment to speak with our experts. They can guide you through these changes and offer tailored solutions