CNIL rules GA data safeguards and transfers are not GDPR compliant
It’s not often that data privacy policies feature in articles about international politics and the future of democracy. But this week, as the world watches the tensions on the Ukrainian border (at the time of writing, the morning of 22/2/22, these remain only tensions), data security has been cited by a Times columnist, James Forsyth, as at least an indicative factor in how Western countries have responded to the unfolding crisis (“How the West can defeat the Xi-Putin axis”, Comment, The Times).
The argument goes that Western powers are divided, and so now is a good time for others to take advantage of this fact; political commentators explain that this is why the problems in Ukraine, and possibly Taiwan, are occurring now. One of the ways in which the powers are divided is in technology and data. Whilst the European Union and the UK have led the world in adopting the highest levels of privacy and data security standards, as enshrined in GDPR legislation, others, particularly the US, have adopted a more “national security first” approach. Specifically, this means that in the US there is the possibility, however theoretical, that security agencies could demand access to personal data stored in the United States. This is beyond the pale for European legislators, as it breaches the concept of individual freedoms and safety from state-backed intrusion. In terms of personal data security at least, therefore, Europe and America are at odds with each other.
This is backed up by what we are seeing in data privacy cases in the more mundane world of digital analytics. For a number of years, privacy activists in Europe have been bringing cases before the courts to test the GDPR legislation, most famously Max Schrems, who brought the case in which the US/EU Privacy Shield was deemed incompatible with GDPR. Practically, this meant that the “safe harbor” agreement (the scheme by which US companies promised to process data in accordance with EU law, even if it was hosted in the US) was invalidated. Since then, there has been no generally available way (outside of specific contracts with companies) of processing personal data in the US in a GDPR-compliant manner.
In the last couple of months, this gulf has been further reinforced by activists bringing cases in all 27 EU countries about the compatibility of analytics data, and specifically Google Analytics data, with the principles of GDPR. The argument is that because Google does not guarantee it will process GA data locally, analytics data (which could include personally identifiable indicators) could be processed in the US, and therefore be liable to be requested by American security agencies. On the face of it, this seems an odd data battleground (why would the CIA want to know that I, or indeed anyone, was looking to buy some clothes online?), and it could seem like finding a very unlikely use case with which to attack what might be the soft underbelly of the legislation, but the activists will say there is a principle at stake. So far, the data regulators have agreed: first the Austrian and now the French DPOs have found that Google Analytics’ data safeguards are not sufficiently robust to protect the data freedoms guaranteed by the GDPR (“Use of Google Analytics and data transfers to the United States: the CNIL orders a website manager/operator to comply”, CNIL); the decision specifically references the risk of the data being used by security agencies.
The other 25 countries are yet to decide, but it seems likely that many of them will follow suit. A clear legal divide is emerging between Europe and the US, and it doesn’t look like it is going to be reconciled any time soon; as the Times article puts it, “the West is divided between two large regulatory blocs which cannot and will not mate”.
As Forsyth highlights, this discrepancy between technologically advanced nations, and its associated risks, has not gone unnoticed at a political level. One US think tank has proposed a new international alliance of technologically advanced democracies. The proposed “T12”, comprising the US, UK, France, Germany, Australia, Canada, South Korea, Japan, Finland, Sweden, India and Israel, would come together to define strategies and rules on data, AI, data science and cyber security. As the last few months indicate, such an alliance may have initial difficulties, simply because of the difference in philosophies between regulatory regions. That said, with a physical threat to democratic nations on Europe’s eastern borders, there may be greater recognition of the need for collaboration and compromise amongst a “T12” than seemed possible even a couple of months ago.
For the time being, however, the difference between Europe and the US from a data point of view is as broad as ever. American organisations like Google will need to establish data collection methods in Europe fairly rapidly to counteract the current judgements, as well as lobbying to explore what a new Safe Harbor scheme might look like; expect Google Analytics to have a solution to this fairly soon. Other American data companies, like Adobe, already have European-based processing methods, so are less exposed to this risk. In the meantime, however, data businesses with data centres in the UK and Europe will be in a better position to capitalise on this strategic landscape for European-based clients. What this means for the longer-term data landscape will partly depend on whether there is a renewed interest in collaboration among leading technological nations.