Data collection in the EU: troubled waters for US companies
February 25, 2022 – The distance between the United States and Europe is about 4,000 miles, but when it comes to laws governing how data is collected and used online, the gap seems a lot wider.
The US has always had a very different data privacy legal regime than the EU. In the United States, there is no omnibus consumer privacy law at the federal level; rather, there are various sectoral laws dealing with issues such as health care, financial services, and children’s data, as well as a wide variety of state-level laws.
Meanwhile, the European Union's General Data Protection Regulation (GDPR), which became applicable in 2018, is a comprehensive law of 99 articles and 173 recitals that applies across all member states. Bridging the gap between the two jurisdictions has always been difficult, and recent developments have made compliance even harder for US-based technology companies.
Standard contractual clauses
Under Chapter V of the GDPR, personal data may be transferred to a country outside the EU on the basis of a Commission decision that the country ensures an adequate level of protection for the rights of EU data subjects. The European Commission (Commission) has never found the United States adequate under this standard. Instead, US and European regulators negotiated formal programs intended to make cross-border data transfers to the US compliant with EU data protection law. These programs allowed US companies to register and self-certify their adherence to a set of privacy principles; once registered, the US company itself was deemed adequate to receive personal data from the EU.
The first program, the US-EU Safe Harbor framework, was struck down by the Court of Justice of the European Union (CJEU) in 2015 after a lawsuit by privacy advocate Max Schrems convinced the court that the program did not adequately protect EU data subjects against US surveillance activities. The parties negotiated a replacement, the EU-US Privacy Shield, which the CJEU invalidated in turn in 2020 in the so-called "Schrems II" judgment.
In the absence of an adequacy decision, the GDPR requires companies to implement appropriate safeguards, including enforceable data subject rights and legal remedies. The most frequently used mechanism has been Standard Contractual Clauses (SCCs) — a contract pre-approved by the Commission that establishes certain controls to protect data in line with EU standards.
The Commission released updated SCCs in 2021, with a modular design and optional clauses that marked a major break from previous versions. However, these new SCCs came into effect after Brexit and were not adopted under the separate UK GDPR framework. The UK has published its own International Data Transfer Agreement (IDTA) for transfers from the UK, as well as a separate IDTA Addendum that will allow businesses to use the new EU SCCs for transfers from the UK. As the UK is no longer bound by the decisions of EU privacy regulators, this scheme is expected to be widely adopted and to remain valid for transfers of personal data from the UK to the United States.
Transparency and consent framework
The free Internet is largely supported by online advertising, and the ad tech industry relies on data collection to inform targeted advertising. The more accurate and detailed the data, the more effective and valuable the advertising.
The industry operates mostly out of sight of consumers: website tracking cookies and other data collection mechanisms gather behavioral data from most internet-connected devices and share it among many parts of the ad technology ecosystem, where it is processed and transformed into actionable data for ad targeting.
Under the GDPR, there must be a lawful basis to process personal data, and data collected through cookies and other tracking mechanisms is personal data. To comply, the industry therefore needed a process to ensure that its participants were collecting this data with a lawful basis. This has proven to be a challenge for ad tech companies operating behind publisher websites, and the industry has coalesced around a system known as the Transparency & Consent Framework (TCF), developed and operated by the trade association IAB Europe AISBL (IAB Europe).
Nearly 800 companies are registered as vendors under the TCF. When a user visits a publisher's site, sees a cookie banner and clicks to accept it, the user is deemed to have consented to the collection of personal data via retargeting cookies. At this point a "TC string" encoding that consent is generated and a cookie is placed on the user's device, or an existing cookie is updated. The TC string is then passed to ad tech and other companies in Europe, which rely on it as the record of consent to collect and share the user's personal data and deliver targeted advertisements based on it.
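To make concrete what actually travels in that cookie, the following is an added Python example (not code from this article, from IAB Europe, or from any consent management platform) that encodes and decodes the core segment of a TCF v2 TC string. The field layout follows the publicly documented TCF v2 core-segment format; the CMP ID, vendor IDs, purpose choices and timestamp in the sample are constructed for illustration and do not describe any real vendor. The point for a practitioner is that the string carries separate per-purpose and per-vendor bits, so a vendor reading it has to check both its own bit and the bit for the purpose it wants to rely on, rather than treating "the user clicked accept" as blanket consent.

```python
"""Encode/decode the core segment of an IAB TCF v2 TC string (added example)."""
import base64

# Core-segment fields in wire order as (name, bit width). Integers are
# big-endian; in purpose/vendor bitfields the most significant bit is id 1.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
    ("publisher_cc", 12),
]

def pack(fields):
    """(value, width) pairs -> base64url segment without '=' padding."""
    if any(v >> w for v, w in fields):
        raise ValueError("field value overflows its width")
    bits = "".join(format(v, f"0{w}b") for v, w in fields if w)
    bits += "0" * (-len(bits) % 8)  # zero-pad to a byte boundary
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def bit_reader(segment):
    """Return read(width) over the segment's bits; width 0 reads nothing."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    bits, pos = "".join(f"{b:08b}" for b in raw), 0
    def read(width):
        nonlocal pos
        chunk = bits[pos:pos + width]
        if len(chunk) < width:
            raise ValueError("TC string truncated")
        pos += width
        return int(chunk, 2) if width else 0
    return read

def ids_to_bits(ids, width):
    """1-based ids -> bitfield in which id i occupies bit (width - i)."""
    if any(not 1 <= i <= width for i in ids):
        raise ValueError(f"ids must lie in 1..{width}")
    return sum(1 << (width - i) for i in set(ids))

def bits_to_ids(value, width):
    return {i for i in range(1, width + 1) if value >> (width - i) & 1}
def letters_to_bits(code):  # two uppercase letters, 6 bits each, A = 0
    return (ord(code[0]) - 65) << 6 | (ord(code[1]) - 65)
def bits_to_letters(value):
    return chr(65 + (value >> 6)) + chr(65 + (value & 63))

def vendor_fields(vendors):
    """Vendor consent / legitimate-interest section, bitfield encoding."""
    max_vendor = max(vendors, default=0)
    return [(max_vendor, 16), (0, 1), (ids_to_bits(vendors, max_vendor), max_vendor)]

def read_vendor_section(read):
    max_vendor = read(16)
    if read(1) == 0:  # IsRangeEncoding = 0: one bit per vendor id
        return bits_to_ids(read(max_vendor), max_vendor)
    vendors = set()  # range encoding: NumEntries x (IsARange, start[, end])
    for _ in range(read(12)):
        is_range, start = read(1), read(16)
        end = read(16) if is_range else start
        vendors.update(range(start, end + 1))
    return vendors

def encode_tc_string(purposes_consent, vendors_consent, vendors_li, created):
    """Build a v2 core segment (bitfield vendor lists, no publisher restrictions)."""
    values = {  # hypothetical CMP id 1; timestamps are deciseconds since the epoch
        "version": 2, "created": created * 10, "last_updated": created * 10,
        "cmp_id": 1, "cmp_version": 1, "consent_screen": 1,
        "consent_language": letters_to_bits("EN"), "vendor_list_version": 1,
        "tcf_policy_version": 2, "is_service_specific": 1,
        "use_non_standard_stacks": 0, "special_feature_opt_ins": 0,
        "purposes_consent": ids_to_bits(purposes_consent, 24),
        "purposes_li_transparency": 0, "purpose_one_treatment": 0,
        "publisher_cc": letters_to_bits("BE"),
    }
    fields = [(values[name], width) for name, width in CORE_FIELDS]
    fields += vendor_fields(vendors_consent) + vendor_fields(vendors_li)
    fields.append((0, 12))  # NumPubRestrictions = 0
    return pack(fields)

def decode_tc_string(tc_string):
    """Parse the core segment; any further '.'-separated segments are ignored."""
    read = bit_reader(tc_string.split(".")[0])
    tc = {name: read(width) for name, width in CORE_FIELDS}
    if tc["version"] != 2:
        raise ValueError(f"unsupported TC string version {tc['version']}")
    for key in ("consent_language", "publisher_cc"):
        tc[key] = bits_to_letters(tc[key])
    for key in ("purposes_consent", "purposes_li_transparency"):
        tc[key] = bits_to_ids(tc[key], 24)
    tc["vendors_consent"] = read_vendor_section(read)
    tc["vendors_li"] = read_vendor_section(read)
    return tc

def vendor_may_process(tc_string, vendor_id, purpose_id):
    """Consent is granular: a vendor needs its own bit AND the purpose's bit."""
    tc = decode_tc_string(tc_string)
    return vendor_id in tc["vendors_consent"] and purpose_id in tc["purposes_consent"]

# Constructed sample with hypothetical vendor ids: purposes 1 and 2 accepted for
# vendors 2 and 40; vendor 40 also declares legitimate interest.
SAMPLE_TC = encode_tc_string({1, 2}, {2, 40}, {40}, created=1645747200)
```

Running `decode_tc_string(SAMPLE_TC)` shows the per-purpose and per-vendor sets separately, and `vendor_may_process(SAMPLE_TC, 40, 3)` is false even though the user "accepted the banner", which is exactly the kind of specific, granular check the decoder exists to support. Range-encoded vendor lists and additional segments (disclosed vendors, publisher TC) are out of scope of the sample encoder, though the decoder handles the range case.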
In February, the Belgian Data Protection Authority (DPA) announced its decision in a regulatory investigation of the TCF triggered by complaints led by the Irish Council for Civil Liberties, a civil liberties organization. The Belgian DPA found that the TCF program, as currently operated, violates the GDPR.
In its decision, the Belgian DPA considered, among other things, that (i) IAB Europe is a data controller under the GDPR but does not fulfill its many obligations as a data controller and (ii) the user consents obtained are invalid because users have not given their specific, informed and granular consent.
Although the decision is directed only at IAB Europe, the implication is that every industry participant relying on the TCF is using tainted data, collected on the basis of invalid consent. IAB Europe was fined 250,000 euros and given two months to develop an action plan to address the shortcomings, and then six months to implement the plan once the Belgian DPA approves it.
IAB Europe is appealing the decision, but the appeal does not suspend it. The whole industry is therefore left uncertain about how this data can continue to be collected and used in a compliant way.
Google Analytics
Recent decisions by the Austrian DPA and the French Commission Nationale de l'Informatique et des Libertés (CNIL) concluded that the use of Google Analytics by the EU website operators concerned violates the GDPR. The rulings, the first to result from the 101 complaints filed across the EU by the non-profit advocacy organization NOYB, are expected to trigger a wave of similar rulings from other EU regulators.
The Austrian DPA found that the Google Analytics cookies used by an Austrian website allowed personal data, including unique user identifiers, IP addresses and browser settings, to be collected and transferred to Google in the United States. It further found that the SCCs concluded between the website operator and Google did not provide an adequate level of protection under the GDPR, because the supplementary measures offered by Google did not overcome the risk from US surveillance activities identified in the CJEU's Schrems II judgment.
The CNIL, echoing these concerns, noted that data transfers to the United States are not sufficiently regulated and present risks to the privacy of users of French websites, and that the additional measures taken by Google were insufficient “to exclude the accessibility of this data to the American intelligence services”.
American companies are pressing for a diplomatic solution to the cross-border data transfer problem because the industry solutions are not working. And the TCF decision strikes at the heart of the ad-supported Internet in Europe, a market dominated by US companies. The next few months will be critical: more enforcement action is likely, uncertainty in the industry is growing, and American businesses continue to sweat as they await solutions to these many privacy challenges.
The opinions expressed are those of the author. They do not reflect the views of Reuters News, which is committed to integrity, independence and non-partisanship by principles of trust. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.