In a significant development, Google Analytics 4 is deemed legal in Europe following the recent adoption of the EU-U.S. Data Privacy Framework by the European Commission.
The news comes amid warnings from the Swedish Authority for Privacy Protection (IMY) concerning potential surveillance risks associated with GA4.
The legal status of GA4 in Europe and the IMY’s warning are interconnected parts of a larger global narrative about data privacy, protection regulations, and transatlantic data transfers.
EU-U.S. Data Privacy Framework Adopted
The European Commission ratified the new EU-U.S. Data Privacy Framework, affirming that the United States provides equivalent protection for personal data transferred from the E.U. as supplied within the Union.
This decision enables safe data transmission from the E.U. to U.S. companies involved in the Framework without necessitating supplementary data protection measures.
The Framework introduces stringent safeguards that address concerns previously raised by the European Court of Justice. These safeguards restrict the access of U.S. intelligence services to E.U. data, confining it to what is essential and proportional and establishing a Data Protection Review Court (DPRC). E.U. citizens will have access to this court.
Enhanced Safeguards Over Previous Mechanisms
The new Framework offers significant improvements compared to the previous Privacy Shield mechanism. For instance, if the DPRC determines data has been collected violating the new safeguards, it can order the deletion of such data.
U.S. companies importing data from the E.U. must adhere to obligations complementing the new safeguards concerning government access to data.
Swedish Privacy Watchdog Warns Against Google Analytics
The announcement of the new EU-U.S. Data Privacy Framework coincides with warnings issued by IMY for companies using GA4, citing concerns over surveillance risks posed by the U.S. government.