Data transfers, the EU and the United States: what is the marketing impact?

PHOTO: tostphoto

Who would have thought: data transfer has become the hot potato of data privacy compliance.

A statement from the Austrian Data Protection Agency that Verlags AG and Google have breached the European Union’s GDPR raises the stakes of a major clash of data protection laws between the United States and Europe . The cascading impact for regulators, analytics providers and technology providers is clear.

This article will examine the additional impact of the application of data transfer for analytics practitioners, marketers, and companies tasked with maintaining a strong data privacy policy.

How did data transfers become illegal?

The road to the data transfer issue has been built from several key court decisions in Europe. Regulators are concerned that data hosted outside the EU could be accessed by foreign governments, undermining citizens’ data privacy rights. This prospect has led European courts to rule on the most influential data transfer cases to date, such as the decision against IAB Europe regarding the use of the consent pop-up window.

Here is a timeline of key events regarding data transfer:

  • July 2020: Privacy Shield, a data transfer agreement that established a framework for acceptable data transfer between the United States and European Union countries, was established in 2016. But it was canceled due to a 2020 ruling by the European Court of Justice, which effectively made all commercial data transfers between EU countries and the United States illegal.
  • August 2020: None of Your Business (NOYB), an Austrian digital privacy NGO, has filed a complaint that companies sending data from the European Union to Facebook Inc. and Alphabet Inc.’s Google violate the GDPR.
  • January 13, 2022: The Austrian Data Protection Agency has confirmed a complaint about a website’s use of Google Analytics. The focus of the decision was where Google Analytics beacon data is stored. Analytics solutions, in general, store measured data from website or application interactions on a hosting server and then send it to dashboards for analysis. Because Google hosts its analytics data in the United States, Google Analytics on websites selling to customers in Europe is affected.
  • February 10, 2022: Experts expected NOYB’s complaint to be the first in a long series. On February 10, the Commission Nationale de l’Informatique et des Libertés (CNIL) also determined that Google Analytics data transmitted from France to the United States violated Article 44 of the GDPR.

Other tech giants are also facing similar data transfer breach charges. The Irish Data Protection Commission (IDPC) issued a preliminary stop order in 2020 regarding transfers of Facebook user data from the EU to the US. Reports indicate that Meta would pull Facebook and Instagram from European markets if an agreement on data transfer guidelines is not established. Markus Reinisch, vice president of public policy in Europe for Meta, issued a notice earlier this month indicating that a withdrawal is not being considered.

Related Article: IAB Europe to Appeal Belgian Data Protection Authority’s GDPR Data Consent Decision

More than analytics is at risk

The battle cry of professionals to understand where the data is going is not new. At the D8 conference in 2010, Apple founder Steve Jobs explained how Flurry Analytics leaked information about Apple’s iPhone and tablets ahead of an official Apple announcement. Flurry encouraged developers to embed its analytics beacons in their apps, which then sent data to Flurry without explicit user permission. Jobs was furious, explaining how Flurry circumvented Apple’s App Store guidelines and its strategy to limit developer access for advertising purposes, not to sell customer data. Such a revelation through the data was a harbinger of the regulatory worries tech companies are currently facing.

Data transfers raise questions of data residency, the geographic location where an organization hosts its operational data. Data residency is related to the legal and regulatory processing of personal data. Understanding these laws creates operational questions, such as whether local servers in a given sales territory are a necessary investment to remain compliant with privacy laws.

Different treatments of personally identifiable information may create conflicts in agreements between regions. For example, an IP address is not an informative detail about a person comparable to a hair or DNA. However, its use in combination with other information can inadvertently identify an individual’s location. Privacy frameworks in different regions vary in how they deal with this operational possibility with data.

Goes beyond the tech giants

The dispute over data transfer guidelines will impact businesses far beyond the debates facing big tech companies. On the face of it, last month’s Austrian decision appears to be a threat to Google’s brand image. Google Analytics is widely considered a digital marketing staple. Google has just launched a complete overhaul of the Google Analytics reporting interface, with a greater focus on measuring session activity. Any question about the trust behind a highly rated product or service becomes a test of brand trust.

A second implication is collateral damage for customers. Naming Verlags AG in the Austrian decision implies that the use of software supported by questionable data transfer poses a serious risk. Software, whether it’s a simple website or an app-supported platform, is an essential part of a business model and a critical part of how businesses operate today. today. Thus, how this software handles data becomes important in understanding transfer risk and whether residency issues apply. This means that companies whose use of data is only superficial are questioned can be drawn into a liability action.

Related article: The implications of the EU’s decision to tear down the Privacy Shield in the US

What is the message for marketers?

The key take-home message for marketers is how data flows through their martech stack, and not just from a user consent perspective. Martech consists of centralizing the data of a suite of connected software, such as an ecosystem around a CRM or an analysis solution.

But any software involves data and should raise the question of where it is stored, versus the types of data collected. Marketers need to appreciate the data operations they rely on to map the risk of collected data against regions with strict privacy regulations.

Marketers should also be prepared to assess the data transfer capability of partners. Almost all companies operate as a platform, so partners associated with this platform structure must demonstrate that their privacy prevention measures comply with the data transfer guidelines that your company must follow. Vigilance should be no different than protecting brand associations. B2B and B2C customers expect data privacy measures, even when the technical details may not be understood. Marketers need to demonstrate how their chains of data mining partnerships work for the good of the customer.

How will data privacy evolve between the US and Europe?

The final word of this breach of privacy is clearly undefined. The US and EU are negotiating an updated Privacy Shield Framework that will provide adequate guidelines for data transfers. Meanwhile, the IDPC is investigating data transfers associated with Facebook services, all in support of a final ruling expected in the first half of 2022.

Despite regulatory headwinds, tech companies are still financially successful. Google’s parent company, Alphabet, beat Wall Street analysts’ estimates in its recent earnings report. It further delighted analysts with a rare 20-to-1 stock split announcement. is confronted. For now, tech companies are more likely to resolve regulatory differences than go bankrupt.

Problems with data transfers might seem like a distant problem for a small B2B business outside of Europe, but they are not. Data transfers between regions highlight the extent of legal risk management for marketers, wherever they are.

Pierre DeBois is the founder of Zimana, a small business digital analytics consultancy. It reviews data from web analytics and social media dashboard solutions, then provides web development recommendations and actions that improve marketing strategy and business profitability.

Comments are closed.