Who would have thought: data transfer has become the data privacy compliance hot potato.
A declaration by the Austrian Data Protection Agency that Verlags AG and Google violated the European Union's GDPR raises the stakes for a major conflict of data protection laws between the US and Europe. The cascading impact for regulators, analytic solution providers and tech vendors is clear.
How Did Data Transfers Become Illegal?
The road to the data transfer issue was built from several key judicial decisions in Europe. Regulators are concerned that data hosted outside of the EU can be accessed by foreign governments, thus compromising citizen data privacy rights. This outlook has led to European courts ruling on the most influential data transfer cases to date, such as the decision against IAB Europe over the use of consent popups.
Here's a timeline of key events regarding data transfer:
- July 2020: Privacy Shield, a data transfer agreement that established a framework for acceptable data transfer between the US and countries in the European Union, was established in 2016. But it was nullified due to a 2020 decision by the European Court of Justice, which effectively made any business data transfers between EU countries and the US illegal.
- August 2020: None of Your Business (NOYB), an Austrian NGO advocacy group for digital privacy, filed a complaint that found companies that send data from the European Union to Facebook Inc. and Alphabet Inc.'s Google violate GDPR.
- Jan. 13, 2022: The Austrian Data Protection Agency upheld a complaint related to a website's use of Google Analytics. The central point of the decision was the location where data from Google Analytics tags is stored. Analytics solutions, in general, store data measured from website or app interactions on a hosting server, then send it to dashboards for analysis. Because Google hosts its analytics data in the US, Google Analytics on websites that sell to customers in Europe is affected.
- Feb. 10, 2022: Experts have expected the NOYB complaint to be the first of many. On Feb. 10, the National Commission on Informatics and Liberty (CNIL) also determined that Google Analytics data transmitted from France to the US is a GDPR Article 44 violation.
Other tech giants are also facing similar data transfer violation accusations. The Irish Data Protection Commission (IDPC) in 2020 issued a preliminary stop order regarding data transfers of Facebook user data from the EU to the US. Reports said Meta would pull Facebook and Instagram from the European markets if an agreement on data transfer guidelines was not established. Markus Reinisch, VP of Public Policy Europe for Meta, issued a notice earlier this month indicating that a pullout is not being considered.
More Than Analytics Is at Risk
The battle cry for business professionals to understand where data goes is not new. At the D8 Conference back in 2010, Apple founder Steve Jobs outlined how Flurry Analytics unveiled information about Apple iPhones and tablets prior to an official Apple announcement. Flurry encouraged developers to incorporate its analytics tags into their apps, which then sent data to Flurry without explicit user permission. Jobs was furious, explaining how Flurry circumvented Apple's App Store guidelines and its strategy of limiting developer access to advertising purposes, not selling customer data. Such a reveal through data was a harbinger of the regulatory worries that tech companies face now.
Data transfers raise questions of data residency, the geographic location where an organization hosts its operational data. Data residency is linked to the legal and regulatory treatment of personal data. Understanding these laws creates operational questions, such as whether local servers in a given sales territory are a necessary investment to remain compliant with privacy laws.
Differing treatments of personally identifiable information can create conflicts in agreements between regions. For example, an IP address is not an informational detail on a person comparable to hair or DNA. However, its usage combined with other information can inadvertently identify an individual's location. Privacy frameworks in different regions vary in how they address this operational possibility with data.
Goes Beyond Tech Giants
The conflict over data transfer guidance will impact businesses far beyond the debates major tech companies face. On the surface, the Austrian decision last month appears as a branding threat to Google. Google Analytics is widely regarded as a digital marketing staple. Google just launched an extensive redesign of the Google Analytics reporting interface, with a stronger emphasis on measuring session activity. Any question of the trust behind a highly regarded product or service becomes a test of brand faith.
A second implication is the collateral damage to customers. Naming Verlags AG in the Austrian ruling implies that usage of software that is supported by questionable data transfer is a serious risk. Software, be it a simple website or a platform supported by apps, is a critical part of a business model and a vital component of how businesses scale today. So how that software manages data becomes important for understanding transfer risk and whether residency concerns apply. This means businesses with only cursory data usage being questioned can get swept into liability action.
What Is the Message for Marketers?
The critical takeaway message for marketers is to know how data flows through their martech stack, not just from the perspective of user consent. Martech involves centralizing data from a suite of connected software, such as an ecosystem around a CRM or an analytics solution.
But any software involves data and should raise the question of where it is stored, relative to the kinds of data being collected. Marketers must appreciate the data ops they rely upon to map the risk of collected data against regions with strict privacy regulations.
Marketers must also be prepared to evaluate the data transfer capability of partners. Nearly every business operates as a platform, so partners associated with that platform structure must prove that their privacy protection measures align with the data transfer guidelines your business must meet. The vigilance must be no different than that for protecting brand associations. B2B and B2C customers expect data privacy measures, even when technicalities may not be understood. Marketers must demonstrate how their data ops chains of partnerships work for the customer's good.
How Will Data Privacy Evolve Between the US and Europe?
The last word on this privacy violation has clearly not been spoken. The US and EU are negotiating an updated Privacy Shield framework that will provide adequate data transfer guidelines. Meanwhile, the IDPC is investigating the data transfers associated with Facebook services, with a final decision expected in the first half of 2022.
Despite the regulatory headwinds, tech companies are still achieving financial success. Google's parent company, Alphabet, surpassed Wall Street analysts' estimates in its recent earnings report. It further delighted analysts with a rare 20-for-1 stock split announcement. While its poor earnings led to a striking stock price drop, Meta still has the scale and wherewithal to manage the regulatory hurdles it faces. For now, it is more likely that tech companies will resolve regulatory differences rather than go out of business.
The issues surrounding data transfers may seem like a faraway problem to a small B2B firm outside of Europe, but they're not. Data transfers across regions highlight the scale of managing legal risk for marketers no matter where they are.