The transfer of personal data to the USA does not comply with the GDPR. Implications and solutions.
Following the recent provision of the Privacy Guarantor relating to many digital marketing tools that are not compliant with the GDPR, we are carefully analyzing the reasons, implications and possible solutions of the matter.
There has been a lot of talk about Google Analytics, but this specific tool is just the tip of the iceberg.
As a matter of fact, we should not focus on individual platforms, but rather on the whole issue of transferring users’ personal data between countries that do not have the same privacy protection standards, in this case the European Union and the United States of America.
History and evolution of the legislation on the transfer of personal data abroad
On June 23, 2022, the Italian Privacy Authority published a press release stating that the Google Analytics configuration of the Caffeina Media Srl site is not compliant with the GDPR. This decision ideally follows those of the French and Austrian Privacy Authorities, which recently issued similar rulings in their countries.
Why is that configuration not compliant? In order to understand the current scenario, we need to step back a few years.
It all started in 2010: Maximilian Schrems, a young Law graduate and Austrian citizen, is attending a Master's at the University of Santa Clara in the USA. Here he meets a young Facebook executive, Ed Palmieri, who gives a lecture on the subject of privacy.
Schrems considers Palmieri’s talk to be lacking or careless: it is clear that Facebook ignores many rules of European privacy, and so he starts his first legal action.
Maximilian asks Facebook for access to 1200 contents of his personal page, under the so-called “right of access” included in the user’s privacy rights, along with the rights to object, to have data updated, to restrict processing, to portability and to erasure.
These are the rights that today Federico Leva is pleading for, sending requests to Italian companies to assert his privacy rights.
Going back to 2010, Schrems receives a CD from Facebook with 1200 pages of personal data. He thus discovers that the Big Tech company has not deleted many contents he had removed himself: Facebook does not delete contents according to the user’s will, it keeps them instead. We can consider this legal action Schrems’s ground zero: 22 ‘accusations’ made by Maximilian against Facebook and presented to the Irish Guarantor.
Lord Richard Allan, then Head of Facebook’s European policy, understands that Maximilian’s intuition is dangerous for his company: Schrems is summoned and in 2012 they offer him a job, which he refuses.
Shortly thereafter, Schrems I begins: the first real lawsuit on EU-US data export. It will last several years, and in the end the verdict is that a ban on data transfer, which was previously regulated by an international agreement called Safe Harbor, must be urgently established.
The issue is in the spotlight: this was the time of Edward Snowden’s revelations on the violation of the FISA (Foreign Intelligence Surveillance Act), an American act regulating the surveillance that US institutions can exercise on non-American citizens. As is known, after 7 years the American government agreed with Snowden.
Also in 2015, the Court of Justice of the European Union established the invalidity of the Safe Harbor, in the Schrems I ruling.
However, immediately after this turning point, the Privacy Shield came into force, with a new government pact that regulates inter-country privacy, and reconstructs a “buffer” agreement between the EU and the US.
In fact, the Privacy Shield was a necessary political decision for the sake of economy and services. Unfortunately, it allowed the President of the USA to decide to access the personal data of citizens, both American and non-American, without any previous authorization from a judge.
All this tension worsened in 2018, when the GDPR came into force.
The Schrems II ruling declares the Privacy Shield invalid, as was the case for the Safe Harbor, which was not compatible with the GDPR according to the Court of Justice.
Not only Schrems but also Noyb (European Center for Digital Rights, a European non-profit organization based in Vienna, founded in 2017) sent 101 complaints to 30 Privacy Guarantors in the EU, against big companies not respecting their users’ privacy.
After two years, authorities began to rule on the matter, finding in Schrems's favor.
We now hope for a new agreement between the EU and the US, in order to really protect the privacy of users, not just a “filler” like the previous Privacy Shield, but a true solution to correctly regulate access to personal information by companies, governments and secret services.
The Italian Privacy Guarantor, as well as other European authorities, can only notify the companies caught “at fault”, which will have 90 days from the formal notification – as happened for Caffeina Media Srl, for example – to adjust their systems.
Therefore, this doesn’t mean – as many have mistakenly stated on the web and on social media in recent weeks – that all companies have a 90-day time limit to adapt.
Nor does it imply that the solution must come from the institutions: the Guarantor should not technically suggest how to make these tools compliant. This is up to the digital specialists, as we are doing in ByTek.
Data export: what is personal information and what are the consequences for the companies’ marketing
The fall of the Privacy Shield has consequences: it is no longer possible to export personal data of European citizens to the United States.
Even though it sounds like something abstract, quite far from everyday life, we need to understand what personal data is in order to consider the practical implications:
What is personal data
“Personal data is any information that identifies or makes identifiable, directly or indirectly, a natural person and that can provide information on their characteristics, habits, lifestyle, personal relationships, state of health, economic situation, etc.”
According to this definition, the user’s IP address is considered personal data, and so is a set of data that makes the user recognizable only when combined together. The non-compliance of Google Analytics is based on this last point:
“In declaring the unlawfulness of the processing, it was reiterated that the IP address constitutes personal data and even if it were truncated it still couldn’t be anonymous, since Google is able to enrich it with other data in its possession”
This is a key concept stated by the Guarantor: the IP is personal data, so it cannot be exported to the United States.
This means that any platform that stores and manages the user’s IP manages personal data. However, the IP, the address of the computer we are using, is the basis of the TCP/IP protocol.
For example, to read this article a server (or more servers) has read your IP to connect you with the server hosting the article, and this server could save your IP for statistical reasons. If this server is owned by an American company, this action is not compliant with the GDPR. Technically, CDNs, hosting providers and cloud platforms may not be compliant even if they save the user’s IP just for statistical reports.
What are the implications for digital advertising
According to this interpretation, all advertising platforms and their tags / pixels are not compliant, because they certainly save the user’s IP address and certainly collect other information to recognize the user, and therefore they manage personal data. Since the main advertising platforms are based in America, it is easy to imagine the consequences:
- We can no longer measure advertising performance, because conversion pixels use personal data and, to date, even the conversion import functions use elements that can be traced back to the individual user, such as Google Ads click tracking;
- Since we can no longer track conversions, we will no longer be able to do advertising the way we do it today, through increasingly performing bidding models: instead we will have to return to manual management or automatic optimization processes based on traffic and exposure;
- We can no longer carry out remarketing activities (in this case because we would recognize on external sites a user that has navigated on our own site);
- We can no longer monetize the traffic on our sites with programmatic advertising platforms;
- We can no longer use all those conversion measurement technologies with first party data (such as Google Ads Enhanced Conversion or Facebook Conversion API) because we cannot send personal user data anymore;
- Publishers should find a different adserver, relying on a European server or managing the servers themselves with some open source projects, since Google Ad Manager obviously sees the user’s IP. Of course in this case they could only exploit the direct sale of advertising spaces, dismissing today’s most advanced solutions, because obviously programmatic advertising shares a user ID and the related information. Therefore, it uses personal data that is most likely exported to the USA, as the main monetization platforms are American.
The scenario is quite alarming, considering that the current technological proposals to replace third-party cookies are still immature, and they might still export personal data. In Germany, Microsoft’s Office 365 was also declared non-compliant and Facebook is also experiencing issues in Ireland.
At the beginning of the controversy, the main newspapers focused only on Google Analytics, implying that this specific technology was the problem, but the situation is very different, as you can see.
Actually, Google Analytics could turn out to be compliant through a server-side Tag Manager, which allows you to hide the user’s IP from Google’s servers and to anonymize other information, making it de facto impossible to recognize the user. As stated by the lawyer Guido Scorza during the interview with our friends from the Web Marketing Festival: “Google Analytics is just the tip of the iceberg, the situation is much more complicated”.
Potential solutions to minimize the risk of exporting data in the US
Below you can find the possible solutions we have developed by deepening the subject, along with their compliance and implementation characteristics:
There is one solution that is totally compliant with the current regulations: completely blocking data transfer to the United States. In practice, this is the third column of the table above, which consists of:
- Complete mapping of data collection and review of data transfer systems
- Removal of ALL systems applying data transfers
- Installation of a data analytics system based in the EU
- Removal of all advertising pixels
- Complete refactoring of advertising campaigns through manual approach, without conversion data
What would be the costs of this full-block solution? To give you an idea, we have estimated between 150,000 and 250,000 euros invested by a medium-sized customer to activate a solution that:
- does not allow you to optimize campaign bidding using automatic platform bidding strategies, but only tries to imitate them with enormous limitations;
- does not allow you to see the conversion data within the advertising platforms but only on a digital analytics system developed in Europe (Matomo, Piwik Pro, etc.);
- does not allow you to use remarketing strategies.
Here in Bytek we are ready to support fully compliant strategies, to face all the related problems and to optimize advertising activities in blind mode. However, we would advise against this choice and recommend focusing instead on minimizing risk, adopting solutions that do not allow Google Analytics to export to the United States either the IP or other signals that can be used to identify the user.
How to be truly GDPR Compliant
Here the issue is not to find a technological workaround to the current investigation carried out by the Guarantor, but to understand how to solve the problem at the source. Otherwise the world of digital advertising will remain this uncertain, since current technologies – such as advertising pixels – cannot be made compliant. The only real solution is a political one, unless we are willing to take a major step back in technology.
We believe the European digital advertising industry should unite in a lobbying action for Europe to sign an agreement with the US: a true agreement for everyone, users and companies, unlike the Privacy Shield, which was so rapidly demolished by Schrems.
Furthermore, we hope for a European framework project so that European cloud computing solutions can grow and join forces: GDPR has taught us that data will be the next battlefield, so we should become an example for the rest of the world in operational data management as well.