In this post, Pixalate, the global market-leading fraud protection, privacy, and compliance analytics platform for Connected TV (CTV) and Mobile Advertising, reviews an update concerning international transfers of personal data, which will now take place under the newly adopted European Union - United States Data Privacy Framework adequacy decision.
About the author: Yusra is a data protection and privacy specialist with experience advising the global pharma and automotive industries on a range of privacy matters connected to in-house, B2B and B2C setups. She specialises in providing pragmatic legal advice and guidance under Europe's key legal and regulatory frameworks relating to Data Protection, Compliance and Corporate Governance. Before joining Pixalate, Yusra worked as a Data Privacy Counsel for the German pharmaceutical company Boehringer Ingelheim and, prior to that, as a Privacy Specialist at Porsche Cars.
After the Court of Justice of the European Union (CJEU) issued the Schrems II judgement, no adequacy decision in favour of the USA permitting the free flow of restricted data transfers was in place for over two years. Whilst attempts were made to revive the previously invalidated framework, they fell through due to the inadequacies already underlined in Schrems II.
This pause not only impacted the way restricted transfers of personal data took place between the EU and U.S. but also required additional transfer mechanisms (such as the Standard Contractual Clauses) to be put in place before a company made any transfers to receiving companies outside of the EU/EEA region. Data controllers (or Data Exporters) were also required to carry out laborious and time-consuming processes, such as Transfer Impact Assessments (TIA), that often produced uncertain results. Companies had to put in place additional safeguarding measures to keep restricted transfers safe and protected throughout the transfer journey.
This is because Chapter V of the EU and UK General Data Protection Regulation (GDPR) places restrictions on transfers of personal data outside of the UK and EU/EEA regions. These restrictions are based on the philosophy of ensuring that benefits of high data protection standards continue to apply to EU and UK residents even if their personal data is transferred outside of these regions.
In other words, the GDPR only permits restricted data transfers if the data receiver is either covered under the scope of adequacy regulations or by putting in place ‘appropriate safeguards’ prior to continuing with such a transfer. Undoubtedly, some exemptions are allowed, but these are fairly exhaustive and limited in scope, making them inapplicable in most commercial industry areas that focus heavily on personal data processing.
New Framework: The EU-US Data Privacy Framework
After various reviews and considerations of the law, on July 10, 2023, the EU Commission adopted its adequacy decision for safe and trusted international data transfers between the EU and U.S.
This decision concludes and further creates a revived pathway for U.S.-based organisations to rely on the new legal framework established under the EU-US Data Privacy Framework (EU-US DPF) for conducting restricted transfers of personal data. As per the EU Commission, the DPF sets an equivalent standard to that established under the EU GDPR when conducting international transfers of personal data.
Some key operational elements that U.S.-based organisations must now consider are as follows:
Additionally, from July 17, 2023, ITA will also launch its Privacy Shield website to allow organisations to submit self-certifications and join the EU-US DPF. The website will also cover submissions for the UK Extension of the EU-US DPF (when applicable) and the Swiss-US DPF.
The website will also enable organisations to make their annual renewal submissions for each framework and will further include a variety of guidance materials and supportive measures.
Restricted Transfers from the United Kingdom & Switzerland
One key point to highlight concerns the UK Extension of the DPF. Whilst organisations can already start self-certifying under the UK Extension for compliance purposes, they cannot yet rely on the UK-US data bridge for conducting any restricted transfer: the data bridge remains to be finalised, and it can only be relied upon for such transfers once it is concluded and comes into effect.
However, organisations that previously participated in the Swiss-US Privacy Shield can start complying with the new Swiss-US DPF and update their privacy policies before October 17, 2023, in line with the EU-US DPF set-up.
Impact on AdTech
The DPF mechanism will generally be welcomed by the advertising technology sector; backed by the White House as an economic relationship worth $7.1 trillion, the new adequacy decision also ends a deadlock in which U.S.-based technology companies were restricted from processing the personal data of EU-based customers. As large social media companies like Meta continue to rely on hefty revenues from ads delivered within Europe, it is becoming evident that Europe will continue to attract U.S.-based tech giants, with more companies anticipated to rely on the DPF to gain access to European consumer data.
The DPF translates into more flexibility when accessing customer data, without the time-consuming and expensive processes of putting safeguards in place prior to transferring personal data. U.S.-based tech companies working with local sub-processors can also rely on the DPF to share and view customer data with each other for purposes such as optimisation and web analytics.
However, U.S.-based companies wishing to import data from the EU must take note of the strict obligations that kick in under the new framework; the DPF offers EU residents several avenues for redress if their personal data is mishandled, including free and independent dispute resolution mechanisms. It also gives EU residents the ability to access their personal data and to request corrections, and even deletion, if they suspect that their personal data is being handled unlawfully by such data-importing companies.
Though we anticipate a phase in which the U.S. Department of Commerce will scrutinise these heightened safeguards and how they are complied with in practice, a bigger challenge for the ad industry may be forthcoming via the strict regulations that have recently come into effect under the Digital Markets Act.
Ad tech platforms will also have to carefully review their partners’ privacy policies by the deadlines (mid-October 2023).
Anticipated Legal Challenges
While some may welcome a decision that enables a friction-free flow of personal data across the Atlantic, the not-for-profit organisation NOYB is gearing up to bring another legal challenge against the newly issued adequacy decision.
The Chairman and Founder of NOYB, Maximilian Schrems, has already issued an open letter to the EU Commissioner demanding an apology for referring to the legal challenges brought to the CJEU by not-for-profit campaigners as “business models.” As per NOYB’s assessment, there are little to no changes in the new adequacy decision, and NOYB expects the new DPF to be back under the European Court of Justice’s scrutiny by the beginning of 2024.
List of Top Apps Impacted
Pixalate has compiled a list of the top 20 most popular apps based on programmatic ad traffic in the EU that currently have international data transfer clauses in their privacy policies. Access the full list of apps here:
Disclaimer: The content of this page reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC, “‘Fraud’ is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other legal proceedings, but rather a custom definition strictly for advertising measurement purposes.” Also per the MRC, “‘Invalid Traffic’ is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”