The EU Data Act will require cloud providers like Amazon, Microsoft and Google to stop illegal data transfers between the EU and non-EU. The bill is scheduled to be presented somewhere in the coming month. Reuters shares the news based on a document that — according to Reuters — was leaked.

The Data Act, a European bill, will be presented before the end of February. According to the European Commission, the bill was designed to facilitate and secure data transfers between European companies and governments. Only when the Data Act is presented can we confidently say what the bill will actually bring about.

News organization Reuters says it has seen part of the Data Act. According to Reuters, the Data Act stipulates that providers who process data must “take all reasonable technical, legal and organisational measures to prevent such access that could potentially conflict with competing obligations to protect such data under EU law.”

What does that mean?

If Reuters’ document is correct, the implications are significant. To clarify, we will be describing its impact on Google Analytics.

Google moves personal data (data) from the EU to the US. The GDPR states that European personal data must always be secured according to European laws — even when the data is processed outside the EU.

There’s one problem. US laws apply from the moment Google processes data in the US. One of the laws states that intelligence agencies should always have access to data processed in the US. This is in violation of the GDPR.

Google crosses EU lines to follow US laws. The organization is frequently slapped on the wrist, but the greatest responsibility lies with Analytics users. According to the Reuters document, the Data Act changes things.

Google should “take all reasonable measures to prevent data access that conflicts with obligations to protect data under EU law.” In other words: the EU can impose quite a few conditions on services that process data.

Google — but also Amazon, Microsoft and others- – could be required to make drastic policy changes to operate in the EU. Changes that, in the case of Google Analytics, might violate foreign laws. Although organizations using their services often remain co-responsible for data privacy, the responsibility shifts.

Far from home

We find it important to emphasize that the Reuters report cannot be confirmed until the Data Act is presented. Even if the report turns out to be correct, we could be months or years away from actual change. First, European member states and the European Parliament must approve the proposal. Often, a bill is repeatedly amended before all parties are satisfied. There is no guarantee that the first draft will be similar to the final law.