
Adobe Analytics and GDPR

Note: Not a lawyer. Speak with legal counsel for compliance issues. For questions on your specific Adobe Analytics configuration, speak with your agency or Adobe Account Rep.

One may assume, given my recent blog posts, that all American analytics software is unlawful due to Europe’s General Data Protection Regulation, but the reality is more nuanced. Google’s major issue was shipping all data to the United States for processing, subjecting it to more stringent requirements for lawful transfer under Chapter V of the GDPR. This has prompted people to wonder if Adobe would be found in the same quagmire. I take a look at their documentation in this post, and cross-reference it with current events to try to get more insight into that answer.

Data Collection

Like Google Analytics, Adobe Analytics collects a vast amount of different data points in their analytics product by default. I have no doubt that some of this is personal data (as defined by GDPR) which would require user consent for collection.

We can see from their documentation that Adobe users can specify regional collection points. In the case of Europe, this means data could be collected in Ireland or Paris. As we haven’t left the European Union yet, this means that Article 45 of the GDPR applies for consent mechanics. This is a much lower bar than the Article 46 requirements that Google claimed to apply to its collection and processing.

Data Processing

When Google reported to the Austrian DPA that the Google Analytics data processing occurred in the United States, it prompted an evaluation of lawful processing where the United States' data adequacy was considered. Google was subject to stricter requirements as a result.

In contrast to this, Adobe has several different Data Processing Centers around the world. For the EU specifically, this means that data can be configured to be processed in a leased data center in London per their documentation. Once the data is processed there, it becomes available to the Adobe Experience Cloud.

This is significant: because the data does not leave the EU for collection or processing, it is subject to different Articles of the GDPR for lawful transfer. It is my belief that this means Adobe is subject to Article 45 requirements, rather than the Article 49 requirements (which I covered recently) that I believe Google Analytics is subject to.

Cloud Concerns

For me, the biggest outstanding question that prevents me from declaring Adobe fully compliant is the United States CLOUD Act. There was a recent court case in Germany, where the court considered the Content Delivery Network (cloud) provider to be in violation of GDPR because it was an American-owned company, and so subject to the CLOUD Act.

Earlier this month there were developments in that case: the injunction initially levied against the University has been stayed pending trial due to the far-reaching ramifications of such a decision.

As no decision has yet been issued by a data protection authority that has considered the CLOUD Act, and the German court outcome is presently undecided pending trial, how the CLOUD Act factors into determining GDPR compliance remains an open question.

With that said, we’re presently in a waiting environment. Earlier this week the 22 members of the European Data Protection Board issued a press release which indicated that a major focus for the coming year will be an evaluation of cloud providers, and whether those cloud providers comply with the GDPR.

In particular, SAs will explore public bodies’ challenges with GDPR compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.

https://edpb.europa.eu/news/news/2022/launch-coordinated-enforcement-use-cloud-public-sector_en

Once one of the situations resolves, we may ultimately end up with an answer to this question – but for now the best we can do is make data collection as lawful as possible based on what we do know.

Verdict

So is Adobe Analytics GDPR compliant? In my opinion it could be, if properly configured in regard to data collection and processing centers. Brands would need to consider the risk of an adverse CLOUD Act ruling, but at least for now, while that remains an open question, based on a review of the documentation and my understanding of the decisions to date and the laws involved – I have to say it likely is – if configured properly.
