[snowwolf]

Has Google Analytics now adopted the latest European Commission approved SCCs (https://ec.europa.eu/info/law/law-topic/data-protection/inte...) and does that mean using GA with those SCC's is now compliant going forwards. Or does this cases verdict that "SCCs and "TOMs" not enough" now mean those EC approved SCCs are now useless?

[tedivm]

This case is explicitly about US Law and how it contradicts the EU law. According to this case, as long as US law allows the US government to force US companies to share data with the US Government then you can't share data with those US companies.

To quote directly-

> SCCs and "TOMs" not enough. While Google has made submissions claiming that has implemented "Technical and Organizational Measures" ("TOMs"), which included ideas like having fences around data centers, reviewing requests or having baseline encryption, the DSB has rejected these measures as absolutely useless when it comes to US surveillance (page 38 and 39 of the decision):

> "With regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measure] are effective in the sense of the above considerations."

> "Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law."

[snowwolf]

Exactly my point. However the European Commission has released "Approved" SCC's in June 2021. Does this case now invalidate those because "the DSB has rejected these measures as absolutely useless when it comes to US surveillance" in which case it is in conflict with the European Commissions guidance.