Intro
It’s 2022, and the data protection world has seen substantial change in how Google Analytics (and its cookies) can be used in Europe.
It’s no news to anyone that use of the US service Google Analytics in the European Economic Area (“EEA”) has become controversial over time, primarily because of concerns about the security of personal data transfers, storage and access. As a reminder, the GDPR sets strict criteria for determining whether a country outside the EEA is treated as a “secure third country” or a “non-secure third country” for data protection purposes.
A secure third country is a country outside the EEA for which the European Commission has issued an adequacy decision, i.e. it has found that the country’s law protects personal data to a standard essentially equivalent to the GDPR when data is transferred, shared and stored there.
Examining the legitimacy of such a transfer is done in two stages. First, the processing itself must be lawful: processing of personal data is prohibited unless a legal basis permits it. Besides consent, Art. 6 of the GDPR lists further legal bases, such as performance of a contract or protection of vital interests.
For special categories of data, which require a higher level of protection, Art. 9 of the GDPR sets out separate conditions. If the processing meets these general requirements, the second step is to confirm that the transfer to the third country is itself permitted under Chapter V of the GDPR.
In third countries deemed “secure”, national law provides a level of protection for personal data comparable to that of EU law.
If the country has no adequacy decision, this does not mean that the transfer cannot take place. In that case the data controller must ensure by other means that the personal data will be sufficiently protected by the data importer.
The most common way of doing this is with Standard Contractual Clauses (SCCs) adopted by the European Commission; for transfers within a corporate group, so-called Binding Corporate Rules (BCRs), approved by the competent supervisory authority, serve the same purpose. Since Schrems II, the exporter must also assess whether the law of the destination country undermines those safeguards and, if it does, add supplementary measures.
Comparing US and EU approach to data protection laws
The US approach to data protection is significantly different from the European one: instead of one all-encompassing regulation like the GDPR, US legislation consists of sector-specific privacy and data protection laws that work alongside state laws to safeguard residents’ data.
California is one of the states ahead of the game, for example with a security breach notification law enacted in 2002. Still, not all states are on the same page, and that is one of the issues with US legislation: its lack of consistency and scope.
The essential difference between the US and the EU regarding privacy and data protection law is their point of focus. US legislation seems more inclined to treat data as a commercial asset, while the EU, with the GDPR, has been determined to put individual rights before the interests of businesses.
European companies that fail to protect data subject rights expose themselves to substantial fines and considerable reputational damage.
Let’s remember as well that the former EU-US Privacy Shield, a framework designed by the European Commission and the US Department of Commerce to facilitate transatlantic exchanges of personal data for commercial purposes, was declared invalid in 2020 for transfers of personal data from the EU to the US, on the basis that it does not fully protect EU citizens given the surveillance powers of US agencies.
After all, the Privacy Shield was always meant to act as an agreement, not proper regulation, and it did not address the individual privacy rights vouchsafed by the GDPR (e.g., the right to be forgotten).
The case in question was Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“the Schrems II case”).
Austrian Data Protection Authority decision on cookies
On the 13th of January 2022, the Austrian data protection authority (“DSB”) ruled that the use of Google Analytics (cookies) violates the GDPR because of the transfer of personal data to the US. Specifically, the DSB found a violation of Article 44 of the GDPR: personal data was exported to an importer in the US, Google LLC, through ongoing use of Google Analytics without ensuring an adequate level of protection, as required under Chapter V of the GDPR.
This followed a complaint brought by NOYB (European Center for Digital Rights), filed in August 2020 as one of 101 complaints NOYB lodged against EU companies for continued use of Google Analytics and Facebook Connect.
NOYB stated that this allegedly subjected EU citizens’ personal data to US surveillance laws, in violation of the requirements of the Court of Justice of the European Union’s (“CJEU”) judgement in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“the Schrems II case”).
As we know, Google Analytics is used to provide statistical data on website visits. US service providers are currently largely failing to ensure the required level of protection, since they neither obtain properly regulated consent nor further limit the processing carried out by Google.
If they did, they could use Google Analytics. The decision also reflects a systematic concern in the EU about access to data by the US government.
The decision made by the Austrian DPA, a view the Dutch data protection authority has indicated it shares, sets a precedent in the European Union for the continued use of US service providers for data transfers.
The rest of Europe and the life of Google Analytics
Italy
Another strike against use of Google Analytics in Europe: The Italian data protection authority has found a local web publisher’s use of the popular analytics tool to be non-compliant with EU data protection rules owing to user data being transferred to the U.S.
The Garante found the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, OS, screen resolution, language selection, plus the date and time of the site visit, which were transferred to the U.S. without adequate supplementary measures being applied to raise the level of protection to the necessary GDPR standard.
Protections applied by Google were not sufficient to address the risk, it added, echoing the conclusion of several other EU DPAs which have also found that use of Google Analytics violates data protection rules because of the data export issue.
Italy’s DPA has given the publisher in question 90 days to fix the compliance violation.
But the decision has wider significance as it has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing in a press release [translated from Italian with machine translation]:
“The Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through GA [Google Analytics], also in consideration of the numerous reports and questions that are being received by the Office, and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data.“
France
The CNIL’s guidance suggests that only very few EU-based site owners can use Google’s analytics tool lawfully: either by applying additional encryption where the keys are held under the exclusive control of the data exporter itself, or by using a proxy server so that the user’s terminal never contacts Google’s servers directly.
In February 2022 the CNIL released the following statement regarding the use of Google analytics:
“The CNIL concludes that transfers to the United States are currently not sufficiently regulated. Indeed, in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.
However, the CNIL found that this was not the case. Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services. There is therefore a risk for French website users who use this service and whose data is exported.
The CNIL notes that the data of Internet users is thus transferred to the United States in violation of Articles 44 et seq. of the GDPR. The CNIL therefore ordered the website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU. The website operator in question has one month to comply.”
Germany
The use of Google Analytics in Germany has been deemed permissible by the data protection authorities, but with conditions. This seems to go against the decisions of some of the other supervisory authorities and undermines the consistent approach the GDPR was meant to bring to the EU. Note that these conditions stem from the 2011 arrangement between the Hamburg Commissioner and Google, which predates both the GDPR and Schrems II, so they address the storage of full IP addresses rather than the transfer question raised by the Austrian, French and Italian decisions.
The guidelines for German website operators are set out below. A few simple rules should ensure that the requirements of the German data protection authorities are met:
- Website operators should state in their privacy policy that Google Analytics is used on their website.
- Website operators should enable the IP anonymisation setting (“anonymizeIp”), which tells Google Analytics to truncate the user’s IP address before it is stored or processed.
- Website operators should explain in their privacy policy that users can disable tracking via the Google Analytics Opt-out Browser Add-on. End users can, if they wish, prevent data being sent to Google very easily by installing this add-on.
The German data protection authorities published updated terms of agreement (in German), which include the authorities’ coordinated arrangements for data processing.
Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, is quoted as saying:
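The two technical options that recur above, the CNIL’s proxy server that keeps the user’s browser away from Google’s servers and the German rule of truncating the IP address, can be combined in one small server-side component. The following is an added example written for this article; it is not code from the original page, from Google, or from any of the supervisory authorities. It assumes the Universal Analytics Measurement Protocol field names (v, tid, cid, t, aip, uip), Google’s documented truncation rule (last octet of an IPv4 address and last 80 bits of an IPv6 address set to zero), and a constructed sample hit; the proxy endpoint the browser posts to is left to the reader.

```javascript
// Added example, not code from the original article or from Google: a
// server-side proxy step of the kind the CNIL guidance describes, combined
// with the IP masking rule from the German guidance. The browser sends its
// analytics hit to our own endpoint instead of google-analytics.com; the proxy
// masks the visitor's IP the way Google documents its own "IP anonymization"
// (last octet of IPv4 / last 80 bits of IPv6 set to zero), forces the
// anonymize-IP flag and the site's own property ID, and builds the hit it
// will forward. Assumptions: Universal Analytics Measurement Protocol field
// names (v, tid, cid, t, aip, uip) and the constructed sample hit below.

const COLLECT_URL = 'https://www.google-analytics.com/collect';

// Expand an IPv6 address into eight hex groups, resolving "::".
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('invalid IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('invalid IPv6 address: ' + ip);
  }
  const groups = [...head, ...new Array(missing).fill('0'), ...tail];
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error('invalid IPv6 address: ' + ip);
    return g.toLowerCase().replace(/^0+(?=.)/, '');
  });
}

// Truncate an IP address exactly as Google's IP anonymization does:
// IPv4 -> last octet zeroed, IPv6 -> last 80 bits (five groups) zeroed.
function maskIp(ip) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    const octets = ip.split('.').map(Number);
    if (octets.some((o) => o > 255)) throw new Error('invalid IPv4 address: ' + ip);
    octets[3] = 0;
    return octets.join('.');
  }
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);
    return groups.slice(0, 3).join(':') + '::'; // keep the /48 prefix only
  }
  throw new Error('unrecognised IP address: ' + ip);
}

// Build the hit the proxy forwards to Google. `incomingQuery` is the body the
// browser posted to our endpoint, `clientIp` is the address of the TCP
// connection (or a trusted X-Forwarded-For value), `propertyId` is our own
// tracking ID, so the proxy cannot be abused as an open relay for other sites.
function buildProxiedHit(incomingQuery, clientIp, propertyId) {
  const params = new URLSearchParams(incomingQuery);
  for (const field of ['v', 'cid', 't']) {
    if (!params.has(field)) throw new Error('missing Measurement Protocol field: ' + field);
  }
  params.set('tid', propertyId);       // never trust the property ID sent by the browser
  params.set('uip', maskIp(clientIp)); // Google geolocates on this, not on the proxy's IP
  params.set('aip', '1');              // ask Google to anonymize on its side as well
  return { url: COLLECT_URL, body: params.toString() };
}

// Constructed sample: a page view hit as analytics.js would send it, with a
// spoofed uip that the proxy must overwrite.
const SAMPLE_HIT =
  'v=1&tid=UA-00000-0&cid=35009a79-1a05-49d7-b876-2b884d0f825b&t=pageview&dp=%2Fhome&uip=198.51.100.7';

// Stand-alone run for the reader.
function main() {
  const hit = buildProxiedHit(SAMPLE_HIT, '203.0.113.57', 'UA-12345-1');
  console.log(hit.url);
  console.log(hit.body);
}

if (typeof require !== 'undefined' && require.main === module) main();
```

For the client-side setting the German rule refers to, the equivalent with analytics.js is `ga('set', 'anonymizeIp', true)` and with gtag.js `anonymize_ip: true` on the `gtag('config', ...)` call; both leave the truncation to Google, whereas the proxy above applies it before any data leaves the site’s infrastructure. Masking the IP is only the first of the steps the CNIL asks of a proxy: the other identifiers in the hit (client ID, referrer, page path) would also need to be pseudonymised or stripped, which this example leaves untouched.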
“We are at the end of a long but constructive consultation process. The intensive cooperation between data protection supervisory authorities on the one hand, and Google on the other hand, has made the necessary improvements. I welcome the announcement from Google that technical changes will be implemented throughout Europe. However, I would also remind you that the work is not completed. In particular, it should be noted that not Google, but the website owners who use the product, are responsible for the privacy-friendly use.”
Is there a sufficient European alternative for the use of Google Analytics?
The legal consequences of unlawful processing of personal data in the European context are too serious to ignore, and data protection is at the core of European digital rights, so website operators won’t risk it.
They will prefer to migrate to alternatives to Google Analytics that are compliant with the GDPR. Regulators in 30 European countries are currently investigating the other complaints, and the majority of those decisions will likely have the same or similar outcomes. There are plenty of European cloud-based analytics services that don’t get as much attention as Google Analytics, which is estimated to be used by 28 million websites worldwide. On the other hand, Silicon Valley companies have shown little willingness to adapt to the European rules, since they see no problem with shipping EU data to the US.
Unless a new data deal is put in place, the scenario looks problematic for the US company.
Only an arrangement that fully complies with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic.
Conclusion
Looking at all the decisions across the EU on the use of data by Google in general, and the level of fines imposed by various supervisory authorities for violations of the GDPR in one way or another, Google has not managed to embed the requirements of the GDPR into its framework.
The roll-out of GA4, with new privacy settings intended to give some control back to the data subject, is an effort by Google to show some willingness to try. One can only feel that the EU-US data transfer argument is going to go on for some time, and NOYB will be waiting for a Schrems III and IV, maybe even a V.
The UK government is working on granting the US its own adequacy for data transfers, so it and website operators in the UK will not face this issue, but that will not resolve the territorial scope of the GDPR when dealing with EU residents’ data.
Austria is the first domino in the line to tip over, France and Italy have fallen, and one must simply wait to see the rest topple.
Google Analytics as we know it now is in an untenable state: website operators are using it in the knowledge that they are breaching the GDPR, playing Russian roulette with the supervisory authority.
But where do we draw the line? The economy has to go on; we cannot stop trading with the US or using the best products on the market because of a GDPR violation that won’t affect us anyway. Think of all the digital platforms used in everyday business, where that data goes, and which country will have access to it.
Remove every software system that has a touchpoint with the US and there will not be many left, so where will it end?
At the moment the crosshairs are firmly on Google Analytics, so that has to be your compliance risk topic. Make your decision and wait for the next target.
Contact Propelfwd for more information.