In a recent decision, the Austrian Data Protection Authority (DPA) held that the use of Google Analytics violates the EU General Data Protection Regulation (GDPR) because it does not meet the GDPR's requirements for the safe transfer of personal data.(1) The decision was issued against an Austrian website operator as the defendant. How will this impact the use of Google Analytics? Is there a way to use Google Analytics that complies with data protection rules? And how does this decision impact broader international data transfers? This article looks at the decision in detail.
What is Google Analytics?
Google Analytics is a web-tracking and analysis tool used by almost every website and many web-shop operators. Recent surveys show that more than 86% of the websites that use a traffic analysis tool are running Google Analytics. It provides basic analytics and statistics tools to track website performance, conversion rate (ie, how many website users become paying customers), bounce rate (ie, how many website users enter the site and then leave again, rather than staying within the site's "digital environment") and marketing effectiveness, among other things. It also analyses how users interact with the website and its features. Google Analytics is free to use for anyone with a Google account.
Google Analytics works when the website operator embeds the Google Analytics Tracking Code (a "tag") in the JavaScript of their website. This tracking code is activated when a user accesses the website; it then collects user data and sends this data to Google LLC, the US technology company headquartered in California. Furthermore, the tracking code sets a first-party cookie on the user's computer. First-party cookies are used by websites to re-identify users who return to the website, to collect data for different purposes (eg, identifying the shopping cart, measuring website performance on different types of web browser, gathering data on general website usability, and recording surfing behaviour for personalised advertising) and to create a user profile. The collected cookie data is then also sent to Google.
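The paragraph above describes the mechanism (a loader script plus first-party cookies), and the complaints discussed later in this article were prepared by reviewing the source code of EU webpages for exactly such tags. The following Python script is an added example, not code from the article, from Schoenherr or from noyb: it scans a page's HTML for the publicly documented Google Analytics loader hosts and tracking identifiers, and separately lists the `_ga`-family cookies in a cookie string, so that a website operator can inventory where such transfers originate. The HTML and cookie samples are constructed for the example; the identifier `G-EXAMPLE123` is a placeholder.

```python
import re
from urllib.parse import urlparse

# Hosts from which the Google Analytics / Google Tag Manager loader
# scripts are served (gtag.js, analytics.js, ga.js, gtm.js).
GA_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "google-analytics.com",
}

# <script ... src="..."> tags, case-insensitive.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)

# GA4 measurement IDs (G-...), Universal Analytics property IDs (UA-...-N)
# and Google Tag Manager container IDs (GTM-...).
GA_ID_RE = re.compile(r"\b(G-[A-Z0-9]{4,}|UA-\d{4,}-\d+|GTM-[A-Z0-9]{4,})\b")

# Cookie names set by Google Analytics: _ga, _ga_<container>, _gid.
GA_COOKIE_RE = re.compile(r"^(_ga(_[A-Z0-9]+)?|_gid)$")


def scan_html(html: str) -> dict:
    """Report Google Analytics loaders and IDs found in an HTML document."""
    loaders = []
    for src in SCRIPT_SRC_RE.findall(html):
        # Protocol-relative (//host/...) and absolute URLs both yield a netloc;
        # same-origin paths such as /static/app.js yield an empty one.
        host = urlparse(src).netloc.lower()
        if host in GA_HOSTS:
            loaders.append(src)
    ids = sorted(set(GA_ID_RE.findall(html)))
    return {
        "loaders": loaders,
        "ids": ids,
        "uses_google_analytics": bool(loaders or ids),
    }


def ga_cookie_names(cookie_header: str) -> list:
    """Return the Google Analytics cookie names present in a Cookie header."""
    names = []
    for part in cookie_header.split(";"):
        name = part.strip().split("=", 1)[0]
        if GA_COOKIE_RE.match(name):
            names.append(name)
    return names


# Constructed sample: a page carrying a GA4 tag next to a first-party script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE123"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE123');
</script>
<script src="/static/app.js"></script>
</head><body><p>Hello</p></body></html>
"""

# Constructed sample: the same page without any analytics tag.
CLEAN_HTML = """<!doctype html>
<html><head><script src="/static/app.js"></script></head>
<body><p>Hello</p></body></html>
"""

# Constructed cookie header as a browser would send it back to the site.
SAMPLE_COOKIES = "_ga=GA1.2.1.2; _ga_EXAMPLE123=GS1.1.1; session=abc"

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(scan_html(CLEAN_HTML))
    print(ga_cookie_names(SAMPLE_COOKIES))
```

The scan is deliberately static: it only reads the HTML that was served, so tags injected later by a tag manager or by another third-party script are not seen. For a complete inventory, run the same checks against the DOM after page load or against the browser's network log, where the requests to the hosts listed above appear directly.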
Background
In the Schrems II decision,(2) the European Court of Justice (ECJ) declared one of the means on which data transfers to the United States under the GDPR had been based – namely, the European Commission's (EC) Privacy Shield decision – to be invalid on account of invasive US surveillance programmes. Furthermore, the Court stipulated stricter requirements for another means of data transfer: standard contractual clauses (SCCs). The ECJ considered SCCs to be generally suitable to provide for an "adequate" (EU-like) level of data protection in the data recipient's country, to be assessed on a case-by-case basis. If necessary, additional measures to compensate for gaps in the protection afforded by third-country legal systems must be implemented. Failing that, operators must suspend the transfer of personal data outside the European Union.
Following this decision of the ECJ, the Austrian data protection organisation noyb(3) analysed the source code of numerous EU webpages and lodged numerous complaints against various websites throughout Europe that continued to use US providers despite the ECJ's ruling.
The Austrian DPA was the first in Europe to decide on one of those complaints. Although the decision is not yet legally binding, in light of the ECJ's ruling it can be expected that the other European DPAs will issue similar decisions. In the meantime, CNIL, the French data protection authority, has issued a similar decision, also stating that the use of Google Analytics violates the GDPR's provisions on the transfer of personal data to third countries.
Decision
The Austrian DPA held that:
- the analysed data collected by Google Analytics is personal data under the GDPR; and
- this data is not transferred to Google LLC in a GDPR-compliant manner.
First, the DPA regards user identifiers, the internet protocol (IP) address and browser parameters (eg, browser type, operating system, screen resolution and language selection) as personal data: the identifiers are unique reference numbers, and once they are combined with the other, more general information, a digital footprint can be created that allows the user to be identified.(4)
Second, the transfer of personal data to third countries (ie, countries outside the European Union) is only admissible if the EC has decided that the country in question ensures an adequate level of protection for the personal data (adequacy decision) or if "appropriate safeguards" are provided for the safety of the data.(5) In the case at hand, Google and the website provider had concluded SCCs. However, the supplementary measures provided for by Google LLC (eg, a fence surrounding the data centre sites, standard encryption of stored data and a "careful review" of each request for disclosure) were not deemed sufficient or effective by the DPA because they could not remove the possibility of surveillance of, and access to, the stored data by US intelligence agencies.
The DPA, however, held that Google LLC, as a US company, is not subject to the GDPR when it comes to the transfer of personal data to third countries, since the data exporter (ie, the website provider) had to comply with the requirements of Chapter V of the GDPR, but the data importer (ie, Google LLC) did not.(6) It also noted that the proceedings on the possible violation of articles 5, 28 and 29 of the GDPR by Google LLC are still pending.
Comment
It is noteworthy that the SCCs at issue in this proceeding were the "old" set of SCCs, since, in response to the Schrems II decision, the EC substantially revised the SCCs and published "new SCCs" in summer 2021 (for further information see "Here we go again - the odyssey of international data transfer challenges continues"). The new SCCs will replace the old ones, and companies have been granted a transition period of 18 months, until the end of 2022, to switch to the new version. Companies contracting with new customers must use the new SCCs immediately.
The new SCCs are designed to be more flexible than the older version, and cover data protection safeguards, use of sub-processors, data subject rights (including redress), liability and supervision for transfers from controller to controller, controller to processor, processor to processor, and processor to controller. Of course, companies will still have to undertake the relevant risk assessment, the so-called "transfer impact assessment" (TIA).
The DPA did not analyse the new set of SCCs, including a TIA, but rather the old set of SCCs in the context of the ECJ ruling. In other words, the DPA was bound to apply the new and higher-level TIA requirement to the old SCCs.
Nevertheless, the DPA illustrated with this decision that the leeway for adjusting to the ECJ's requirements is rather small.
The key takeaway from this decision is that it is time for companies to accept their active role as a data controller and get their international data transfers in order.
For further information on this topic please contact Florian Terharen or Veronika Wolfbauer at Schoenherr by telephone (+43 1 534 37 0) or email ([email protected] or [email protected]). The Schoenherr website can be accessed at www.schoenherr.eu.
Endnotes
(1) DSB 22.12.2021, D155.027/2021-0.586.257.
(2) ECJ 16.07.2020, C-311/18, ECLI:EU:C:2020:559.
(3) Noyb is a non-governmental organisation led by Max Schrems that "focusses on commercial privacy issues on a European level, i.e. privacy violations of your digital rights as a private citizen by companies and corporations".
(4) See DSB ruling, D.2, p 26 et seq.
(5) See Chapter V – article 44 et seq of the GDPR.
(6) See DSB ruling D.6, p 40 et seq: the data importer does not disclose the personal data, but (only) receives it.