From JDSupra, Karol Laskowski discusses a recent decision of the Austrian Data Protection Authority holding that the safeguards offered by Google Analytics did not make the transfer of personal data from the EU to the U.S. lawful. Karol writes:
Google Analytics and privacy concerns surrounding it
Google has for a very long time been criticized for collecting data about Internet users, for aggressive tracking and for disclosing too much information to governments, and Google Analytics has recently raised some of the biggest privacy concerns. The decision of the Austrian Data Protection Authority (DPA) of 22 December 2021, Europe's first decisive move against Google Analytics, only heats up the discussion and confirms the need for a new EU-US data transfer framework.
Google Analytics and data protection
Launched in November 2005, Google Analytics is the most widely used website statistics service; it tracks and reports website activity, including session duration, pages per session, information on the source of the traffic, etc. Additionally, whenever someone visits a website that uses Google Analytics, Google records the visitor's IP address and uses it to determine the user's approximate geographic location. All the data collected by Google Analytics passes through Google's servers located in the US, so the use of Google Analytics by a European website provider (and the resulting transfer of personal data to the US) can constitute a breach of Chapter V of the GDPR.
The case of NetDoktor
An Austrian medical news company, NetDoktor (the "Company"), implemented the free version of the Google Analytics tool on its website to enable statistical evaluation of the behaviour of website visitors. Data collected by the tool, which was delivered by Google LLC ("Google") at that time, was hosted in the US (and therefore transferred there). In order to address the requirements of the Schrems II judgment, the Company and Google entered into standard contractual clauses (SCCs). Moreover, Google implemented further contractual, organizational and technical measures.
Google, as a provider of electronic communications services within the meaning of 50 U.S. Code § 1881, is subject to surveillance by US intelligence services under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and is obliged to provide the US authorities with personal data. According to the Austrian DPA, Google is therefore not in a position to ensure adequate protection of personal data, given that the supplementary measures in place were not able to overcome the risks associated with the use of the cookies in question. The DPA consequently ruled that such a transfer of personal data to the US is unlawful.
The DPA also noted that:
- the use of encryption technologies is not sufficient in this case, as US authorities may oblige the provider to release the data by handing over the encryption key; a similar conclusion was reached on pseudonymisation, also because the Google Analytics identifier can be linked to a Google Account.
The discussed decision of the Austrian DPA is the first one issued as a consequence of the 101 complaints that Max Schrems' noyb filed with several European DPAs last year following the CJEU's Schrems II judgment.
Another was issued recently by the French regulator, the CNIL, which ruled that, because Google Analytics had not adopted adequate supplementary measures to prevent US intelligence services from accessing the data, the transfer of data to Google Analytics violates Article 44 of the GDPR. It also found the IP anonymisation function ineffective, because (i) it is optional and does not apply to all transfers, and (ii) it is not clear whether the anonymisation takes place before or after the IP address is transferred to the US; if the full address is transferred and only shortened in a second step, the entire IP address is potentially accessible. The CNIL also briefly concluded that consent (one of the derogations listed in Article 49 of the GDPR) is not a suitable transfer mechanism if it is collected within the cookie banner, as it would not meet the requirement of being explicit.
The decision is also in line with the recent decision of the European Data Protection Supervisor, which found that the European Parliament infringed Article 46 and Article 48(2)(b) of Regulation (EU) 2018/1725 (the GDPR's counterpart for EU institutions): even though it relied on standard contractual clauses as a transfer mechanism, it failed to provide any documentation of the contractual, technical or organisational measures in place that could ensure an adequate level of protection for the personal data transferred to vendors located in the US (Google Analytics and Stripe). We should also expect the German and Dutch DPAs to issue their decisions any day now.
The above cases will certainly have significant implications, adding to the discussion of Europe's strict privacy laws and intensifying the debate on the need for a new EU-US data transfer framework.
It is not yet clear how companies that use Google Analytics on their websites should proceed. The solution most consistent with the data protection authorities' latest interpretations is to stop using the tool; however, many companies continue to use it while watching how the situation develops. What is undoubtedly crucial at this point, as DPAs are vigorously investigating transfers outside the EEA, is having all the appropriate agreements, policies, procedures and, above all, proper transfer impact assessments in place.