On January 15, the Dutch Data Protection Authority announced that Google Analytics may be violating the AVG/GDPR legislation. The Dutch regulator is currently investigating 2 complaints about the use of Google Analytics in the Netherlands. On January 13, the Austrian privacy supervisor DSB already issued a ruling in a comparable case. It concluded that Google Analytics is indeed in violation of Chapter V. Art. 44 of the GDPR. This ruling may have major consequences for the use of Google Analytics within the EEA (European Economic Area).
This is evident from a case brought by NOYB (None Of Your Business, a privacy organization founded by privacy activist Max Schrems) against the organization behind an undisclosed website and Google LLC.
Why Google Analytics should be banned
The ruling can be explained as follows. When using Google Analytics, personal data is sent to the United States. This includes data for user identification, IP addresses and browser data. The Standard Contractual Clauses (SCC) used by Google for the transfer of personal data thus offer insufficient protection. This judgment is based on 2 important conclusions:
- As a provider of electronic communication services, Google falls under 50 US Code § 1881(b)(4). As such, Google is overseen by US intelligence agencies, which may require Google to provide access to Google’s data under 50 US Code § 1881a (“FISA 702”).
- The measures taken in addition to the Standard Contractual Clauses (SCC) have been assessed as insufficient, as they do not exclude the possibility of monitoring and accessing data by US intelligence services.
Because no other legal grounds apply in this case that legitimize the transfer of data to the United States, the Austrian privacy regulator is of the opinion that there has been an infringement.
So it comes down to:
- The data processed by Google is regarded as personal data, even when IP anonymization is involved, and
- Processing this data in the United States violates the GDPR as a result of the legislation that applies there, because ‘third parties’ (read: the intelligence services of the United States) can gain access to this data without the prior consent of the user.
In violation of GDPR/AVG, despite configuration in accordance with privacy guidelines
As is the case in all EEA member states, the Dutch Data Protection Authority has provided a manual for setting up Google Analytics in a privacy-friendly manner. However, the Austrian privacy supervisor is of the opinion that even when the privacy-friendly measures are taken, including IP anonymization, the data involved is still personal data and not anonymized data. For example, it would still be possible to combine the remaining data into a unique profile and thus trace it back to an identifiable natural person, certainly in combination with the data that Google has when the user is logged in to the Google Account while surfing.
What are the consequences for the use of Google Analytics in the Netherlands?
The ruling by privacy supervisor DSB in Austria may have far-reaching consequences, because it seems likely that other European supervisors will take the same line. However, it has not come to that yet. The Dutch Data Protection Authority is currently investigating two complaints about the use of Google Analytics in the Netherlands, which were also submitted by Max Schrems' NOYB. After completion of that investigation, the Dutch Data Protection Authority can say whether Google Analytics will be prohibited or allowed in its current form. The ruling is expected in early 2022. Given that the complaints on which the case in Austria is based were submitted in mid-2020, and given the importance that the Dutch Data Protection Authority also attaches to the earlier ruling, we (Traffic Builders) may already expect this ruling within a few days to weeks.
Recommended next steps
It is clear that this ruling can have major consequences. If the ruling is adopted at European level, it means that not only the use of Google Analytics for European users should be examined: the same applies to all American providers of software and services that process personal data. Think of Salesforce, Hubspot, Adobe, etc. Previous lawsuits have shown that the question is not so much where the personal data is processed, but whether it is processed by an entity that is subject to the aforementioned legislation in the United States.
For the time being, our advice is therefore to at least make sure that Google Analytics is configured in line with the previously issued guidelines, as stated in the Dutch Data Protection Authority's manual for setting up Google Analytics in a privacy-friendly manner. In addition, it is recommended to make an inventory of which software of American origin is in use that involves the processing of personal data, and to obtain legal advice about this.
And of course make sure you follow the developments in this matter closely, for example by subscribing to our newsletter and blog updates (see the subscription option at the bottom of this blog). Traffic Builders would like to keep you informed of the relevant developments.
Traffic Builders' expectations
Never before has the use of Google Analytics been so strongly condemned in the context of the GDPR as in the aforementioned ruling by the Austrian privacy regulator. This is certainly cause for caution. It seems only a matter of time before other supervisors, including the Dutch Data Protection Authority, also reach a similar conclusion. However, in theory the matter can also fizzle out.
For example, agreements can be made between the EEA and the United States that limit or at least align the scope of 50 US Code § 1881a (“FISA 702”) with regard to European residents. Such agreements have previously applied in, among others, the EU-US Safe Harbor and EU-US Privacy Shield agreements. It may also be possible to include, in the privacy statement on the website, explicit warnings about the possibility that American intelligence services may inspect privacy-sensitive data. After all, in that case a visitor whose data may be shared would have given explicit permission for this, assuming a correct implementation and reference to the privacy statement.
In any case, there is a lot at stake and the endgame is not yet clear. A ruling like this can therefore certainly be used as a means of pressure in the negotiations between the United States and the European Union, with the aim of attracting European clients from American tech companies. To be continued.
Originally published by Traffic Builders as “Google Analytics mogelijk verboden wegens overtreding GDPR/AVG”.