Janus de Visser
18 January 2022
15 minutes reading time
The world of data & analytics has been rocked by the Austrian Data Protection Authority declaring that the use of Google Analytics violates the European General Data Protection Regulation (GDPR). A difficult subject with lots of history. With this article we will try to shine some light on the situation and the potential impact.
The Austrian data protection authority DSB ruled on the 13th of January 2022 that the use of Google Analytics violates the GDPR. The ruling is a result of a complaint filed by digital rights organisation None Of Your Business (NOYB) with privacy activist Max Schrems behind the wheel. They are calling out for stricter privacy regulation because of the lack of control in exchange of European personal data with US tech giants. This complaint was aimed at an Austrian website using Google Analytics that claimed that there was no transfer of personal data. Because US Surveillance laws require US companies to provide personal details to US authorities when asked to do so, the Austrian ruling states that the use of a US Provider – in this specific case Google Analytics – violates EU privacy rules on safe and protected international data transfers.
CookieBot, a Danish consent management solution, used a US based cloud company (Akamai) to process data. In December 2021, the German courts ruled against Cookiebot for processing and providing personal details (IP Addresses) to US based servers of Akamai. This ruling was regarding the IP address and a unique key that identifies a user, a browser to be precise. For those in the digital business, yes, the same thing all digital tooling and platforms use to operate. CookieBot on the Wiesbaden ruling: https://www.cookiebot.com/en/wiesbaden-ruling/
This ruling, if upheld, has the same impact as the Austrian ruling. It is bad news for all US services providers as it sets precedent to go after all of them.
NOYB has filed over a hundred of these cases all over Europe and Data Protection Authorities are processing them. The DSB was the first with a big name as Google. The NOYB cases also focus on Facebook, and the model cases can for all intents and purposes be replaced with any US based service provider. Why you ask?
The cases are based on the loss of Privacy Shield, which intended to regulate the exchange of personal data between EU companies and the US. This loss was the result of the “Schrems II” decision by the European Court of Justice in 2020 that declared the Privacy Shield invalid. Without the Privacy Shield in place companies could no longer state that data transfer was safe by referencing this regulation.
The same happened with the Safe Harbor Agreement in 2015, and we experienced a legal void for over a year until it was replaced by Privacy Shield in 2016. An identical situation but the current void is tested to its legal limits with the model cases instigated by NOYB.
Let us move all data to Europe, right? No, not that simple. Location and jurisdiction are something different entirely. All US organisations – even if they are based in Europe – are subject to the US legal process. The Irish Case of Microsoft vs the US government made this very clear. After numerous court appeals, they still had to provide data stored on servers in Ireland. So even if data is located in the EU it doesn’t provide a safeguard against the mass surveillance laws of the US government when those servers are owned by a US company.
It is good to consider that both the Austrian and the German case are a snapshot in time and things have changed in the meantime. For instance, the Google data processing terms referencing Privacy Shield have been update since the NOYB complaints and no longer reference Privacy Shield. The Google Analytics configuration in question was done incorrectly and as a result IP anonymization did not function in all cases. And as a cherry on top, consent was not obtained. If anything, the Austrian case tells us what to look out for and do better.
However, the issue of safe data transfer between the EU and US is a big one. A new, and improved, version of Privacy Shield is needed and fast. This is a job for the EU commission and the US Department of Commerce, and they are working on it.
Although the Austrian data protection authority has been the first of EU member states to make a ruling on a NOYB case, similar decisions are expected to follow in other EU countries, including The Netherlands. The Dutch DPA is currently investigating two NOYB complaints about the use of Facebook and Google Analytics in the Netherlands. The fact that privacy regulators can now declare US services illegal will put additional pressure on companies and governments to make safe data transfers possible.
For those interested, NOYB has a list of all complaints: https://noyb.eu/en/eu-us-transfers-complaint-overview
There are no direct consequences as of now and we all must be patient for Data Protection Authority guidelines and clarity on EU/US data transfers. We advise to keep a close eye on the European Data Protection Board and the guides they provide (https://edpb.europa.eu/). But to be honest, without any type of Privacy Shield in place, the current guides are not very useful.
Even though many questions remain unanswered there are a number of things you can do today to improve your state of compliance while using Google Analytics and to protect the privacy of your website and app users. Please keep in mind that these actions mitigate some on the concerns stated by the Authorities, but not all. These are not the ultimate solutions to solve the issue of safe data transfer to the US.
Blog titles that are claiming Google Analytics is illegal are an oversimplification of a very complex situation. So do not panic, have patience, consult experts, and wait for guidelines from the data protection authorities.
Google offers this feature, it works, use it. Do the implementation correctly, not alike the Austrian case.
Custom implementations are easy to expand with additional identifiers and other personal data. Do not send this data to Google Analytics, or any other US based analytics tool (e.g. Adobe Analytics), marketing platform or A/B-testing tool.
These terms have been updated since the snapshot of the Austrian case. You can accept these via Admin Account Settings of Google Analytics. Please make sure to consult your legal department before doing so.
Also found in the Admin Account Settings, disable them.
Manage sharing data with Google marketing products based on user consent by using the AllowAdFeatures. https://support.google.com/analytics/answer/9050852
Although at the moment this requirement differs per European country, we see that in most countries consent is already required, and other countries are moving in that direction. Consent is not a golden bullet to allow for all kinds of unsafe data processing, but it does give people control and that is important.
We firmly believe in a privacy first approach and support our clients daily to improve their data operations by implementing privacy protecting measures. We also believe things need to change in the industry and are no advocate of the US mass surveillance. But, and this is a big but, we think the NOYB and Data Protection Authority aim at analytics tools is like using a canon to kill a mosquito, while missing the swarm.
The privacy risks involved with analytics when practicing privacy by design are insignificant in comparison to the risks involved with communications, financial, and medical data that is also often processed via US cloud providers. What is the likelihood that an intelligence service wants an IP address and unique identifier instead of mailbox contents or financial records? The answer to that question is the reason we believe this ruling is where GDPR enforcement loses its touch with reality and loses credibility.
We also believe that the rulings are a bold step forward to emphasize and enforce data privacy laws. This will challenge both EU-US governments and US technology providers on how to respect user privacy. Although the message is a rigorous one, the actual implications and implementations of the rulings into the real world remains for now unclear.
For all Google Analytics users we say, follow the checklist and wait on further instructions from Data Protection Authorities.