The use of Google Analytics is effectively no longer permitted for Austrian website operators. The reason is the partial success of the NGO noyb, whose complaint against Google Analytics before the Austrian Data Protection Authority (DPA) was upheld in part. The ground for the decision was a violation of the general principles of data transfer under Art. 44 GDPR.
Google Analytics is the most popular analytics tool on the market, but in recent years there have been repeated complaints about questionable data protection practices by Google. Among the complainants was the organization noyb around Max Schrems, which filed 101 model complaints against companies in 30 EU and EEA countries for their use of Google Analytics and Facebook Connect after the Schrems II decision.
This was followed by the DPA's first decision on one of these complaints, which concerned the transfer of data from the website netdoktor.at to Google.
The Austrian data protection authority ultimately concluded that the use of Google Analytics constitutes a breach of the GDPR.
First, the supervisory authority examined whether personal data were processed at all. Art. 4 No. 1 GDPR states:
"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier [...]."
By activating Google Analytics and visiting the website (netdoktor.at), the following information is transmitted to the Google server:
unique network identifiers representing both the browser and the device of the complainant, as well as identifiers of the first respondent (the Google Analytics account of the first respondent as webmaster);
address and HTML title of websites and subpages visited by the complainant;
information about the browser, operating system, screen resolution, language selection and the date and time the website was accessed;
the IP address of the device used by the complainant.
The supervisory authority determined that these data are personal data within the meaning of Art. 4 No. 1 GDPR. Using the elements above, netdoktor.at can distinguish website visitors from one another and determine whether they are new or returning users. The visitor is thus singled out from the otherwise homogeneous group of all website visitors and identified by an identifier. This assessment is reinforced by Recital 26 sentence 4 and Recital 30: a unique identifier can be combined with any of the other elements listed, such as browser data or the IP address, which increases the likelihood that a website visitor is identified.
This raises the question of why netdoktor.at did not rely on the "IP anonymization function" of Google Analytics. Netdoktor.at admitted in its statement to the supervisory authority that this function had not been implemented correctly. However, the DPA held that a correct implementation would not have changed the assessment, because the unique identifier is linked to so many other elements that the personal reference remains.
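The following is an added illustration of the authority's reasoning, not part of the decision or of Google's code: even when the IP address is masked, a persistent client identifier combined with browser attributes still lets the operator tell visitors apart and recognise returning ones. The masking rule (last IPv4 octet or last 80 IPv6 bits zeroed) mirrors Google's documented anonymizeIp behaviour; the hit fields and all values are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One analytics request; fields mirror the elements listed in the decision (constructed)."""
    cid: str         # persistent unique identifier stored in the visitor's browser
    ip: str
    user_agent: str
    screen: str
    language: str
    page: str


def anonymize_ip(ip: str) -> str:
    """Mask the address as anonymizeIp does: /24 for IPv4, /48 for IPv6 (last 80 bits zeroed)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def identifier_profile(hit: Hit) -> tuple:
    """Elements that survive IP masking and, combined, single out a visitor (Recital 26/30 reasoning)."""
    return (hit.cid, hit.user_agent, hit.screen, hit.language)


def distinct_counts(hits) -> tuple:
    """(number of distinct masked IPs, number of distinct visitor profiles) over a set of hits."""
    return (len({anonymize_ip(h.ip) for h in hits}),
            len({identifier_profile(h) for h in hits}))


def classify_visitors(hits) -> list:
    """Label each hit 'new' or 'returning', exactly the distinction the authority pointed to."""
    seen, labels = set(), []
    for h in hits:
        key = identifier_profile(h)
        labels.append("returning" if key in seen else "new")
        seen.add(key)
    return labels


UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/105.0"  # constructed sample browser string
SAMPLE_HITS = [  # constructed: two visitors in one /24, then the first visitor again from elsewhere
    Hit("GA1.2.111.1111", "198.51.100.23", UA, "1920x1080", "de-AT", "/krankheiten/grippe"),
    Hit("GA1.2.222.2222", "198.51.100.77", UA, "1920x1080", "de-AT", "/"),
    Hit("GA1.2.111.1111", "203.0.113.5", UA, "1920x1080", "de-AT", "/symptome/husten"),
]
```

The first two hits collapse to a single masked address yet remain two distinct profiles, and the third hit is recognised as a returning visitor despite a different network.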
In this case, the Austrian supervisory authority found that no instrument of Chapter V of the GDPR ensured an adequate level of protection for the transfer of data from netdoktor.at to Google, and that a violation of Art. 44 GDPR had therefore occurred.
The standard contractual clauses that netdoktor.at had concluded with Google do not ensure an adequate level of protection under Art. 44 GDPR, because Google is subject to surveillance by US intelligence services pursuant to 50 U.S.C. § 1881a (also known as FISA 702). The additional measures currently in place are not sufficient to rule out surveillance and access by those services, and no other instrument under Chapter V of the GDPR is available for the transfer.
In the reasoning of the decision, the authority refers to the EDPB's "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data". Central to this is the statement (para. 70) that the "supplementary measures" referred to in the Schrems II judgment can only be considered effective if they close the gaps in protection that the data exporter identified in its assessment of the legal situation in the third country.
The authority quotes the EDPB's conclusion from this document:
"If, ultimately, you cannot ensure an essentially equivalent level of protection, you must not transfer the personal data." (p. 28).
The following additional contractual and organizational measures were agreed upon:
the notification of data subjects about requests from intelligence services (where permissible in the individual case),
the publication of a transparency report and of a guide for handling requests from intelligence services,
the review of every request for information from intelligence services.
Google has also announced these technical measures:
protection of communications between Google services, of data in transit between data centers, and of communications between users and websites;
implementation of "on-site security";
encryption of "data at rest" in data centers.
With regard to the contractual and organizational measures submitted to the authority, it is not apparent, in the EDPB's view, to what extent they are effective.
It is equally unclear to what extent the technical measures listed would prevent access by US intelligence services. On the encryption techniques offered by Google, the authority refers to the EDPB's requirements: the aforementioned recommendations state (para. 76) that a data importer covered by 50 U.S.C. § 1881a (FISA 702) is obliged to grant access to the data, an obligation that may extend to the encryption keys.
The decision is directed at the operator of the website netdoktor.at, not at Google LLC (USA), because the requirements of Chapter V of the GDPR are imposed on the data exporter, not on the data importer.
As mentioned above, this decision was the first of 101 model complaints.
Other countries are already following. Just two weeks after the Austrian data protection authority’s groundbreaking decision, the French supervisory authority, CNIL, also announced that the use of Google Analytics on websites violates the GDPR. In the following months, the Italian and Danish data protection authorities published similar notices. It is expected that other EU countries will follow suit. If they come to the same conclusion, this will not only have consequences for the use of Google Analytics in Europe. As a further consequence, EU companies will no longer be allowed to use US cloud services in the future.
This decision will inevitably lead to discussions. On the one hand, US companies will have to adapt their products to the GDPR; on the other hand, EU companies should look for more data privacy-friendly alternatives.
Another solution could be to change U.S. law to better protect EU citizens' data, or to prohibit the processing of EU citizens' data on servers outside the EU. If personal data continue to be transferred to the U.S. without adequate safeguards, severe penalties may be imposed.
US President Biden signed an executive order on Oct. 7, 2022, outlining steps towards a new data protection framework between the European Union and the United States. The aim is to create the legal basis in the USA on which the EU Commission can then begin its review for an adequacy decision. The executive order is thus intended to pave the way for a new chapter in data transfers to the USA. Critics object, however, that intelligence services will continue to have access to the personal data of EU citizens.
There is already a trend away from Google Analytics towards European solutions. We can help you find a GDPR-compliant and secure solution for your needs. Arrange an appointment with us right away, because data protection is our top priority!