Even before the end of Privacy Shield, and in May 2020 to be precise, the Data Protection Conference (Datenschutzkonferenz, DSK), the body of independent German federal and state data protection supervisory authorities, had published “Guidance on the use of Google Analytics in the non-public sector”.
In brief, several additional measures were called for, such as obtaining informed, voluntary, active, and prior consent from users, functional implementation of the revocation of consent, transparency for users with regard to the use of Google Analytics, and IP address shortening.
If these measures are incomplete, the data protection supervisory authorities already considered the use of Google Analytics to be impermissible before the end of Privacy Shield.
Google Analytics and The Transfer of Data
A central problem with the use of this service for reach analysis is the transfer of personal data to the third country USA and the legal basis required for this.
As is well known, a data transfer to the USA can no longer be based on Privacy Shield. But even the pure standard contractual clauses of the EU are not sufficient as a legal basis in this case. Thus, the DSK stated: “It should be noted that the mere conclusion of standard data protection clauses such as the standard contractual clauses adopted by the EU Commission is not sufficient.
It must also be examined on a case-by-case basis whether the law or practice of the third country affects the protection guaranteed by the standard contractual clauses and whether, if necessary, supplementary measures must be taken to ensure compliance with this level of protection.”
These complementary measures, which are intended to provide an adequate level of data protection, must be effective. “However, especially in connection with the integration of third-party content and the use of tracking services, sufficient supplementary measures will often not be possible. In this case, the services concerned must not be used, i.e., they must not be integrated into the website,” according to the DSK.
Exactly such cases have now been objected to, by the data protection supervisory authorities in Austria and in France.
What the Data Protection Authorities in France Objected To
After receiving complaints from the NOYB association, the French data protection authority CNIL, in cooperation with its European counterparts, analyzed the conditions under which data collected via Google Analytics is transferred to the United States. The CNIL considers that these transfers are illegal and instructs a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions.
Google has taken additional measures to regulate the transfer of data within the Google Analytics functionality, but these are not sufficient to exclude the accessibility of this data to US intelligence agencies. Therefore, there is a risk for French website users who use this service and whose data is exported.
CNIL notes that the data of Internet users is thus transferred to the United States in violation of Articles 44 et seq. of the GDPR. The CNIL has therefore instructed the Website Manager to bring this processing into compliance with the GDPR, if necessary by discontinuing the use of Google Analytics functionality (under the current conditions) or by using a tool that does not involve transfers outside the EU.
Regarding website analytics services, CNIL recommends that these tools should only be used to generate anonymous statistical data.
What the Data Protection Authorities in Austria Criticized
The data protection authority in Austria had also previously addressed the compatibility of Google Analytics and the General Data Protection Regulation (GDPR) in a complaint procedure.
In the complaint procedure regarding a specific website, it was determined that personal data was also transmitted to the servers of Google LLC, which is based in the USA. The website operator and Google LLC have concluded standard data protection clauses (in the former version).
The measures implemented in addition to the standard data protection clauses were not effective in the view of the data protection authority, as they did not eliminate the monitoring and access possibilities by US intelligence services as identified by the ECJ (European Court of Justice).
The data protection authority, therefore, issued a decision stating that website operators cannot use the Google Analytics tool in compliance with the GDPR (at least on the basis of the facts established in the decision).
What Google says
Google itself has commented that “We remain confident that the extensive complementary measures we provide to our customers ensure practical and effective data protection to any reasonable standard. At the same time, we want to provide our customers with privacy settings that enable them to meet their specific business and compliance requirements, as well as determine what data is collected and how it is used.”
In May 2022, Google added, “Settings are now available in Google Analytics to manage the collection of detailed location and device data, as well as data for Google signals for individual regions.”
Keeping an Eye on Trends
Anyone who wants to continue using Google Analytics must carefully examine which of the additional measures taken to secure data traffic effectively ensure that data transfer to the U.S. becomes permissible; the pure standard contractual clauses are not sufficient as a basis. The data protection supervisory authorities have now made it clear that they do not consider the measures to be effective in the cases under review.
It is strongly recommended to follow further developments and the decisions of the supervisory authorities and possibly courts, to adjust one’s own measures to ensure an adequate level of data protection accordingly or to use an alternative to Google Analytics that does not result in data being transferred to a third country such as the USA.