We are a Swiss law firm, dedicated to providing legal solutions to business, tax and regulatory matters.
Life Sciences, Pharma, Biotech
Litigation and Arbitration
Our knowledge, expertise & publications
7 March 2022
Many website operators in Europe are at a loss: Is Google Analytics illegal? This is what recent decisions and statements by European Data Protection Authorities suggest, and some of them even say so directly. On closer inspection the situation is less black and white. Google Analytics can, in our view, be used in compliance with the GDPR. We will explain how and why. The decisions reflect a trend among data protection authorities towards a fundamentalistic and absolutistic view of data protection, trying to push the GDPR into a corner where many say it was not intended to be.
Following a series of complaints filed by the non-profit organization noyb.eu in 2020 against 101 EEA websites using Google Analytics or Facebook Connect, EEA data protection authorities have started issuing rulings against the websites, declaring their use of Google Analytics as noncompliant with the GDPR. The Austrian Data Protection Authority was first on December 22, 2021, with the French Data Protection Authority CNIL following on February 10, 2022. Since the European Data Protection Board (EDPB) "coordinated" the reaction to the complaints by noyb.eu supposedly with a model response, more such "copy & paste" decisions are to be expected (see also Kuan Hon's collection of links on the topic and her paper summarizing enforcement activities in the broader context of Schrems II).
Note that we have not been involved in any of the proceedings discussed here or other similar proceedings related to Google Analytics. This blog reflects the personal opinion of its author and not necessarily the view of any client (or even Google). We have been asked by publishers seeking independent advice on what they should do about their use of Google Analytics following the decisions mentioned. We analyzed the situation and came up with specific proposals. With this blog, we want to share our views and recommendations publicly; they and the related TIA are, however, not legal advice, provided for informational purposes only, and to be used at your own risk.
Before we do a deep dive, it is necessary to understand the bigger picture. It has become obvious that noyb.eu and many EEA data protection authorities want to force EEA website operators to switch to EEA-based solutions and in any event stop using Google Analytics regardless of how it is implemented. In our view, however, the discussion concerning the use of US-owned service providers appears to be, first above all, a political one. While there may be reasons for pushing in that direction, a discussion about the legality of services such as Google Analytics or of other US-based providers should be based on facts and law. We have the impression that this is not always the case, and even data protection authorities are today engaging in what appears to be a mere "power game" between some parties in Europe and in the US; in private discussions, representatives from data protection authorities also admit that they are simply clueless about how to reasonably deal with Schrems II.
The Google Analytics decisions seem to fall in this category. When we talk to our peers, many are worried that the principles set out in these decisions (and similar decisions, such as in the Google Fonts matter) will also be applied in other cases. The attempt to redefine the term "personal data" to no longer require identifiability is one example (we discuss it below). While we understand why some data protection authorities are pushing in that direction, we believe that de lege lata and de lege ferenda should be clearly distinguished. Carey Lening recently described the current trend as a dangerous game that regulators are playing on the Internet. The ones suffering today are the many European businesses and other organizations that want to properly implement state-of-the-art online techniques, but even with a lot of goodwill cannot understand the attitude and position of many EEA data protection authorities. They fear finding themselves between a rock and a hard place and hope that they can remain under the radar until the topic of international transfers is dealt with more reasonably again. We also have the impression that there are more important issues to be dealt with in data protection than the often only theoretical risk of US intelligence authorities accessing the data of offerings such as Google Analytics. The clear and present risk of ransomware and other cyberattacks is only one example.
The Austrian decision was the first and the most detailed one, which is why we will focus on it. The decision relies on the manner in which Google Analytics has been implemented in the case at hand. This is important because Google Analytics can be implemented in several different ways, which has an impact on its assessment under the GDPR (and the Swiss Data Protection Act, which follows the same concepts concerning international transfer). In the Austrian case an implementation was chosen as a target by noyb.eu that did not use various features available for data protection compliance. Accordingly, the fact that the authority found the implementation non-compliant does not mean that other implementations of Google Analytics are non-compliant, too. Also, key findings and arguments of the authority are in our view incorrect or at least questionable. We will discuss them further below.
In the Austrian case, the authority according to its decision found or assumed the following (the references refer to the full-text decision in German):
Furthermore, the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data" of the EDPB were apparently considered as de facto binding by the authority. They were applied to the case without validation (see, for example, p. 37 et seq.).
The following chart illustrates the above assumptions and findings of the authority:
In the setup that in our view can be considered compliant with the GDPR and Swiss DPA, nine elements of relevance for privacy compliance are different from the ones in the Austrian case. They are as follows:
The following chart illustrates the above:
When implemented as described above, we believe that Google Analytics can be operated in compliance with the GDPR (and the Swiss DPA). This is true even if one were to assume that the data collected qualifies as personal data (as the Austrian data protection authority and CNIL have; we explain below why we do not believe that this is correct).
Hence, a publisher should take the following seven steps when implementing Google Analytics in a client-side mode:
We assume that large parts of the Austrian decision have been prepared by the EDPB to ensure that the various data protection authorities across the EEA will follow a unified approach with the various complaints of noyb.eu. Hence, it makes sense to analyze its legal reasoning a bit closer. In our view, several conclusions and interpretations made by the authority are in our view not convincing and partially based on wrong assumptions.
To begin with, we believe that the authority's analysis of whether there is personal data is not correct for the following reasons:
If one were to accept that the use of Google Analytics results in the transfer of personal data to the US, one needs to answer the question whether such transfer is in compliance with Chapter V of the GDPR. Here, we find the following considerations of the authority problematic:
All in all, the above thoughts show that it is far from clear that "the use of Google Analytics is illegal" in Europe, as Max Schrems, honorary chair of noyb.eu has claimed. The Austrian case demonstrates, however, that the legal analysis very much depends on the specific facts of the case and on the parties involved in the proceedings presenting the authority with the relevant facts and arguments. It will be interesting to see whether the decisions of the data protection authorities will be challenged in court and how courts, potentially the ECJ, will deal with the above questions. Until the situation has been clarified, we believe website publishers should take the steps described above to minimize their risks, unless they want to move away from US-owned service providers. From a purely legal point of view, the decisions rendered only apply to the cases that have been considered by the authorities at hand. According to our knowledge, so far no fines have been imposed on publishers. Yet, in view of the current situation concerning the topic of international transfers of personal data, we would not be surprised to see more decisions such as the Austrian one even where publishers follow the steps described above.
Author: David Rosenthal
Category: Data & Privacy
Das revidierte Schweizer Datenschutzgesetz tritt per 1. September 2023 in Kraft. Es zwingt...
Das Modell Rosenthal berechnet, wie gross das Risiko der Datenherausgabe ist, wenn Unternehmen und...
At the end of December 2022 the transition period for checking and updating your con-tracts and...
Opt-in for our regular updates, news, views, insights and more.