7 March 2022

Close up of Google Analytics main page on the web browser.

Many website operators in Europe are at a loss: Is Google Analytics illegal? This is what recent decisions and statements by European Data Protection Authorities suggest, and some of them even say so directly. On closer inspection the situation is less black and white. Google Analytics can, in our view, be used in compliance with the GDPR. We will explain how and why. The decisions reflect a trend among data protection authorities towards a fundamentalist and absolutist view of data protection, pushing the GDPR into a corner where many say it was never intended to be.

Following a series of complaints filed by the non-profit organization noyb.eu in 2020 against 101 EEA websites using Google Analytics or Facebook Connect, EEA data protection authorities have started issuing rulings against the websites, declaring their use of Google Analytics noncompliant with the GDPR. The Austrian Data Protection Authority was first on December 22, 2021, with the French Data Protection Authority CNIL following on February 10, 2022. Since the European Data Protection Board (EDPB) "coordinated" the reaction to the complaints by noyb.eu, supposedly with a model response, more such "copy & paste" decisions are to be expected (see also Kuan Hon's collection of links on the topic and her paper summarizing enforcement activities in the broader context of Schrems II).

Note that we have not been involved in any of the proceedings discussed here or other similar proceedings related to Google Analytics. This blog reflects the personal opinion of its author and not necessarily the view of any client (or even Google). We have been asked by publishers seeking independent advice on what they should do about their use of Google Analytics following the decisions mentioned. We analyzed the situation and came up with specific proposals. With this blog, we want to share our views and recommendations publicly; they and the related TIA are, however, not legal advice, provided for informational purposes only, and to be used at your own risk.

Before we do a deep dive, it is necessary to understand the bigger picture. It has become obvious that noyb.eu and many EEA data protection authorities want to force EEA website operators to switch to EEA-based solutions and, in any event, to stop using Google Analytics regardless of how it is implemented. In our view, however, the discussion concerning the use of US-owned service providers appears to be first and foremost a political one. While there may be reasons for pushing in that direction, a discussion about the legality of services such as Google Analytics or of other US-based providers should be based on facts and law. We have the impression that this is not always the case, and that even data protection authorities are today engaging in what appears to be a mere "power game" between some parties in Europe and in the US; in private discussions, representatives of data protection authorities also admit that they are simply clueless about how to reasonably deal with Schrems II.

The Google Analytics decisions seem to fall into this category. When we talk to our peers, many are worried that the principles set out in these decisions (and similar decisions, such as in the Google Fonts matter) will also be applied in other cases. The attempt to redefine the term "personal data" so that it no longer requires identifiability is one example (we discuss it below). While we understand why some data protection authorities are pushing in that direction, we believe that de lege lata and de lege ferenda should be clearly distinguished. Carey Lening recently described the current trend as a dangerous game that regulators are playing on the Internet. The ones suffering today are the many European businesses and other organizations that want to properly implement state-of-the-art online techniques but, even with a lot of goodwill, cannot understand the attitude and position of many EEA data protection authorities. They fear finding themselves between a rock and a hard place and hope that they can remain under the radar until the topic of international transfers is dealt with more reasonably again. We also have the impression that there are more important issues to be dealt with in data protection than the often only theoretical risk of US intelligence authorities accessing the data of offerings such as Google Analytics. The clear and present risk of ransomware and other cyberattacks is only one example.

The Austrian Case

The Austrian decision was the first and the most detailed one, which is why we will focus on it. The decision relies on the manner in which Google Analytics had been implemented in the case at hand. This is important because Google Analytics can be implemented in several different ways, which has an impact on its assessment under the GDPR (and the Swiss Data Protection Act, which follows the same concepts concerning international transfers). In the Austrian case, noyb.eu chose as its target an implementation that did not use various features available for data protection compliance. Accordingly, the fact that the authority found this implementation non-compliant does not mean that other implementations of Google Analytics are non-compliant, too. Also, key findings and arguments of the authority are in our view incorrect or at least questionable. We will discuss them further below.

In the Austrian case, the authority, according to its decision, found or assumed the following (the references refer to the full-text decision in German):

  • Google Analytics was used without the user having consented to it (p. 39);
  • The website operator was the controller, and Google the processor (p. 32 et seq.);
  • The website operator had a contract directly with Google LLC, i.e. a US organization (thus, Chapter V of the GDPR was directly applicable to the transfer) (C.6);
  • The transfer was safeguarded by the old EU Standard Contractual Clauses (C.6, p. 35);
  • The feature for IP anonymization had not been implemented correctly and, therefore, did not work (C.7, C.9);
  • The transfer apparently occurred without a prior assessment of the risk of prohibited foreign lawful access pursuant to Section 702 FISA and EO 12.333 (as required per the ECJ decision of July 16, 2020 – Schrems II); this is not expressly stated in the decision, but the authority finds that the website publisher "continued" to use Google Analytics even after the Schrems II decision, which first introduced the obligation to perform such transfer impact assessments (p. 32);
  • Every access to the website caused it to send Google two unique IDs, which the authority apparently believed permitted Google to track users across different websites; one of its arguments as to why a unique ID is identifiable information was that Google's intention is to use Google Analytics to collect information about website users from as many websites as possible, an argument that only makes sense if one assumes that the website IDs collected by Google Analytics can be connected across all websites, broadening the uniqueness of the user's "digital footprint", as the authority pointed out (p. 29);
  • Google Signals (which we will discuss in detail below) was not activated by the website publisher (C.4);
  • At least one user of the website (i.e. the complainant) was logged into their Google account while using the website at issue (C.8);
  • If a user is logged into their Google account while using the website, Google is able to link the Google Analytics data obtained from the user with data of the user's Google account (C.10), and the authority apparently believed that Google links such data with Google Analytics data once the user activates the option "Ads Personalisation" in his or her Google account – such an option would otherwise not make any sense in the authority's view (p. 31, 39);
  • The data sent to Google is not considered pseudonymized, because individuals can be singled out (p. 38);
  • Google has possession, custody and control of Google Analytics data in clear text, because it is technically able to access the data in that form (p. 38);
  • Google's Transparency Report indicated that 0-499 requests were received in any relevant period (C.6, p. 35);
  • Access requests by US intelligence authorities did occur (p. 32, 35);
  • US intelligence authorities are able to track at least some users based on their unique IDs or IP addresses collected through Google Analytics when surfing on the Internet, based on pre-existing information they may have, and it is more than just a theoretical possibility that they are identified (p. 31 et seq., 39).

Furthermore, the EDPB's "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data" were apparently treated as de facto binding by the authority. They were applied to the case without validation (see, for example, p. 37 et seq.).

The following chart illustrates the above assumptions and findings of the authority:
