Google Analytics and GDPR

Google Analytics and GDPR: A win for privacy activists

The recent decision around the use of Google Analytics underlines the continuing battles between EU privacy regulators and big tech.  It should be of interest to all Australian organisations, even those that don’t operate in the EU.

Background

In January 2022, the Austrian Data Protection Authority determined that the use of Google Analytics violates the EU General Data Protection Regulation (GDPR) because it breaches the GDPR’s cross-border data transfer provisions.

This particular case considered by the Austrian Data Protection Authority related to the Austrian website of medical news company NetDoktor. The website works like millions of others, using Google cookies which enable tracking including the pages visitors read, how long they are on the website, and information about the devices used to access the pages—with Google also assigning an identification number to each browser that can be linked to other data.

NetDoktor can use this analytics data to see how many readers it has and what they’re interested in; the website operator chooses what is collected. However, all of this data passes through Google’s servers and ends up in the United States.

Supplementary measures

Transfers of personal data from the EEA to the U.S. have been problematic since the July 2020 “Schrems II” decision of the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield agreement and also found that standard contractual clauses may need to be supported by supplementary measures to ensure adequate protection from U.S. government surveillance.

The Austrian regulator determined that the supplementary measures implemented by Google, including government access transparency reports and encryption of data, were insufficient to provide the protection from U.S. government surveillance required following the Schrems II decision.

The Authority assessed in detail each of the supplementary measures Google had put in place (as part of its Standard Contractual Clauses with all Google Analytics users) and concluded that these were not “effective” in providing for an adequate level of data protection.

The supplementary measures considered included:

  • notifying the data subjects about government access requests;
  • publication of a transparency report;
  • examining each data access request made by public authorities for compliance with applicable law;
  • applying encryption technologies;
  • applying IP anonymization functionalities, and
  • applying pseudonymization techniques.

According to the Authority, as long as Google can access the personal data (in this case, online identifiers) in plain text, these technical measures are not effective to protect the personal data at issue.[1]

The Authority also decided that the configuration options available to customers, including truncating IP addresses, are insufficient to prevent re-identification, potentially by Google or the U.S. government, because the browser identifier that links a visitor’s hits together is still transferred in plain text.
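The following Python illustration is added here to make the regulator’s reasoning concrete; it is not code from the page, from NetDoktor or from Google. It assumes the truncation rule Google documents for its IP anonymization option (last octet zeroed for IPv4, last 80 bits for IPv6) and uses constructed sample hits with made-up client IDs and documentation-range IP addresses. It shows that truncation reduces how precisely an IP address identifies a visitor, while the browser-scoped client ID, which is unaffected by the option, still reconstructs each browser’s reading history on its own.

```python
import ipaddress
from collections import defaultdict


def anonymize_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address or the last 80 bits of an IPv6
    address. This mirrors the rule Google publishes for the Analytics IP
    anonymization option; it is an illustration, not Google's implementation."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


# Constructed sample hits in the shape an analytics collector receives:
# a browser-scoped client ID (the value carried in the _ga cookie), the
# visitor's IP address and the page viewed. IDs and addresses are made up.
HITS = [
    {"cid": "GA1.2.123456789.1641000000", "ip": "203.0.113.77", "page": "/diabetes"},
    {"cid": "GA1.2.123456789.1641000000", "ip": "203.0.113.91", "page": "/insulin-dosing"},
    {"cid": "GA1.2.987654321.1641000100", "ip": "203.0.113.12", "page": "/flu-symptoms"},
    {"cid": "GA1.2.987654321.1641000100", "ip": "2001:db8:abcd:1234:5678:9abc:def0:1234", "page": "/flu-vaccine"},
]


def distinct_ips(hits, anonymize: bool) -> int:
    """Count how many distinct IP keys the hits produce, raw or truncated.
    Truncation collapses addresses that share a /24 (or /48) into one key."""
    keys = {anonymize_ip(h["ip"]) if anonymize else h["ip"] for h in hits}
    return len(keys)


def browsing_history_by_client_id(hits) -> dict:
    """Link hits through the client ID alone. The IP address is not used at
    all, yet each browser's sequence of pages is fully reconstructed."""
    history = defaultdict(list)
    for h in hits:
        history[h["cid"]].append(h["page"])
    return dict(history)


if __name__ == "__main__":
    print("distinct raw IPs:", distinct_ips(HITS, anonymize=False))
    print("distinct truncated IPs:", distinct_ips(HITS, anonymize=True))
    for cid, pages in browsing_history_by_client_id(HITS).items():
        print(cid, "->", pages)
```

Truncation turns four raw addresses into two network prefixes, so the IP address alone no longer singles out a visitor. The client ID needs no IP at all to tie the diabetes and insulin pages to one browser and the flu pages to another, which is why the Authority treated IP anonymization as a partial measure rather than an effective one while the identifier itself remains readable to the importer.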

Other findings

Google as a processor or controller?

The Austrian Authority decided that Google is a “processor” with respect to its processing of data under its Google Analytics service.  However, this is subject to a “further official review” on this point.

Notably, this decision conflicts with the German supervisory authorities’ May 2020 statement that Google could not be considered a processor but should instead be considered a joint controller with website operators deploying Google Analytics.  It once again demonstrates that the “controller” and “processor” concepts are often difficult to apply in practice.

Penalty?

The case was brought against Google LLC. The Austrian Authority found that, as Google was the data importer rather than the exporter, no penalty could be levied against the Google entity involved.  In this scenario, the website operator from whose site the analytics information was collected by Google and exported to the US was the exporter, and so it was the operator, not Google, that was in breach of the GDPR.

Google Analytics and GDPR: EDPS view

Just days before the Austrian DPA’s decision, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR related to its COVID-19 test booking website launched in September 2020.

The website was found to be using cookies associated with Google Analytics and Stripe, while the EDPS said Parliament failed to demonstrate measures to safeguard associated data transfers to the U.S.

Google Analytics and GDPR: NOYB

The decision by the Austrian DPA is the first of 101 complaints filed across EU countries by advocacy group NOYB (None of Your Business) alleging that companies using Google Analytics were not complying with the July 2020 “Schrems II” decision of the Court of Justice of the European Union.  NOYB’s Max Schrems believes “more decisions on the use of U.S. providers” are expected in the coming months, “as other cases are also due for a decision.”

The Dutch Data Protection Authority said it is investigating two complaints in the Netherlands on the use of Google Analytics. Noting an anticipated decision in early 2022, the DPA said, “the use of Google Analytics may soon not be allowed.”

Google Analytics and GDPR: Impact

The impact of this decision is not limited to those who use Google Analytics. It may affect all EU data exporters that use services provided by entities outside the EU, especially those in the U.S., but also those in Australia.

The effect of the decision will be to make it ever more difficult to determine ways to transfer personal information out of the EEA to countries without adequacy findings (like Australia).

US big tech companies are keen for the US government to find a solution to the impasse on EEA-US cross-border transfers post Schrems II. In a blog post published on Wednesday, Google’s President of Global Affairs and Chief Legal Officer Kent Walker urged the EU and U.S. governments to finalize a successor to the Privacy Shield agreement. Walker said Google has offered analytics-related services to businesses around the world for more than 15 years “and in all that time has never once received the type of demand the DPA speculated about” (that is, a demand from US government agencies).

Cases like this one will increase pressure on negotiators in the US and Europe who are trying to replace Privacy Shield with a new way for data to flow between the two. If an agreement takes too long, then similar cases across Europe could have a domino effect, with cloud services from Amazon, Facebook, Google, and Microsoft all potentially being ruled incompatible, one country at a time.

What does this mean for Australia?

Although this decision of the Austrian regulator does not outlaw the use of Google Analytics and similar services, it is a warning for all organisations to be careful about the tools they’re using.

Although it’s not entirely clear under Australia’s Privacy Act whether the data transferred as part of Google Analytics would be treated as personal information, amendments currently being discussed would make that position much more certain, and could raise issues for Australian organisations regarding the use of services like Google Analytics and the transfer to the US of the information collected.

So far, transfers from the EU to Australia have escaped regulatory review.

Any agreement reached by the EU and US on data flows may help Australian organisations work out how best to manage transfers from the EU. This will certainly become an issue at some stage for Australian organisations particularly as there seems to be no real will to amend the Privacy Act to move Australia closer to being recognised as ‘adequate’ by the EU.

[1] https://www.insideprivacy.com/eu-data-protection/austrian-supervisory-authority-finds-that-website-deploying-google-analytics-carried-out-unlawful-transfers-to-the-us/

If you need help negotiating the complexities of the GDPR, contact us for a no obligation, free discussion on your requirements.
