The integration of Google Analytics on websites violates the General Data Protection Regulation (GDPR), according to a recent decision by the Austrian Data Protection Authority (DSB). It is the first decision on the 101 model complaints that the Viennese non-profit organization Noyb of data protection officer Max Schrems submitted across Europe following the so-called “Schrems II” decision. In 2020, the European Court of Justice (ECJ) ruled that using US providers violates the GDPR, as US surveillance laws oblige US providers such as Google or Facebook to transmit personal data to US authorities.
After the model complaint, an interesting debate was sparked: Is the use of Google Analytics in the EU illegal? According to Max Schrems, the transmission of unique user ID numbers, IP addresses, and browser parameters is not sufficiently protected by the standard contractual clauses that Google offers. In other words, the Austrian data protection authority found that Google’s analytics tool violated the European GDPR by transferring users’ personal data to Google in the U.S.
The DSB sees Article 44 of the GDPR violated because the analysis software transmits personal user information to Google’s corporate headquarters in the USA, where it is not protected from access by US authorities. Many now take the view that Austrian companies can no longer use Google Analytics lawfully, and that the DSB’s judgment in this individual case (concerning netdoktor.at in 2020) can be transferred to all other web services of European companies.
This is not true, according to the agency e-dialog, which specializes in Google and data-driven advertising and has branches in Vienna, Düsseldorf, and Zurich. “Current news incorrectly reports that Google Analytics is no longer data protection compliant after a decision by the Austrian data protection authority,” the agency says in a recent mailing and blog post to its customers. The statement should not be generalized; Google Analytics can still be used in the EU in compliance with data protection law. In the Netdoktor case, for example, there was no cookie consent mechanism in place during the period to which the DSB judgment refers, something that is now standard on many websites.
5 points to consider
According to the agency e-dialog, website operators can continue to use Google Analytics if the following points are taken into account:
- Accept DPAs from Google: Google has updated the Google Data Processing Terms for all Google Products (DPAs) to reflect the new versions of the Standard Contractual Clauses. Accept the new Google DPAs in the Google Analytics settings.
- Reference in the privacy policy to a possible data transfer to third countries.
- Obtain user consent: “This means that you can only fire Google Analytics if you have received consent to do so and can also save and provide information about it. A consent management platform (CMP) makes this process easier,” says e-dialog.
- Correct configuration of Google Analytics: According to the experts at e-dialog, no personal data may flow into Analytics during setup. You should therefore make use of IP anonymization.
- Switch to server-side tracking: “Server-side tracking is not only a suitable solution for increasing the lifespan of 1st-party cookies and bypassing some tracking blockers, but you also have the option of adapting the data before it is sent to Google Analytics,” says e-dialog. “In concrete terms, this means, for example, that the IP addresses of the users are completely removed before the data is sent to Google Analytics.”
- Data catalyst: According to Klaus Müller, co-CEO and co-founder of the startup Jentis, you have to pay attention to the details. Server-side tracking from Google in the Google Cloud is not enough; you need a data catalyst in front of Google that anonymizes the data, and Jentis offers such a tool. Even if the Google Cloud is in Europe, i.e. the data is on servers located in Europe, US authorities can access the data via the US Cloud Act.
“That’s why it’s so important that personal or related data is anonymized or encrypted beforehand and ‘outside’ Google, with a European compliance tool that cannot be accessed externally. This is the only way companies can ensure that the relevant data is adequately protected. This step falls under the obligation for companies to take additional measures if necessary to compensate for gaps in protection in the legal systems of third countries,” says Müller. However, Siegfried Stepke from e-dialog replies that the server-side part of Google Analytics can also be set up in such a way that everything is compliant. You don’t necessarily need middleware.
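To make the consent, configuration and server-side points above concrete, here is a small pre-processor of the kind that would sit between the browser and Google Analytics. It is example code written for this article, not a tool from e-dialog, Jentis or Google; the event field names and the consent record shape are assumptions.

```python
import ipaddress
from typing import Optional

# Fields a hit may carry onward. Assumed names for this example, not Google's
# Measurement Protocol parameters. The cookie-based client_id is exactly the
# kind of unique ID the DSB objected to, so forwarding it is a policy decision.
ALLOWED_FIELDS = {"client_id", "page_path", "page_title", "event_name"}


def anonymize_ip(ip: str) -> str:
    """Google-style IP anonymization: zero the last octet of an IPv4 address
    or the last 80 bits of an IPv6 address, so no single host is identified."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))
    return str(ipaddress.IPv6Address(int(addr) >> 80 << 80))


def prepare_hit(event: dict, consent: dict, drop_ip: bool = True) -> Optional[dict]:
    """Build the payload to forward to Google Analytics, or return None when
    the hit must not be sent at all.

    event   - raw hit as received from the browser (constructed shape)
    consent - the visitor's recorded CMP choices, e.g. {"analytics": True}
    drop_ip - True removes the IP entirely (the e-dialog variant);
              False forwards a truncated address instead
    """
    # No recorded consent, no hit: nothing reaches Google without an opt-in.
    if not consent.get("analytics", False):
        return None
    # Allow-list, not block-list: unexpected fields (email, user agent, ...)
    # never leave the server by accident.
    hit = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    # Query strings often carry personal data (e.g. an e-mail in a campaign
    # link), so only the path is kept.
    if "page_path" in hit:
        hit["page_path"] = hit["page_path"].split("?", 1)[0]
    client_ip = event.get("client_ip")
    if client_ip and not drop_ip:
        hit["client_ip"] = anonymize_ip(client_ip)
    return hit


if __name__ == "__main__":
    # Constructed sample hit, not captured from a real site.
    sample = {"client_id": "GA1.2.123.456", "client_ip": "203.0.113.77",
              "page_path": "/account?email=alice%40example.org",
              "user_agent": "Mozilla/5.0", "email": "alice@example.org"}
    print(prepare_hit(sample, {"analytics": True}))
    print(prepare_hit(sample, {"analytics": False}))
```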
Of course, the judgment of the DSB is also an opportunity to find out about possible alternatives to Google Analytics. Trending Topics will soon bring an overview.
Note: Details of e-dialog and Jentis in terms of server-side tracking, compliance, and middleware have been added.