Austria’s data regulator has found that the use of Google Analytics is a breach of GDPR. In the absence of a new EU-US data deal, other countries may follow.
The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing. The watchdog found that the IP address and the identifiers stored in cookies are personal data of site visitors, so these transfers fall within the scope of the EU’s General Data Protection Regulation (GDPR). On their own, these identifiers may be hard to link to a specific individual, but they can be combined, like a “puzzle piece”, with other digital data to identify a visitor.
Consequently, the Austrian DPA found that the website in question, which had been exporting visitors’ data to the US by implementing Google Analytics (as countless other websites do as a matter of routine), had violated Chapter V of GDPR. The problem with this export is that US intelligence services use precisely such online identifiers (the IP address, unique identification numbers) as a starting point for the surveillance of individuals.
In reaching its conclusion, the regulator assessed the various measures Google said it had implemented to protect the data in the US, such as encryption at rest in its data centres and its claim that the data “must be considered as pseudonymous”, but did not find that sufficient safeguards had been put in place to effectively block US intelligence services from accessing the data, as the GDPR standard requires. The reasoning is simple: encryption at rest where the provider itself holds the keys protects against a stolen disk, not against a lawful request served on the key holder. As long as Google can access the data in plain text, the technical measures invoked cannot be considered effective.
The DPA thus dismissed wholesale any legally relevant effect of the bundle of “Technical and Organizational Measures” (such as standard encryption) that Google had cited in an attempt to paper over compliance and keep EU-to-US data transfers, and business as usual, going.
Now that Austria has come to this conclusion, other EU countries (and countries with similar views on privacy) may well follow suit; after all, Google Analytics is everywhere online. It would not be surprising if other US data-driven giants, such as Facebook, end up in the same category.
In today’s digital world, using such analytics tools may seem intensely normal, but legally speaking, in the EU, it is anything but, because EU-to-US transfers of personal data have been clouded in legal uncertainty for nearly a decade due to ongoing clashes between European privacy rights and US surveillance law. The latter affords foreigners no rights over how their data is scooped up and snooped on, nor any route to legal redress for whatever happens to their information once it is in the US. EU law says European levels of protection must travel with the data; US law, in effect, says ‘we’ll do what we like with it, thanks’.
This case follows a landmark ruling by the CJEU in July 2020 (commonly known as Schrems II), which struck down the Commission’s successor data transfer arrangement, Privacy Shield, relied upon since 2016 by thousands of companies to rubber-stamp their US transfers. That ruling did not outlaw personal data transfers to so-called third countries entirely, which is why these data flows did not cease overnight. However, it clarified that such data flows must be risk-assessed on a case-by-case basis, and it made clear that DPAs could not simply turn a blind eye to compliance.
The European Data Protection Board’s (EDPB) guidance confirmed that personal data transfers out of the EU may still be possible if a narrow set of circumstances and/or conditions apply: for example, the data being genuinely anonymised so that it truly is no longer personal data, or a suite of supplementary measures being applied to raise the level of legal protection, such as robust end-to-end encryption with the keys held only in the EU, so that no US entity can access the decrypted data.
The problem for firms like Google and Facebook is that their business models are all about accessing people’s data. So it is not clear how such data-mining giants could apply supplementary measures that cut off their own access to this core business data without a fundamental change of model.
The Austrian DPA decision makes it clear that Google’s current package of measures, related to how it operates Google Analytics, is not adequate because it does not remove the risk of surveillance agencies accessing people’s data.
How do we solve this without losing analytics data?
If there is one thing to learn from this case, it is that ignoring these rulings and continuing to use Google Analytics is not a viable option. If you operate a website in Austria it is something to resolve straight away. If you are in any other EU country then it is something you should keep an eye on and make a plan for now.
Removing Google Analytics from your site does not mean that you need to give up website analytics altogether, as there are a variety of alternatives available today. CuCo has been using Matomo in tandem with GA for quite some time now. Matomo in particular is a powerful open-source web analytics platform that gives you 100% data ownership: we host the software ourselves, so the data is never transferred to third-party servers. That removes the US transfer problem at the heart of the Austrian decision, so you can get the insights you need while remaining compliant; the remaining GDPR obligations (a lawful basis for tracking, cookie consent where required, IP anonymisation and data retention) still need to be configured in Matomo. As a bonus, you can import your historic GA data, so you lose nothing.
Update 14 Feb 2022
And the dominoes start to fall: France joins Austria. The French Data Protection Agency, CNIL (Commission nationale de l’informatique et des libertés), has concluded that the data transfers to the US resulting from the use of Google Analytics are illegal under GDPR. The CNIL has begun issuing formal notices to website managers using Google Analytics.