Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed)
On January 13, 2022, the Austrian data protection authority (DSB) ruled that the continuous use of the world-famous web analytics program, Google Analytics, violates the EU's General Data Protection Regulation (GDPR).
Not unexpectedly, the French data protection authority (CNIL) supported this decision in a ruling delivered on February 10, 2022.
These are the first decisions from EU data protection authorities (DPAs) in response to the 101 complaints filed by the privacy advocacy group, NOYB ("None of Your Business"), led by privacy activist Max Schrems.
Moreover, these decisions (and presumably more to come) could have a significant impact with far-reaching implications for U.S. cloud service providers and European websites going forward.
In this article, we'll walk you through what happened, the possible impact on Google Analytics and EU websites, and what steps you can take to avoid violations and prepare for significant changes to come.
One of our many testimonials:
On July 16, 2020, the European Court of Justice (CJEU) issued a verdict that rendered the EU-US Privacy Shield invalid. Essentially, the court determined that the transfer of personal data to the U.S. violates the GDPR if the recipient can't guarantee the data's protection from U.S. surveillance and intelligence agencies.
In other words, transferring data to certain U.S companies who are subject to U.S. surveillance laws is illegal under the GDPR unless additional safeguards are implemented.
The surveillance laws relevant to the ruling are as follows:
This groundbreaking decision was subsequently named the Schrems II ruling as it was borne out of the legal proceedings initiated by the NOYB group chairperson, Max Schrems.
In light of the EU-US Privacy Shield invalidation and the Schrems II decision, EU data exporters turned to Standard Contractual Clauses (SCCs) in an effort to ensure the legitimate transfer of personal data to third countries (i.e., countries outside the EU region that manage personal data).
Now, although the CJEU did not invalidate SCCs for international transfers, data exporters are required to evaluate whether these SCCs provide sufficient protection, keeping in mind that the legal system and government agencies in third countries may get access to any transferred data.
What's more, data exporters must carry out a case-by-case analysis to assess the privacy risks involved in transferring personal data. They are also required to implement additional technical and organizational measures (TOMs) for data transfers where sufficient protection cannot be guaranteed.
That being said, recent events have proven that SCCs and TOMs may not be enough to guarantee the protection of transferred data from U.S. surveillance, leaving European DPAs no choice but to take decisive action. This brings us to the case of Google Analytics violating the GDPR.
In today's business landscape, the transfer of personal data has become a vital process without which many companies couldn't operate - at least not efficiently.
This was especially true for an Austrian website called NetDoktor who was charged by the NOYB group with illegally exporting personal data to the U.S. through its use of Google Analytics.
Despite implementing SCCs and TOMs, NOYB claimed that both NetDoktor and Google Analytics violated Chapter V of the GDPR in light of the Schrems II ruling by transferring the personal data of EU citizens to Google.
In its ruling, the Austrian DPA (DSB) found that NetDoktor did not correctly implement the IP address anonymization function provided by Google.
On the other hand, Google is subject to surveillance by U.S. intelligence agencies since it operates as an "electronic communication service provider" as defined in 50 USCS § 1881:
As such, Google may be ordered at any time to disclose the personal data it obtains from the EU and this violates the GDPR's data export requirements.
Furthermore, the DSB noted that the additional TOMs implemented by Google (as required by the Schrems II ruling) did not provide an adequate level of protection for personal data, as shown in the excerpt below:
"Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law."
The TOMs implemented by Google, in this case, are as follows:
Responding to the compliance claims made by Google, NOYB privacy activist, Max Schrems said in a statement:
"Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."
To sum up, the DSB upheld the complaints against NetDoktor and Google Analytics. It's also worth noting that the French DPA (CNIL) came to a similar conclusion weeks after the DSB's ruling.
Before we take a closer look at the EU DPA's ruling, it's important to understand how Google Analytics actually transfers the personal data of Europeans to the United States.
Google Analytics is a U.S.-based web analytics software used all over the world by websites to track the online activities of their users.
By integrating Google Analytics on a website, cookies (or similar online identifiers) are placed on that website by Google to monitor the online behavior of website users.
While these cookies primarily collect data to help website owners improve browsing experience and website functionality, Google also receives the data gathered by such cookies.
In other words, data such as unique user identifiers, browser parameters, and IP addresses are transferred back to Google in the United States.
Although it was argued whether the data collected by these cookies could be classified as personal data, the DSB decided that cookie data can (together with other unique identifiers) single out a specific user.
Therefore, cookies and similar identifiers constitute personal data.
Now, let's see the highlights of the EU DPAs ruling regarding Google Analytics.
Employing the Schrems II ruling as a legal authority, the DSB concluded that both NetDoktor (in its role as a data exporter) and Google Analytics violated the GDPR.
This was the first decision in response to the 101 complaints filed by NOYB regarding EU-US data transfers.
The highlights of the ruling are as follows:
The DSB held that the SCCs and TOMs implemented between NetDoktor and Google did not provide an adequate level of protection for the following reasons:
The DSB denied the complaints filed against Google LLC itself as a data importer, maintaining that the legal obligations regarding data transfers apply only to the data exporter.
However, the DSB stated that it will further investigate Google with regard to the possible violations of Articles 5, 28, and 29 of GDPR.
The DSB is yet to issue an official penalty for NetDoktor's GDPR violation. This is because the company was initially based in Austria but is now based in Germany as a result of a merger. Therefore, the DSB will refer the case to the suitable German DPA.
According to Max Schrems:
"We would assume that there is also a penalty for the EU data exporter, but we only received a partial decision so far that does not deal with this question."
Much like the DSB's ruling, the French DPA (CNIL) held that the transfer of EU data to the U.S. through Google Analytics violates Article 44 of the GDPR.
In response to the complaints filed by NOYB, the CNIL ordered an undisclosed French website to comply with the GDPR's data transfer rules within one month, and suggested either:
This is likely only the beginning of a coordinated response from EU DPAs regarding data transfers between the EU and the U.S., as announced by Max Schrems:
"We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week."
Now that we're clear on how Google Analytics violates the GDPR, let's take a look at how businesses are affected and what steps can be taken to prepare for the coming changes.
Following the invalidation of the EU-US Privacy Shield to facilitate data transfers, virtually all data exporting organizations relied on SCCs and TOMs in an effort to ensure adequate protection for personal data.
However, in light of the Google Analytics saga, it appears that both SCCs and TOMs can no longer guarantee the absolute protection of personal data.
This chain of events all but threw organizations into a world of uncertainty, with no clear guidance or viable solution to legally transfer personal data to the United States.
However, recent developments by the European Commission and the U.S. may change this.
Let's take a look.
The EU made a major announcement that could put many months of legal uncertainty to rest with regard to EU-US data transfers. In the announcement, the EU stated that it had reached an agreement with the U.S. on a modified transatlantic data flow deal to replace the previously annulled Privacy Shield.
Addressing the introduction of the new framework, the European Commission President, Ursula von der Leyen, posted a tweet on March 25, 2022, as shown below:
Several privacy advocates (including Max Schrems), however, expressed reservations about the new deal, declaring it to be another version of the invalidated Privacy Shield.
Responding to the tweet above, Max Schrems said:
"Seems we do another Privacy Shield, especially in one respect: Politics over law and fundamental rights. This failed twice before. What we heard is another 'patchwork' approach but no substantial reform on the U.S. side. Let's wait for a text but my first bet is it will fail again."
On the other hand, the responses from representatives of tech giants like Google and Meta were unsurprisingly optimistic.
To shed a little more light on the development, the White House released a fact sheet that details what can be expected from the new transatlantic data framework.
Until the official text of the new data transfer framework is released by the European Commission (which may take some months), organizations can stay compliant by taking certain measures.
In other words, if your company currently uses Google Analytics and does business in the European Economic Area (EEA) or processes the personal data of EU citizens, it's recommended that you take the following steps:
Although the European Commission and the U.S. government have taken measures to ensure a safe, legal way to facilitate data transfers, it remains to be seen whether the new transatlantic framework will stand the test of time.
Privacy advocates like Max Schrems remain skeptical about the new data transfer framework, claiming that in the long run, there are only two options:
"In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator - not to anyone in Europe."
Whatever the outcome, this series of events serves as an important reminder for your business to be proactive in its GDPR-compliance efforts by: