(Editor's Note: In January of 2023, the EU-U.S. Data Privacy Framework was approved and replaces the old Privacy Shield framework mentioned in this article.)
On January 13, 2022, the Austrian data protection authority (DSB) ruled that the continuous use of the world-famous web analytics program, Google Analytics, violates the EU's General Data Protection Regulation (GDPR).
Not unexpectedly, the French data protection authority (CNIL) supported this decision in a ruling delivered on February 10, 2022.
These are the first decisions from EU data protection authorities (DPAs) in response to the 101 complaints filed by the privacy advocacy group, NOYB ("None of Your Business"), led by privacy activist Max Schrems.
Moreover, these decisions (and presumably more to come) could have a significant impact with far-reaching implications for U.S. cloud service providers and European websites going forward.
In this article, we'll walk you through what happened, the possible impact on Google Analytics and EU websites, and what steps you can take to avoid violations and prepare for significant changes to come.
One of our many testimonials:
- 1. A Little Context
- 2. Data Transfers Through Google Analytics Violates the GDPR
- 2.1. How Does Google Analytics Transfer Personal Data to the U.S.?
- 3. The DSB's Ruling
- 4. The CNIL's Ruling
- 5. How the EU DPA's Ruling Affects Businesses
- 5.1. Recent Developments
- 5.2. Recommended Steps to Avoid GDPR Data Transfer Violations
- 6. Summary
A Little Context
On July 16, 2020, the European Court of Justice (CJEU) issued a verdict that rendered the EU-U.S. Privacy Shield invalid. Essentially, the court determined that the transfer of personal data to the U.S. violates the GDPR if the recipient can't guarantee the data's protection from U.S. surveillance and intelligence agencies.
In other words, transferring data to certain U.S. companies who are subject to U.S. surveillance laws is illegal under the GDPR unless additional safeguards are implemented.
The surveillance laws relevant to the ruling are as follows:
- Section 702 of the Foreign Intelligence Surveillance Act (FISA 702)
- Executive Order 12333 (EO 12333)
- Presidential Policy Directive 28 (PPD-28)
This groundbreaking decision was subsequently named the Schrems II ruling as it was borne out of the legal proceedings initiated by the NOYB group chairperson, Max Schrems.
In light of the EU-US Privacy Shield invalidation and the Schrems II decision, EU data exporters turned to Standard Contractual Clauses (SCCs) in an effort to ensure the legitimate transfer of personal data to third countries (i.e., countries outside the EU region that manage personal data).
Now, although the CJEU did not invalidate SCCs for international transfers, data exporters are required to evaluate whether these SCCs provide sufficient protection, keeping in mind that the legal system and government agencies in third countries may get access to any transferred data.
What's more, data exporters must carry out a case-by-case analysis to assess the privacy risks involved in transferring personal data. They are also required to implement additional technical and organizational measures (TOMs) for data transfers where sufficient protection cannot be guaranteed.
That being said, recent events have proven that SCCs and TOMs may not be enough to guarantee the protection of transferred data from U.S. surveillance, leaving European DPAs no choice but to take decisive action. This brings us to the case of Google Analytics violating the GDPR.
Data Transfers Through Google Analytics Violates the GDPR
In today's business landscape, the transfer of personal data has become a vital process without which many companies couldn't operate - at least not efficiently.
This was especially true for an Austrian website called NetDoktor who was charged by the NOYB group with illegally exporting personal data to the U.S. through its use of Google Analytics.
Despite implementing SCCs and TOMs, NOYB claimed that both NetDoktor and Google Analytics violated Chapter V of the GDPR in light of the Schrems II ruling by transferring the personal data of EU citizens to Google.
In its ruling, the Austrian DPA (DSB) found that NetDoktor did not correctly implement the IP address anonymization function provided by Google.
On the other hand, Google is subject to surveillance by U.S. intelligence agencies since it operates as an "electronic communication service provider" as defined in 50 USCS § 1881:
As such, Google may be ordered at any time to disclose the personal data it obtains from the EU and this violates the GDPR's data export requirements.
Furthermore, the DSB noted that the additional TOMs implemented by Google (as required by the Schrems II ruling) did not provide an adequate level of protection for personal data, as shown in the excerpt below:
"Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law."
The TOMs implemented by Google, in this case, are as follows:
- Notifying users about government access requests to the extent permitted
- Publishing a transparency report or a "guideline for handling government inquiries"
- Thoroughly evaluating every data access request
- Protecting communication between Google services
- Protecting data in transit between data centers
- Protecting communications between users and websites or an "on-site security"
- Implementing encryption software, and
- Pseudonymization of personal data
Responding to the compliance claims made by Google, NOYB privacy activist, Max Schrems said in a statement:
"Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."
To sum up, the DSB upheld the complaints against NetDoktor and Google Analytics. It's also worth noting that the French DPA (CNIL) came to a similar conclusion weeks after the DSB's ruling.
Before we take a closer look at the EU DPA's ruling, it's important to understand how Google Analytics actually transfers the personal data of Europeans to the United States.
How Does Google Analytics Transfer Personal Data to the U.S.?
Google Analytics is a U.S.-based web analytics software used all over the world by websites to track the online activities of their users.
By integrating Google Analytics on a website, cookies (or similar online identifiers) are placed on that website by Google to monitor the online behavior of website users.
While these cookies primarily collect data to help website owners improve browsing experience and website functionality, Google also receives the data gathered by such cookies.
In other words, data such as unique user identifiers, browser parameters, and IP addresses are transferred back to Google in the United States.
Although it was argued whether the data collected by these cookies could be classified as personal data, the DSB decided that cookie data can (together with other unique identifiers) single out a specific user.
Therefore, cookies and similar identifiers constitute personal data.
Now, let's see the highlights of the EU DPAs ruling regarding Google Analytics.
The DSB's Ruling
Employing the Schrems II ruling as a legal authority, the DSB concluded that both NetDoktor (in its role as a data exporter) and Google Analytics violated the GDPR.
This was the first decision in response to the 101 complaints filed by NOYB regarding EU-U.S. data transfers.
The highlights of the ruling are as follows:
- The DSB maintained that NetDoktor had transferred EU personal data, including user identifiers, browser data, and IP addresses to Google.
The DSB held that the SCCs and TOMs implemented between NetDoktor and Google did not provide an adequate level of protection for the following reasons:
- Google is subject to U.S. intelligence and surveillance laws
- The additional safeguards implemented by Google are not enough to prevent U.S. intelligence from accessing the transferred personal data
The DSB denied the complaints filed against Google LLC itself as a data importer, maintaining that the legal obligations regarding data transfers apply only to the data exporter.
However, the DSB stated that it will further investigate Google with regard to the possible violations of Articles 5, 28, and 29 of GDPR.
The DSB is yet to issue an official penalty for NetDoktor's GDPR violation. This is because the company was initially based in Austria but is now based in Germany as a result of a merger. Therefore, the DSB will refer the case to the suitable German DPA.
According to Max Schrems:
"We would assume that there is also a penalty for the EU data exporter, but we only received a partial decision so far that does not deal with this question."
The CNIL's Ruling
Much like the DSB's ruling, the French DPA (CNIL) held that the transfer of EU data to the U.S. through Google Analytics violates Article 44 of the GDPR.
In response to the complaints filed by NOYB, the CNIL ordered an undisclosed French website to comply with the GDPR's data transfer rules within one month, and suggested either:
- Using alternative tools that do not transfer personal data outside the EU. For example, by using an EU-hosted web analytics program, or
- Stopping the use of Google Analytics under the current circumstances
This is likely only the beginning of a coordinated response from EU DPAs regarding data transfers between the EU and the U.S., as announced by Max Schrems:
"We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week."
Now that we're clear on how Google Analytics violates the GDPR, let's take a look at how businesses are affected and what steps can be taken to prepare for the coming changes.
How the EU DPA's Ruling Affects Businesses
Following the invalidation of the EU-US Privacy Shield to facilitate data transfers, virtually all data exporting organizations relied on SCCs and TOMs in an effort to ensure adequate protection for personal data.
However, in light of the Google Analytics saga, it appears that both SCCs and TOMs can no longer guarantee the absolute protection of personal data.
This chain of events all but threw organizations into a world of uncertainty, with no clear guidance or viable solution to legally transfer personal data to the United States.
However, recent developments by the European Commission and the U.S. may change this.
Let's take a look.
The EU made a major announcement that could put many months of legal uncertainty to rest with regard to EU-US data transfers. In the announcement, the EU stated that it had reached an agreement with the U.S. on a modified transatlantic data flow deal to replace the previously annulled Privacy Shield.
Addressing the introduction of the new framework, the European Commission President, Ursula von der Leyen, posted a tweet on March 25, 2022, as shown below:
Several privacy advocates (including Max Schrems), however, expressed reservations about the new deal, declaring it to be another version of the invalidated Privacy Shield.
Responding to the tweet above, Max Schrems said:
"Seems we do another Privacy Shield, especially in one respect: Politics over law and fundamental rights. This failed twice before. What we heard is another 'patchwork' approach but no substantial reform on the U.S. side. Let's wait for a text but my first bet is it will fail again."
On the other hand, the responses from representatives of tech giants like Google and Meta were unsurprisingly optimistic.
To shed a little more light on the development, the White House released a fact sheet that details what can be expected from the new transatlantic data framework.
Recommended Steps to Avoid GDPR Data Transfer Violations
Until the official text of the new data transfer framework is released by the European Commission (which may take some months), organizations can stay compliant by taking certain measures.
In other words, if your company currently uses Google Analytics and does business in the European Economic Area (EEA) or processes the personal data of EU citizens, it's recommended that you take the following steps:
- Implement Google Analytics only after getting explicit consent from users, making sure to inform them that their data may be transferred to the U.S., where it may be subject to legal access by U.S. intelligence agencies. If properly executed, this action is, in principle, enough to allow the lawful use of Google Analytics. The additional steps provided below are intended as further protection beyond consent.
- Ensure that the contract for using Google Analytics is finalized with Google Ireland Limited and not Google LLC in the United States. This way, the transferred data stays within the EU.
- Implement the updated SCCs (also known as the "new SCCs") issued by the European Commission as it factors in GDPR compliance and the Schrems II ruling. In addition, make sure that, where applicable, SCCs and their annexes are completely filled out and signed.
- Review your global data flows and conduct a case-by-case analysis of the privacy risks involved in each data transfer. This helps you determine whether additional safeguards are needed to supplement your SCCs and protect transferred data from government surveillance.
- If needed, provide additional safeguards to protect personal data, making sure to follow the recommendations released by the European Data Protection Board (EDBP).
- Make sure you properly encrypt and anonymize data wherever possible. This applies to all unique user identifiers including IP addresses and browser parameters.
- As an added measure, ensure that the data sharing and signal options in Google Analytics remain deactivated.
- Finally, make sure you stay up-to-date on data transfer trends, as further guidance is expected in the coming months.
Although the European Commission and the U.S. government have taken measures to ensure a safe, legal way to facilitate data transfers, it remains to be seen whether the new transatlantic framework will stand the test of time.
Privacy advocates like Max Schrems remain skeptical about the new data transfer framework, claiming that in the long run, there are only two options:
"In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator - not to anyone in Europe."
Whatever the outcome, this series of events serves as an important reminder for your business to be proactive in its GDPR-compliance efforts by:
- Taking every reasonable measure listed above to protect personal data while using Google Analytics and during international data transfers
- Staying updated on trends within the industry and complying with the required policies once official guidelines are released by the European Commission or the EDPB