Google Analytics under the microscope as Austria rules on data protection

Dutch ruling is imminent

Since January 2022, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP) has issued a grave statement in its manual for setting up Google Analytics in a privacy-friendly way: “[The] use of Google Analytics may soon not be allowed.” It alludes to an anxious, ongoing debate about whether the US-based web-analytics service treats data in a way that complies with the European GDPR (General Data Protection Regulation). Under the famous Schrems-II decision by the Court of Justice of the European Union, personal data transfers to the US are subject to restrictions. This now also affects Google Analytics.

The AP’s statement followed a ruling by Austria’s counterpart to the AP, the DSB, on the use of Google Analytics by organisations in Austria. The DSB found that, by using the service, personal data is exported to the United States. For that reason, it says, organisations cannot guarantee the fundamental rights of people in Europe in the context of the Schrems-II judgement of the Court of Justice of the European Union. This reasoning also extends to the parties receiving the personal data.

In the Netherlands, the AP has investigated two complaints about the use of Google Analytics and is finalising its legal procedure before communicating the outcome. The AP expects to announce “somewhere in 2022” whether the use of Google Analytics is allowed (it had initially said it would share the outcome in “early 2022”). Until the authority publishes its findings, we have only a strong indication that Google Analytics, in its current configuration, may be deemed not GDPR-compliant and not allowed.

The Dutch AP is not the only regulator following Austria towards firm conclusions. Norway’s Data Protection Authority is conducting its own investigation. In France, the Commission Nationale de l'Informatique et des Libertés (CNIL) has followed Austria’s example and issued a ruling of its own. These initiatives, and the wider debate they revolve around, send a clear message that use of Google Analytics across the EU may well become problematic.

Analytics services and the GDPR

Regardless of what the AP comes to decide, there are risks to sharing personal data with certain organisations. This does not just apply to Google, but also to Facebook, Microsoft, and Adobe’s analytics tools.

Austria’s DSB has offered the following explanation of what it interprets as against the law:

  • Use of website visitors’ combined data (IP addresses, browser data, user IDs): the DSB classifies this combination as personal data, despite Google’s defence that it takes measures to anonymise these details.
  • The processing of that personal data in the US: this contradicts the GDPR, because no adequate level of protection can be offered, including against access by US intelligence agencies.

Cloud service providers that are (even partially) located in the US, or are part of an American organisation, can be in scope here. Under US law, many of these service providers must give the US government access to that personal data on request, without being allowed to inform the user. If that user is in Europe, they lose fundamental rights that apply in the EU. The recent developments on a Transatlantic Data Agreement between the EU and the US could resolve this, but do not yet provide any certainty.

Transatlantic Data Agreement

The Transatlantic Data Agreement is intended to be the ‘next treaty’ governing the exchange of (personal) data between the EU and the US. Its predecessors, Safe Harbor and Privacy Shield, were invalidated by European courts. Currently, the treaty does not exist and is an agreement in principle only: there is no information on the anticipated text.

Motives: The EU and US have many transatlantic data flows, and any hindrance to these flows has an economic effect. The EU requires that a level of data protection equivalent to its own be applied. The economic value of transatlantic data flows is estimated at USD 7.3 trillion, and important global political motives also influence the EU-US relationship beyond direct economic reasons.

Criticism: An important criticism by Max Schrems’ organisation None Of Your Business (NOYB) is that it is a political announcement and not an agreement. In addition, no legal solutions are offered to the Schrems-II issues, as the US has not changed its laws. It is doubtful that a legal solution will be provided and, if one is, whether it would survive a Schrems-III judgment.

What will the Autoriteit Persoonsgegevens do?

It is difficult to predict what the AP will do. We anticipate any of the following three scenarios unfolding (in order from most to least probable).

  • Scenario 1 (possible/probable): The AP follows the DSB’s and CNIL’s leads, by regarding exporting data to the US as a risk; data transfer is prohibited without additional measures.
  • Scenario 2 (possible): The AP withdraws its “privacy-friendly manual” but does not make a broad statement about Google Analytics; it states only that adequate measures must be taken, as determined on a case-by-case basis.
  • Scenario 3 (possible/unlikely): The AP states that privacy is sufficiently guaranteed by its “privacy-friendly manual”. (This is unlikely partly because it requires coordination between the various EU data protection regulators.)

In addition, it is quite possible that Google will come up with a suitable solution in the form of more controls for end users. It will probably be a long time before a regulator analyses such controls, which could buy time for organisations to gauge their risk exposure when it comes to processing data.

What can you do now? Assessing risk and exploring options

Kent Walker, Google and Alphabet’s president of global affairs and chief legal officer, expressed surprise at Austria’s decision, arguing that “Google has offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received the type of demand the Data Processing Agreement speculated about.” Now that we know that use of Google Analytics must be analysed in light of the Schrems-II ruling, the guidance of the European Data Protection Board (EDPB) can help assess whether you’re running a risk. Entities with broad risk exposure, such as government, healthcare and/or those in financial services may decide to take action by exploring alternatives to Google Analytics (see box).

The best way to directly gauge your risk exposure is by performing an assessment:

  • Create an overview so you know what data is used where and how. Investigate the locations where you process personal data, who handles it and where it is stored. Are any locations in the US? Are any of your third parties partly or fully US-owned companies? Must they hand over personal data to US government entities if requested?
  • Define your business needs for an analytics solution and map your alternatives. What will be the analytical, marketing and legal implications? What changes will you need to make if a switch becomes necessary? How do these fall in line with your overarching data strategy?

The tides of personal data processing are turning; what is critical now is to get an overview of your data solutions and identify what personal data is shared with service providers located in the US. Any ruling could not only impact use of Google Analytics but also jeopardize other US (cloud) solutions that process personal data.

Beyond the assessment, with more European regulators ruling that Google Analytics is not GDPR-compliant, we recommend that Dutch firms define and agree on suitable alternatives to Google Analytics. Website analytics is an integral tool used by various organisational disciplines to gain customer insights and achieve marketing success; thus, any transition will affect many different stakeholders. If the Dutch AP decides that Google Analytics does violate the GDPR, this preparation makes any transition faster and better aligned with business needs.

Underlying many of these decisions is a data strategy that defines the effective, responsible, safe, and durable usage of data. Read more about it in our whitepaper ‘Building customer trust through human experience design and responsible data use’.

Analytics alternatives

There are alternatives that don’t present the same challenge as Google’s and Adobe’s analytics tools:

  • Piwik PRO Analytics: Piwik provides a complete package of analytics capabilities and integrates with over 20 DSPs and its proprietary Tag Manager and Customer Data Platform (CDP). Most importantly for this article, Piwik is an EU-based legal entity, provides data storage in the EU, and stored data is owned by the customer.
  • Mapp Intelligence: Mapp provides analytics capabilities in a visually attractive and intuitive interface and integrates with its digital marketing suite, which provides features for campaign management, cross-channel engagement, personalisation and lead generation. From a data privacy perspective, Mapp offers European data storage and customer data ownership, and is ISO 27001 and 27018 certified.
  • Snowplow Analytics: Snowplow focuses on collecting customer behaviour data, auditing and customising data at every stage of the data pipeline, and feeding it into your data assets such as Redshift and Snowflake. Since Snowplow is hosted on the customer’s own (cloud) premises, it provides total control over all data collected.

Google itself is also rolling out options for users to strengthen their privacy choices, including:

  • Google Analytics 4 (GA4), which makes events the central focus rather than users.
  • Google Tag Manager’s consent mode, which prevents tags from processing personal data without the visitor’s permission.

Limiting your risks, and then accepting the residual risk, is also an option. This does require a thorough assessment from the perspective of the person involved and acceptance by the organisation at the right level.