Austrian data protection authority considers the use of Google Analytics to be illegal
Is it still possible to use Google Analytics in a legally secure way? What options are there for companies to take action? And what are the effects for cooperation with other service providers in the U.S.? A recent decision by the Austrian Data Protection Authority (“DPA”) regarding Google Analytics raises some questions.
Data transfer to the USA violates Art. 44 GDPR according to DPO
In the opinion of the authority, the data that is transmitted to Google when using Google Analytics is personal data according to Art. 4 No. 1 DSGVO. This includes a unique online identifier (“unique identifier”), the URL and HTML title of the website as well as the subpages that the user has visited, information about the browser, operating system, screen resolution, language selection as well as the date and time of the website visit and ultimately the IP address of the device. According to the DPO, the transfer of data to Google LLC in the USA violates Art. 44 of the GDPR, as an adequate level of protection for the processing of personal data in the USA is not guaranteed. The standard contractual clauses concluded between the website operator and Google and the protective measures taken by Google do not provide adequate protection.
These are the options for action for companies
Companies are now called upon to act. First of all, it should be checked whether Google Analytics is actually needed. If only access to the website is to be recorded, this can be done using other analysis tools from European providers, some of which are free of charge.
If companies wish to continue using Google Analytics, explicit consent for the transfer of data to the USA should be obtained in the Consent Management Platform. This consent requires the indication that no data protection equivalent to the European level of data protection is guaranteed in the U.S. and that there is rather a risk that U.S. authorities access user data for control and monitoring purposes without the data subject having any legal remedies. It is unclear whether the consent of the data subject is sufficient from the perspective of the supervisory authorities. The same applies to the anonymize_IP function, which should, however, be activated in any case.
Other US service providers could also be affected in the future
The Google Analytics decision is a typical example of proceedings that will be observed more frequently in the future. U.S. service providers often only make do with rather “cosmetic measures” in dealing with the provision of data to U.S. authorities without making substantial changes to the processes. In such cases, the supervisory authorities are likely to reach results comparable to those in the Austrian DPO decision. Since companies often have no or very little influence on the design of the data processing processes at such U.S. service providers, there is a latent risk that the supervisory authority will assess this data transfer as impermissible and possibly sanction it. Therefore, EU companies should check whether non-EU service providers offer data localization in the EU or whether the desired service is not offered by an EU-based company right away. There are also alternatives to Google Analytics.
Data Transfer Impact Assessment is essential for companies
Companies should check again whether they have recorded all processes involving an international data transfer and assessed the permissibility of the data transfer. According to the case law of the European Court of Justice (ECJ) or the requirements of the standard contractual clauses, a data transfer impact assessment is required, which supervisory authorities can also request to be submitted during audits. In addition, the data protection notices must address the international transfer of data.
Political decision required
An agreement between the EU and the U.S. on the permissibility of transatlantic data transfer is called for and could make all this internal corporate effort superfluous. Negotiations on a Privacy Shield 2.0 are taking place – unfortunately, the end is not in sight.