A decision by the Austrian Data Protection Authority (DPA) is currently causing a stir in the marketing and data protection world. The DPA considers the use of Google Analytics on the website at issue to be a violation of the GDPR provisions on third-country transfers and therefore unlawful. But what does the decision from Austria mean for the use of Google Analytics by German companies?
Google Analytics has always been the subject of data protection debate. Since the GDPR became applicable (May 2018), the discussion initially revolved mainly around the legal basis for the processing (see most recently the German Data Protection Conference (DSK) with its "Notes on the use of Google Analytics in the non-public sector" of 12 May 2020), around a data protection-friendly configuration (in particular shortening of the IP address by means of the "_anonymizeIp()" function) and around the correct fulfilment of the information obligations under Art. 13 GDPR.
With the invalidation of the EU-U.S. Privacy Shield (adequacy decision pursuant to Art. 45 GDPR) by the ECJ's Schrems II judgment (16 July 2020, Case C-311/18), the question of data transfers to the U.S. and their lawfulness under Art. 44 et seq. GDPR has been in focus since summer 2020. The Austrian data protection supervisory authority now had to deal with precisely this question (partial decision of December 2021, published on 13 January 2022).
Subject matter and core statements of the proceedings in Austria
The complaint procedure was initiated by the data protection NGO "None of Your Business" (noyb), co-founded by Max Schrems. The proceedings are part of the so-called "101 complaints", an EU-wide campaign launched by noyb in August 2020 against the use of Google Analytics and Facebook tools on websites.
The complaint was directed against both the operator of a website (first respondent) and Google itself (second respondent). The complainant had visited the first respondent's website in August 2020 while logged into his Google account, which in turn was linked to his email address. The website embedded HTML code for Google services (including Google Analytics), so that in the course of the visit the first respondent processed personal data via the free version of Google Analytics, at least the complainant's IP address and cookie data (unique user identification numbers and browser parameters), and transmitted some of this personal data to Google LLC in the USA. The IP anonymisation function had not been implemented correctly.
The main statements of the decision are:
- The online identifiers on which the complaint procedure is based are personal data (at least in combination with further information), since individualisation of the data subject and identification of the website visitor is possible for Google (in the case of a parallel Google account login) and for the US authorities in the context of their intelligence surveillance activities (cf. p. 26 et seq. of the decision);
- The data transfer took place between the website operator as controller/data exporter and Google LLC as processor/data importer;
- The "supplementary measures" (of a technical, organisational and contractual nature) that Google had taken in addition to the standard contractual clauses were not suitable to eliminate the monitoring and access possibilities of US intelligence services to which Google LLC is subject, as a provider of electronic communications services within the meaning of 50 U.S. Code § 1881(b)(4), under 50 U.S. Code § 1881a ("FISA 702") (p. 34 et seq. of the decision).
Google LLC itself was not found to have violated the provisions of Chapter V of the GDPR: as the data importer established in the USA, it performed no act of disclosure (transfer). The partial decision also makes no findings on possible violations by Google LLC in its role as processor pursuant to Art. 5 et seq., Art. 28(3)(a) and Art. 29 GDPR; these questions are reserved for separate proceedings.
The IP anonymisation function that can be activated when using Google Analytics was not relevant in the present case because it had not been implemented correctly; apart from that, the DPA held that the IP address is in any event only one of many "puzzle pieces" of the complainant's digital footprint, so that shortening it would not have removed the identifiability resulting from the other identifiers.
Since the website's domain was sold to a German company in the course of the proceedings, the DPA will refer the matter to the competent German supervisory authority (the Bavarian State Office for Data Protection Supervision, BayLDA) as regards possible corrective powers under Art. 58(2) GDPR.
noyb has also filed several complaints in Germany (including a total of five concerning Google Analytics), so decisions by the German state supervisory authorities can be expected in the coming weeks as well.
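Because both the DSK notes and the Austrian decision turn on whether IP anonymisation was actually in effect, a practitioner will want to verify it on the wire rather than trust the tag configuration. In analytics.js the call ga('set', 'anonymizeIp', true) must precede the first ga('send', 'pageview'), in gtag.js the option anonymize_ip: true belongs in the gtag('config', ...) call, and in legacy ga.js it is _gaq.push(['_gat._anonymizeIp']); in every case a Universal Analytics hit sent with anonymisation active carries the Measurement Protocol parameter aip=1 in the request to /collect. The function only truncates the address (the last octet of an IPv4 address, the last 80 bits of an IPv6 address) before Google stores it, which is why the DPA treats it as only one piece of the puzzle. The following JavaScript (Node) is an added example, not code from the article or from Google: it audits a list of captured collect request URLs and reports every hit that left without aip=1. The URLs and the tracking ID are constructed sample data modelling a page that sets anonymizeIp only after its first pageview.

```javascript
// Added example (not from the article or from Google): audits captured
// Universal Analytics "collect" requests for the anonymize-IP flag.
// In the Measurement Protocol (v1) used by analytics.js/ga.js, a hit that was
// sent while IP anonymisation was active carries the parameter "aip=1".
// The request URLs below are CONSTRUCTED sample data: a page that calls
// ga('set', 'anonymizeIp', true) only AFTER its first ga('send', 'pageview'),
// so the first hit leaves without the flag. The tracking ID is a placeholder.
const sampleHits = [
  "https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&cid=555.1234&t=pageview&dp=%2Fstart",
  "https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&cid=555.1234&t=event&ec=nav&ea=click&aip=1",
  "https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&cid=555.1234&t=pageview&dp=%2Fnext&aip=1",
];

// Classifies one request URL. Returns null for anything that is not a
// Universal Analytics collect hit (other hosts, other paths, or GA4's
// /g/collect endpoint, which uses a different protocol and is not covered here).
function classifyHit(rawUrl) {
  const url = new URL(rawUrl);
  if (url.hostname !== "www.google-analytics.com" || url.pathname !== "/collect") {
    return null;
  }
  const p = url.searchParams;
  return {
    hitType: p.get("t") || "unknown",   // pageview, event, ...
    clientId: p.get("cid"),             // the _ga cookie value, itself an identifier
    anonymized: p.get("aip") === "1",   // true only if the hit asked for IP truncation
  };
}

// Audits a list of request URLs (e.g. exported from the browser's network tab
// or a HAR file) and returns every UA hit that was sent without aip=1.
function auditCollectHits(urls) {
  const findings = [];
  urls.forEach((u, index) => {
    const hit = classifyHit(u);
    if (hit && !hit.anonymized) {
      findings.push({ index, hitType: hit.hitType, clientId: hit.clientId });
    }
  });
  return findings;
}

const findings = auditCollectHits(sampleHits);
console.log(
  findings.length === 0 ? "all UA hits carry aip=1" : `${findings.length} hit(s) sent without aip=1:`,
  findings
);
```

Run it with node against URLs exported from the browser's network tab or a HAR file; a non-empty result means at least one hit carried the visitor's full IP address to Google, which is the situation the Austrian decision describes. The check only confirms what the browser asked for; whether the data importer honours the flag is outside the website operator's control, which is precisely the DPA's point about the remaining identifiers.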
Initial assessment of the decision
First of all, it should be noted that the decision was issued by the supervisory authority of another EU member state and therefore has no direct effect on the use of Google Analytics in Germany. The authority also states in the partial decision that it does not take into account the new standard contractual clauses adopted by the EU Commission in June 2021.
When examining the "supplementary measures" intended to ensure an essentially equivalent level of protection alongside the standard contractual clauses, the supervisory authority closely follows the European Data Protection Board's (EDPB) "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data". Unsurprisingly, it therefore concludes that as long as the data importer can access the data in plain text, technical measures (in particular encryption "at rest") cannot be considered effective in preventing or limiting access by US authorities; under the EDPB's recommendations, encryption only counts as an effective measure where the keys are held exclusively by the exporter or by an entity in the EEA, which is not the case when the importer itself decrypts the data to provide the service. The other contractual and organisational measures put forward by Google in the proceedings (e.g. notifying data subjects of data requests or reviewing each access request) were likewise not considered appropriate supplementary measures by the DPA.
In addition, the DPA notes that no pseudonymisation measures within the meaning of Recital 28 GDPR were in place: the identifiers on which the complaint procedure was based were explicitly used to make individuals distinguishable and addressable, not to disguise or remove identifying data so that the data subjects could no longer be addressed.
The DPA did not address the question of how likely access by US authorities to the data at issue actually is, or what bearing that likelihood has on the lawfulness of the transfer. This risk-based element can be found in the new standard contractual clauses (clause 14) and in the updated EDPB Recommendations 01/2020 (para. 43 et seq.).
It remains to be seen to what extent the new standard contractual clauses allow a different assessment of the use of Google Analytics, in particular because of the possibility of taking the likelihood of access into account and of involving Google's Irish entity, which has been the provider of Google products and tools in Europe since April 2021, via the new Module 3 (processor-to-processor), provided that a third-country transfer actually takes place between the Google companies. So far there are no meaningful recommendations from the supervisory authorities as to which obligations the website operator as controller has when accepting this transfer constellation. The website operator's responsibility under data protection law remains the same in this constellation, however.
It also remains to be seen whether the additional standard contractual clauses announced by the EU Commission for data importers that are already directly subject to the GDPR under Art. 3(2) GDPR will bring anything new.
Website operators who continue to use Google Analytics on their websites should closely follow the decisions on Google Analytics expected from the German state supervisory authorities in the medium term. Particular attention should be paid to whether the German complaint proceedings were conducted under different circumstances (in particular without a parallel Google account login and with IP anonymisation activated) and whether this leads to different assessments. It is to be expected, however, that the further decisions of the supervisory authorities will be issued in parallel, owing to the cooperation in a task force at EDPB level. The Dutch supervisory authority has already announced that the use of Google Analytics may soon no longer be permitted.
Given the increased attention now being paid to the use of Google Analytics, website operators should consider alternative courses of action and, if Google Analytics is to be used further, develop strategies for possible orders and measures by supervisory authorities and for possible claims for damages by data subjects under Art. 82 GDPR.
One possible course of action is certainly consent under Art. 49(1) sentence 1 lit. a GDPR, which can provide a justification for the data transfer. Here, controllers face the challenge of meeting the high requirements for informing data subjects in a transparent and meaningful manner about the transfer and its possible risks, and of obtaining the three required consents (Section 25(1) TTDSG (German Telecommunications-Telemedia Data Protection Act), Art. 6(1) sentence 1 lit. a GDPR and Art. 49(1) sentence 1 lit. a GDPR) via the consent management tool in a legally compliant manner. Consent under Art. 49 must be explicit and given after the data subject has been informed of the possible risks of the transfer, and the EDPB (Guidelines 2/2018 on derogations of Art. 49) treats the Art. 49 derogations as exceptions to be interpreted restrictively, so this route should not be regarded as a blanket substitute for a valid transfer tool.