For years now, privacy and data compliance advocates have been calling on tech giants like Facebook, Google, and Amazon to take data protection laws seriously. When the General Data Protection Regulation (GDPR) came into effect in 2018, it legally mandated all companies serving EU residents to reform their data processing activities. Over the last four years, the GDPR has become the global standard for data protection, with several pieces of legislation drawing their inspiration from it.
The way the GDPR is written is broad, on purpose it attempts to be future-proof and not to have a simple list of elements that are considered to be personal data. It states that personal data means any information relating to an identified or identifiable person, and indicates that it includes if someone can be identified directly or indirectly.
Exactly how broad this is is becoming clearer as rulings appear that help to define just how broad these terms can be - and this brings us to Google Analytics and other systems that collect elements of information that are designed to be collated together with other known information - at what point have you collected enough to identify an individual and at what point does a single element therefore become personal data because it can be collated together with other data? So as per the definition of personal data under the GDPR, as long as there remains the slightest possibility of identifying an individual after taking into consideration all means likely reasonably to be used by the data controller or by any person, the information is qualified as personal data and is subject to data protection requirements under the GDPR.
On 13 January 2022, Google Analytics, the popular tool within the digital marketing industry received a ruling that stated that it violated GDPR because it transfers data to USA that could subsequently be intercepted or requested by US law enforcement authorities and EU citizens do not have any appropriate recourse to a US court or ombudsman to challenge.
How did it come to this? What led to such a drastic measure? And if you use Google Analytics, what should you do?
A Name to Remember
Anyone that successfully manages to successfully challenge a name like Facebook has arguably won the acclaim of data protection activists for life. Max Schrems has repeated the feat. His latest case against Google is based on similar grounds, arguing that the manner in which Google Analytics operated, specifically how it collects and transfers data on EU residents to the US, is in violation of GDPR statutes regarding the transfer of data collected in the EU to other jurisdictions because data subjects are not aware of the data collection and processing taking place.
A Brief Background
Why now? It's not like Google Analytics began operating and collecting data on EU citizens last month. It has been doing so for years now. So why is it only now that it has faced such a remarkable repercussion?
It has to do with three separate pieces of agreements and legislation.
The first is the International Safe Harbor Privacy Principles. It was formulated back in 1998 when issues related to online data privacy were less prone to public scrutiny. Under the agreement, companies that stated (and registered themselves) they complied with the Safe Harbor principles could transfer data from the EU to the US.
However, when Max Schrems complained that data collected by Facebook was insufficiently protected, Safe Harbor was invalidated as an adequate protection mechanism for data transfers from the EU to the US (European Court of Justice - October 2015). This ruling became known within the public as The Schrems Ruling - though is now typically referred to as "Schrems I" At the same time, the European Commission and the US Government began working on a new agreement. One that would afford more protection to data being collected. This came to be known as the EU–US Privacy Shield.
The EU–US Privacy Shield did mark a significant improvement upon the International Safe Harbor Privacy Principles. However, concerns over data collection practices, deletion of data, and the role of new intermediaries remained.
Max and privacy groups kept on vehemently opposing the Privacy Shield framework, and the Court of Justice of the European Union (CJEU) issued its final verdict in the case, and struck down the Privacy Shield framework for the lack of adequate protection measures in place for data privacy of EU residents, such as an independent ombudsman for US organizations that EU citizens can refer to and that each US State has differing data protection laws none of which have been considered “adequate” (similar) to GDPR in the breadth of rights for data subjects. This case came to be known in the public court of opinion as "Schrems II".
But why were privacy advocates in the EU so convinced about the lack of data privacy for EU residents' data being transferred to the US? In part, this relates to the USA law The Foreign Intelligence Surveillance Act (FISA)
FISA allows US intelligence agencies to conduct surveillance and request any information on “persons reasonably believed to be outside the United States” and applies “to providers of electronic communications services.” In other words, once data is transferred from the EU to the US, any US intelligence agency can have access to it.
Back to Austria
NetDoktor is a medical website. It uses Google Analytics to create cookies to track the behavior of users on the site.
However, the issue is whether the data Google Analytics collects on users, such as their IP address, can be “potentially” used to identify the user.
Now, an Austrian court has passed its ruling, (referred here) declaring the methods used by Google Analytics to be highly invasive and in violation of Article 44 of the GDPR concerning the transfer of data. Google argued that the data transferred was not personal data as this data on its own, could not be used, nor had it been used, to derive an individual's identity. However, NOYB successfully argued that this data, in addition to other data also held or transferred by Google Analytics, could identify an individual.
Google’s extensive employment of supplementary measures to protect the transferred EU personal data was considered irrelevant by the Austrian Court, which held that, despite these extensive measures, the transferred personal data of EU citizens was still at risk of unwarranted surveillance by US intelligence agencies due to FISA and therefore personal data transfers to Google Analytics fell foul of the CJEU’s judgment in Schrems II.
What Next?
The Dutch Authority for Personal Data (AP) has already updated its guide on using Google Analytics, reflecting the dim and almost non-existent future for Google Analytics in the Netherlands and the EU. There is a scant chance of either the FISA or the GDPR being repealed or amended anytime soon. Hence, the onus is on Google itself or its customers, the web site owners, to amend their data practices vis-a-vis Google Analytics.
The CNIL, France’s data protection authority has followed suit and declared Google Analytics to be in breach of GDPR with the following statement,
“The CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service [Google Analytics] is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions."
This should be a wake-up call for businesses, big and small, to rethink their approach towards data privacy and compliance.
What Can I Do?
This IAPP article is a great source of more information and recommendations, specifically individual consent. https://iapp.org/news/a/what-do-the-google-analytics-enforcement-cases-mean-for-privacy-compliance/
For individual consent, see below:
If you are using Google Analytics on your website, you need to make this clear to data subjects and allow them to opt in of data collection via Google Analytics. Analytics cookies or audience measurement cookies are “non-essential” cookies as per the guidelines of Irish, UK, and Finnish regulatory authorities and should be classified as such. This is because of the reason that analytics cookies are used as measuring tools for websites - they can collect information about how people access an online service, the number of users on a website, how long they stay on the site for, and what parts of the site they visit.
As per the French regulatory authority's guidance, audience measurement cookies can be essential cookies only if they are strictly limited to the sole measurement of the audience on the site for the exclusive account of the website publisher and produces purely anonymous statistical data. However, where such cookies track the navigation of the person using different applications or browsing different websites or allow the data to be cross-checked with other processing or for the data to be transmitted to third parties, then, under those circumstances, those cookies are not essential.
Since the criteria for analytics or audience measurement cookies is strict, extra care must be adopted while categorizing them as either essential or non-essential and as a general rule, they should be placed in the non-essential cookie category.
This requires reviewing your current privacy notices and if you previously considered Google Analytics to be an “essential” cookie, moving it to the “non-essential” cookie category ultimately allowing users to select (opt-in) and decide whether to accept GA as an individual cookie.
Securiti is a market leader in providing enterprise solutions related to data compliance, including cookie consent, privacy notices, and universal consent that can help you remain compliant with data protection regulations around the world.
Request a demo today to see Securiti's plethora of data privacy tools in action.
