Can Google Analytics still be used without any problems in the EU? What does the decision by the Austrian data protection authority mean and what does Google say about it? Find out more in our article and in an interview with data protection expert Maciej Zawadzinski.
It was a wake-up call for the entire digital scene: the Austrian data protection authority (DSB) found that integrating Google Analytics on websites violated the GDPR, which triggered uncertainty among users and raised numerous questions. Are companies still allowed to simply embed Google Analytics on their websites? And how can the problem of transferring personal data between the European Economic Area and the USA, which is described as illegitimate, be solved?
While further decisions that could classify Google Analytics as non-GDPR-compliant are expected in the future, the data protection activist Max Schrems, after whom the Schrems II judgment that was groundbreaking for this decision is named, says:
In the long run we either need decent data protection in the US or we will end up with separate US and EU products. Personally, I would prefer better protection in the US, but that is up to US lawmakers.
Handling personal data: Google insists on a new framework
After the DSB’s decision, many market participants are wondering to what extent they can currently rely on Google Analytics and which parties are ultimately responsible for which aspects of data processing. Google explains to OnlineMarketing.de:
People want the websites they visit to be well designed, easy to use and respect their privacy. Google Analytics helps retailers, government agencies, NGOs, and many more organizations understand how well their websites and apps are performing for visitors — but not by identifying individuals or tracking them across the web. These companies and organizations, not Google, control what data is collected and how it is used. Google supports you by providing numerous protection and control mechanisms as well as resources for compliance with legal requirements.
In a blog post, Google’s Director of Product Management, Russell Ketchum, documents how Google Analytics can act as a privacy-compliant solution. He cites various facts, including this: “Fact: Google Analytics supports companies and organizations with numerous control mechanisms and resources in complying with legal requirements.” In another post, Kent Walker, President of Global Affairs and Chief Legal Officer of Google and Alphabet, emphasizes that now that the Privacy Shield has been toppled, a new framework for data transfer between the EU and the USA is urgently needed. Kent Walker explains:
Businesses in both Europe and the US are looking to the European Commission and the US Department of Commerce to quickly finalize a successor agreement to the Privacy Shield that will resolve these issues. Both companies and civil society have been supporting reforms based on an evidence-based approach. The stakes are too high – and international trade between Europe and the US too important to the livelihoods of millions of people – to fail at finding a prompt solution to this imminent problem.
However, Google seems to want to shift the responsibility for the use of one of its most important services largely to politicians and third parties. Is that legitimate, or does the company actually have to fear restrictions on the usability of Google Analytics in the EU? We spoke to Maciej Zawadzinski, CEO of the privacy-centric analytics company Piwik PRO, to learn more about the status quo on Google Analytics. In the interview, he explains why users should act now and why services from Meta, Microsoft and Co. could also have data protection problems in the future.
OnlineMarketing.de: How big an impact do you estimate the data protection violations could have, given the widespread use of Google Analytics?
Maciej Zawadzinski: According to W3Techs, Google’s analytics market share is 86.5 percent, or in other words, nine out of ten companies in Europe will be affected.
This means that these companies have to find new analysis tools to process the data as usual. A tool that does not fall under cloud law and is not required to share the data with the US authorities. Another solution is to change the way data is collected by introducing additional explicit user consents for data exports.
The second option will probably be the case when there is a closer relationship with the end customer. Therefore, we believe that US-based CRM providers will be less affected by this ruling. It boils down to the fact that the basic trust between the brand and the user is already established when they are already further along in their customer journey.
Google would like to attribute responsibility for data processing to the respective user. In your opinion, is that a legitimate conclusion or does the company have to ensure compliance with all data protection rules by providing the infrastructure?
Google transfers responsibility to the company. It is the company that decides how to process the data (without much help from Google). The most sensible decision here is that the company informs users about the scope of processing and data transfer and gives them the choice.
Importantly, prior to the decision, the company has no right to enable Google Analytics so that no data is tracked. Introducing consent before launching GA is likely to result in significant data loss (our internal study shows up to 80 percent). Google and marketers fear giving internet users the right to choose.
In your opinion, do companies and users who rely on Google Analytics already have to legally check their data processing?
Yes, in any case! However, to our knowledge, Google does not offer its customers any custom terms and conditions and you cannot influence the functioning of Google Analytics. Personal or not, the service sends the data outside the European Economic Area. This means your rating isn’t significantly different than any other company using Google Analytics.
After the decision, what should website operators do as a first step to protect themselves legally when processing data with systems such as Google Analytics?
Start with consent. Introduce a pop-up window or bar asking for consent before deploying a solution that sends the data outside of the EEA. Then assess the situation and the opt-in rates. Decide if you need to find alternatives to your current solutions in Europe.
What consequences must users expect if they integrate and use Google Analytics if the GDPR violations are confirmed by a court, for example?
Fines under the GDPR are up to €20 million or four percent of global sales in the previous financial year, whichever is greater.
Should both Google and users be liable in the case of illegitimate transfers of personal data between the EU and the US?
Yes. Of course, Google has more resources to defend itself. As long as Google Analytics processes online identifiers, which by definition are personal data (e.g. IP addresses, cookie identifiers), they fall under the GDPR.
Do you think it is conceivable that Google Analytics would subsequently be classified as GDPR-compliant if Google could demonstrate an “adequate level of protection pursuant to Art. 44 GDPR”?
It would be possible on the basis of Art. 45, i.e. an adequacy decision by the European Commission with regard to transfers to the United States. As long as this is not the case, there is probably not much Google can do. The Standard Contractual Clauses did not apply in the case discussed here, and Google is unlikely to find any technical or organizational measure to circumvent US surveillance laws.
Can client IP addresses from the EU still be transmitted to Google in the USA under the current data protection regulations?
Yes, if you have the explicit consent of the users.
Could data processing entirely in the EU possibly solve the problem? Do you think Google would ever allow that?
The short answer is no. Google Analytics is similar to other Google services like Search and Ads. It’s not a localized service, which means you can’t host the service on Google Cloud Platform (GCP) in Germany, for example. If this were possible, Google could possibly add an additional layer of protection for the data, such as encryption. But: As long as Google has these encryption keys, it is legally obliged to release both data and keys to the US authorities (due to the Cloud Act).
There have been numerous complaints against Google Analytics, and a trend similar to that in Austria has already been observed in the Netherlands in terms of data protection violations. Do you think that courts and authorities in the EU will all decide similarly?
This case was not part of the one stop shop procedure, but as far as we know there is a task force to coordinate local data protection authorities to decide similarly on other complaints in the rest of the EU countries. It looks like the next similar decision will be made in the Netherlands.
Do you think the decision from Austria could be a kickstarter for similar decisions against US companies? That means, could services from Microsoft, Meta and Co. also be declared non-compliant with data protection in the future?
Yes. Keep in mind that Google Analytics is just one example of tools that collect masses of data. I think the impact could also affect ad technology tools like Facebook Connect, Google Ads or content serving technologies like fonts, captcha or CDNs. With CRM providers like HubSpot or Mailchimp, there would be less repercussion as they will simply adjust the wording of the consent to correctly reflect the data transfers (if this is not already their normal business practice).
We would like to thank Maciej Zawadzinski for the insights in the written interview.