March 02, 2022

First data protection authorities declare the use of Google Analytics illegal

Background

On 16 July 2020, the European Court of Justice (ECJ) ruled in its Schrems II judgment that transfers of personal data to the USA can no longer be based on the Privacy Shield. Since then, such transfers require a different legal basis. If data is to be transferred to third countries on the basis of standard contractual clauses and the rights of the data subjects in the respective third country do not enjoy an equivalent level of protection as in the EU, additional measures must be taken to achieve an equivalent level of protection.

About a month later, on 18 August 2020, the non-governmental organisation NOYB, founded by Max Schrems among others, filed 101 complaints with data protection authorities across Europe against various companies whose websites shared their users' personal data with Google and Facebook. The European Data Protection Board (EDPB) then set up a working group in which the data protection authorities of the individual member states worked together to deal with these complaints.

Recently, for the first time, a data protection authority issued a decision on one of these complaints: the Austrian data protection authority upheld the complaint and ruled that the transfer of personal data via Google Analytics violated the GDPR in this case. Somewhat later, the French data protection authority (CNIL) followed with a concurring decision.

What exactly did the data protection authorities decide?

The two decisions issued so far concern the use of Google Analytics by website operators in 2020. As part of using Google Analytics, the website operators had transmitted IP addresses and other so-called online identifiers (i.e. data by which users can be identified) of their visitors to Google LLC, based in the USA. Google Analytics is a widely used statistics tool for analysing website traffic. Among other things, it can be used to examine where visitors come from, how long they spend on individual pages and which search engines they used, in order to display individualised advertising to users.

In the process, the data is transferred to Google LLC in the USA. This is problematic because under US law, Google LLC can be compelled by US authorities to hand over personal data without legal protection being granted to data subjects who are not US citizens. For this reason, the United States is not considered a safe third country to which personal data can be transferred without further safeguards. European website operators, as data exporters, must therefore take additional measures to guarantee the security of the data.

The Austrian data protection authority has now ruled that a company cannot rely on standard contractual clauses when using the services of Google LLC for this purpose, as these do not provide an adequate level of protection in the specific case. The additional security measures taken by Google were not suitable to exclude the risk of access by the US authorities. Since no sufficient measures were taken overall to adequately protect the data, the transfer to Google in this case constituted a breach of the GDPR.

The French authority published a statement shortly afterwards that agreed with the decision of the Austrian authority. It called on the website operator against whom the complaint was directed to comply with the GDPR and, if necessary, to refrain from using Google Analytics in its current form. The website operator had one month to implement these requirements. The authority also recommends that comparable analysis services only be used to generate anonymous statistical data. In addition, the authority emphasised that these findings are not limited to Google Analytics, but can also be applied to other services that involve data transfers to the USA.

What do the decisions mean?

Since the data protection authorities from France and Austria have been working together with representatives of other European data protection authorities to deal with NOYB's complaints, it is to be expected that the other data protection authorities that have not yet commented on the matter will publish similar decisions. In Germany, too, voices had already been raised in recent years that were critical of the data protection conformity of Google Analytics. However, the German data protection authority has not yet issued a statement.

It can therefore generally be assumed that the use of services such as Google Analytics, which transfer personal data to the USA, violates the GDPR unless website operators take extensive measures to guarantee sufficient data protection. For this reason, the providers of such services must in future ensure that the data does not leave the European Union (at least in the direction of the USA). Until then, website operators are advised to use alternative analysis services hosted in Europe. Otherwise, there is a risk of a violation of the GDPR and severe penalties are to be feared.

If Google Analytics or comparable services nevertheless remain in use, website operators should at least

  • obtain the informed, voluntary, active and prior consent of users,
  • implement a simple and always accessible mechanism on their website for withdrawing consent,
  • inform users comprehensively about the processing of their personal data, and
  • anonymise the IP addresses of users before transmission, for example by shortening the IP addresses to be transmitted using the function "_anonymizeIp()".
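To illustrate the last point, here is an added example (not code from the article or from Google) of a server-side helper that shortens an IP address the way Google documents its IP anonymisation, zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, before the address is handed to any analytics service. The function names and the sample addresses are constructed for this example; shortening the IP address on its own does not remove the other online identifiers such tools transmit.

```javascript
// Added example (not from the article or from Google): shorten an IP
// address before it is passed to an analytics service. Mirrors the
// behaviour Google documents for its IP anonymisation: the last octet of
// an IPv4 address and the last 80 bits of an IPv6 address are zeroed.
// Function names and sample addresses are constructed for this example.

function anonymizeIPv4(ip) {
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
  octets[3] = "0";                       // drop the host part
  return octets.join(".");
}

function anonymizeIPv6(ip) {
  // Expand a "::" abbreviation to all eight 16-bit groups first.
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  const groups = [...head, ...Array(Math.max(missing, 0)).fill("0"), ...tail];
  const valid = groups.length === 8 &&
    (halves.length === 2 ? missing >= 1 : missing === 0) &&
    groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g));
  if (!valid) throw new Error(`invalid IPv6 address: ${ip}`);
  // Keep the first 48 bits (three groups); the remaining 80 bits become
  // zero and are written in compressed form.
  return `${groups.slice(0, 3).join(":").toLowerCase()}::`;
}

// Dispatch on address family; throws on anything that is not a plain IP,
// so a malformed value is never forwarded unshortened by mistake.
function anonymizeIP(ip) {
  const s = ip.trim();
  return s.includes(":") ? anonymizeIPv6(s) : anonymizeIPv4(s);
}

// Constructed sample input: what a request log might hand to the exporter.
const SAMPLE_CLIENT_IPS = ["203.0.113.42", "2001:db8:85a3::8a2e:370:7334"];
for (const ip of SAMPLE_CLIENT_IPS) {
  console.log(`${ip} -> ${anonymizeIP(ip)}`);
}
```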

However, even with such measures, further online identifiers are always transmitted, so the GDPR always applies and a breach of its provisions cannot be excluded.

If you have any questions about the rights and obligations arising from the GDPR, the use of services such as Google Analytics or the transfer of personal data to third countries such as the USA, we will be happy to help you.
