Is Google Analytics Illegal in the UK and EU?

With CNIL (the French Data Protection Authority) following the lead of Austria’s DSB and the EU’s own EDPS in ruling that the use of Google Analytics, as currently set up, is contrary to GDPR, we take a look at these three key decisions from European regulators, Google’s response, and what you’re likely to be considering at your organisation.

Schrems II spawns NOYB 101

These decisions were the result of complaints filed by Max Schrems’ organisation NOYB – 101 complaints in fact, against transfers to Google and Facebook, so we expect many more decisions to come. European regulators even set up a taskforce to process them.

We need to return briefly to the CJEU’s ‘Schrems II’ decision of July 2020, which struck down Privacy Shield (the adequacy decision for the US) and immediately made transfers of personal data to cloud providers in the States ‘problematic’ (the word most often used) under both the EU and UK GDPR.

In summary, the CJEU said that if your US cloud provider could see your personal data in plain text, you couldn’t make the transfer unless you could apply something called ‘supplemental measures’. These had to rule out the possibility of the US government using its surveillance laws (such as FISA Section 702) to get hold of the data.

(You could also rely on explicit, informed consent or one of the other Article 49 derogations for specific situations – neither being a practical or strategic solution for regular transfers.)

The EDPB slowly came out with draft Recommendations (which didn’t help much) and then a final document that seemed to offer commercial organisations some hope, as it opened the door to a risk-based approach after all.

We’ll see what these 3 decisions have to say about that in a moment.


Why Google Analytics?

You’ll know Google Analytics – it’s the world’s most widely-used web analytics platform, with almost 30 million companies as of Feb 2022 actively using the platform to track how people use their site [BuiltWith, 2022].

It’s used by companies to gain insights into user and buyer behaviour, to make data-driven decisions in their Sales and Marketing. And it does so using cookies.

The issue is that, when you use GA, you’re sending personal data to Google. As the EDPS stated:

‘Tracking cookies, such as the Stripe and the Google analytics cookies, are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection.’

And that’s Google in the USA which, being an American corporation, is subject to US surveillance law. Again, as the EDPS noted:

‘For the period between 30 September and 4 November 2020, during which the trackers remained on the website, personal data processed through them were transferred to the US, where both Stripe and Google LLC are located. The conclusion that transfers to the US took place is reinforced by the circumstance highlighted by the complainants, according to which, ‘all data collected through Google Analytics is hosted (i.e. stored and further processed) in the USA’.’

NOYB was going for low-hanging fruit.

Let’s look at the decisions a bit more.


The EDPS

In October 2020, the European Data Protection Supervisor (EDPS) received complaints from members of the European Parliament, followed by a complaint from NOYB in January 2021, about the Parliament’s internal coronavirus testing website.

For our purposes, the complaints focussed on the cookie banners, vague data protection notices, and the transfer of resulting personal data to the United States.

A year later, as we saw above, the EDPS found that personal data had been collected and transferred to Google in the US. Post Schrems II, the European Parliament should have had documentation to hand showing whether supplemental measures could address the problems with US surveillance law, and what those measures were.

However:

‘the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.’

On that basis, the European Parliament had failed to comply with the rules on transfers (in its case, the EU institutions’ equivalent of the GDPR, Regulation (EU) 2018/1725, which mirrors the GDPR’s transfer rules).


Austria

In January 2022, the Austrian Data Protection Authority (‘Datenschutzbehörde’ or ‘DSB’) was the first EU Member State regulator to issue a decision resulting from one of NOYB’s 101 complaints.

The complaint had been filed on 18 August 2020, just a month and two days after the Schrems II decision.

The DSB’s case concerned GA running on a health website in Austria, and a website visitor logged into their Google account. Again, cookies were dropped and information was sent to Google in the US, leading to the same decision that the transfer was contrary to GDPR.

But the Austrian decision is interesting for a couple of reasons. First, the DSB looked at the SCCs and supplemental measures in place and confirmed (NOYB’s translation):

‘Insofar as the technical measures are concerned, it is also not recognizable (…) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law.’

This is the unpopular truth: no amount of contractual wording, internal review or physical security can override a legally binding order served on the provider.

And secondly, according to NOYB’s case summary, the DSB noted that ‘The fact that Google allows a user to opt in and out of personalized ads shows that Google LLC possesses all means to identify the data subject.’


France

After a series of complaints, the French Data Protection Authority, CNIL, this month also declared that the use of Google Analytics breaches Articles 44 et seq. of the GDPR. It stated that the privacy of French citizens is put at risk when their data is sent to the US while they browse websites that use the platform.

CNIL stated simply: ‘The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions.’

In its decision, CNIL noted that various information could be combined to identify the individual, that it’s not necessary to be able to know the name and address for a person to be identifiable, and that Google received further information when a website visitor is logged into their Google account at the time.

CNIL also reviewed the additional measures put in place by Google and held that they ‘are not sufficient to exclude the accessibility of this data for US intelligence services’.

It can’t have helped that CNIL couldn’t find any confirmation from Google whether anonymisation of IP addresses happened before or after transfer.

Interestingly, CNIL also:

  • noted that Google holds the encryption keys, and so could be compelled to provide access to the data if ordered, and
  • held that UUIDs are not pseudonymised data: their whole purpose is to identify individuals.
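To make the regulators’ point concrete, here is a small inspection script. It is an added example for this article, not code from Google or from any of the decisions. It parses a `_ga` cookie and a captured Google Analytics hit URL and reports what actually leaves the browser: a persistent per-browser client ID, the page visited, and whether the `aip=1` (‘anonymize IP’) flag was even requested. The cookie layout (`GA1.<depth>.<random>.<first-visit timestamp>`) and the `cid`, `tid`, `uid`, `aip` and `dl` query parameters are assumed from the public Measurement Protocol; the sample cookie header and hit URLs are constructed for illustration.

```python
"""Inspect what a Google Analytics cookie and hit actually carry.

Added example for this article, not code from Google or from any of the
regulators' decisions. Sample cookie and hit URLs are constructed; the
`_ga` cookie layout and the Universal Analytics / GA4 query parameters
(cid, tid, uid, aip, dl) are assumed from the public Measurement Protocol.
"""
from datetime import datetime, timezone
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the Cookie header a browser sends back to the site,
# and the hit the GA JavaScript then sends to Google for one page view.
SAMPLE_COOKIE_HEADER = "_ga=GA1.2.1234567890.1612345678; _gid=GA1.2.987654321.1645000000"
SAMPLE_HIT_PLAIN = (
    "https://www.google-analytics.com/collect?v=1&tid=UA-12345-6"
    "&cid=1234567890.1612345678&t=pageview"
    "&dl=https%3A%2F%2Fexample.org%2Ftest-results&dt=Results"
)
SAMPLE_HIT_AIP = SAMPLE_HIT_PLAIN + "&aip=1"


def parse_ga_cookie(cookie_header):
    """Return the client ID stored in the `_ga` cookie, or {} if it is absent.

    Layout: GA1.<domain depth>.<random>.<first-visit unix time>.
    The last two fields together form the per-browser client ID that every
    hit to Google repeats as `cid`.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "_ga" not in jar:
        return {}
    raw = jar["_ga"].value
    parts = raw.split(".")
    if len(parts) != 4 or parts[0] != "GA1":
        raise ValueError(f"unexpected _ga layout: {raw!r}")
    _, _, random_part, first_visit = parts
    return {
        "client_id": f"{random_part}.{first_visit}",
        "first_visit": datetime.fromtimestamp(int(first_visit), tz=timezone.utc).isoformat(),
    }


def inspect_ga_hit(url):
    """Extract the identifier-bearing and IP-related fields from a GA hit URL."""
    u = urlsplit(url)
    if not (u.hostname or "").endswith("google-analytics.com"):
        return {"is_ga": False}
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "is_ga": True,
        "endpoint": u.path,                   # /collect (UA) or /g/collect (GA4)
        "property": q.get("tid"),             # UA-... or G-... property ID
        "client_id": q.get("cid"),            # pseudonymous but persistent
        "user_id": q.get("uid"),              # present only if the site passes its own ID
        "anonymize_ip": q.get("aip") == "1",  # IP truncation *requested* of Google
        "page": q.get("dl"),
    }


def assess(cookie_header, hit_url):
    """Cross-check cookie and hit; return the findings a DPO would ask about."""
    cookie = parse_ga_cookie(cookie_header)
    hit = inspect_ga_hit(hit_url)
    if not hit["is_ga"]:
        return ["not a Google Analytics hit"]
    findings = []
    if cookie and hit["client_id"] == cookie["client_id"]:
        findings.append(
            f"persistent client ID {hit['client_id']} (first seen {cookie['first_visit']}) "
            "is transmitted to Google on every hit"
        )
    if hit["user_id"]:
        findings.append(f"site-assigned user ID {hit['user_id']} is also sent")
    if not hit["anonymize_ip"]:
        findings.append("aip=1 not set: the full client IP reaches Google's collection endpoint")
    else:
        findings.append("aip=1 set: truncation is applied on Google's side once the request "
                        "has arrived, i.e. after the transfer")
    if hit["page"]:
        findings.append(f"page URL {hit['page']} is sent alongside the identifier")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_COOKIE_HEADER, SAMPLE_HIT_PLAIN):
        print("-", finding)
```

Run against your own site by pasting a real `Cookie` header and a `collect` request URL from the browser’s network panel. Note that even with `aip=1` the hit still carries the stable client ID and the page URL, which is exactly why the DSB and CNIL did not treat IP truncation as resolving the transfer.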


Google’s response

As well as Google’s responses in the cases themselves, Kent Walker (President, Global Affairs & Chief Legal Officer, Google & Alphabet) responded in January 2022 with:

  • a clear wish for a Privacy Shield replacement, and
  • a firm claim that Google’s supplemental measures are indeed sufficient for Schrems II.

He also held firm to the fact that Google has been supporting businesses with Google Analytics for 15 years and, in that time, they’ve ‘never once received the type of demand the DPA speculated about’, referring to the Austrian DSB’s decision.


So, what about risk?

Well, these decisions do not look good for the risk-based approach.

  • The EDPS didn’t even discuss the risk to individuals of their data being accessed by the US authorities.
  • The DSB held that the measures did ‘nicht beseitigen’ (‘not eliminate’) such access.
  • Like the DSB, CNIL held that none of the measures ‘exclude’ such access.


What does this mean for you?

It’s very hard to disagree with these 3 decisions – given Schrems II and that the DPAs held there were transfers.

Unless and until the architecture and data flow for GA change to resolve these transfer issues (and it’s important to note that Google has just made changes intended to make GCP a 100%-European service in an effort to meet Schrems II), you’re running a risk if you use GA in the UK or EEA.

There’s lots of chatter on LinkedIn and in email lists on alternatives. We ourselves use Matomo, but there are many others. Regardless of the tool you choose, you have to abide by the rules on consent.


Keepabl’s “Schremsification”

As a Privacy Management Software provider, we should lead by example in choosing the cloud providers we work with. That’s why we embarked on our own ‘Schremsification’ journey.

So far, we’ve migrated our entire data centre to be housed in AWS UK, using AWS equivalents of Sendgrid, New Relic and similar US-origin services. And, outside the app, we’ve for example changed our CRM, email marketing platform and meeting planner to include providers in the EEA or adequacy countries.

For news on which products we chose, and why we chose them, sign up to our newsletter below. We’ll be putting out information there in the coming months.


Want to make sure your business stays GDPR compliant?

Why not choose Keepabl’s Privacy Management Software to help you on your compliance journey?

Our solution helps you to create a robust privacy framework, while managing risks and handling GDPR breaches, allowing you to operate stress-free knowing your GDPR compliance is in check. You’ll also see in our case studies that Keepabl users get the benefits of substantial savings in time and cost. Bonus!

Why not go ahead and request a demo or free trial of our service?

And, as always, we’d love you to get in touch with any questions.
