Is Google Analytics Illegal in the UK and EU?

With CNIL (the French Data Protection Authority) following the lead of Austria’s DSB and the EU’s own EDPS in ruling that use of Google Analytics, in its current setup, was contrary to GDPR, we take a look at these 3 key decisions from European regulators, Google’s response and what you’re likely to be considering at your organisation.

Update September 2022

There have been various other decisions from EU regulators since we wrote the blog below – all holding Google Analytics in the form reviewed was illegal under GDPR. Nothing new was really added, so we didn’t update this blog. But the latest decision, from the Danish regulator on 21 September 2022, has some interesting pieces to it worth updating.

So is it illegal or not?

The Danish regulator thinks so. Here’s their main statement:

‘The Danish Data Protection Agency has looked into the tool Google Analytics, its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.’

But they take pains to say they may not know of certain tricks one can use to make it legal. This is a bit unlikely given the detail they went into and that their decision is based on a multi-regulator approach championed by the EDPB.

There may be a way, but it’s tough

The Danish regulator refers to the possible use of a proxy server as set out by the French regulator, CNIL:

‘One possible technical measure that may be relevant when using Google Analytics is pseudonymisation. The French Data Protection Authority has created detailed guidance for organisations wishing to establish effective pseudonymisation by means of a so-called reverse proxy. The guidance can be found here: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr’

However, as CNIL itself notes: ‘The implementation of the measures described below can be costly and complex and may not always meet the operational needs of professionals.’
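To make the ‘reverse proxy’ measure concrete, here is an added example (not code from this post, CNIL or Keepabl) of the per-hit transformation such a proxy would apply before forwarding anything to the analytics vendor: the client IP, referrer and user agent are dropped, the page URL loses its query string, and the browser-generated client ID is replaced with a keyed hash whose key only the proxy holds. The parameter names (cid, uip, dr, ua, dl), the dropped-field set and the sample hit are assumptions modelled on a typical analytics collection request, not the vendor’s documented protocol.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed secret held only by the proxy (never shared with the vendor);
# in a real deployment load it from a secret store and rotate it.
PROXY_SECRET = b"constructed-example-secret-rotate-me"

# Assumed hit parameters that carry direct or indirect identifiers:
# client IP override, referrer and user-agent string. They are never forwarded.
DROP_PARAMS = {"uip", "dr", "ua"}


def pseudonymise_id(client_id: str) -> str:
    """Replace the browser-generated client ID with an HMAC-SHA256 digest.

    Same input gives the same pseudonym (sessions still join up), but without
    PROXY_SECRET the vendor cannot map the pseudonym back to the original ID.
    """
    digest = hmac.new(PROXY_SECRET, client_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment, which
    often carry user names, tokens or campaign identifiers."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymise_hit(hit: dict) -> dict:
    """Return the subset of a hit that the proxy is allowed to forward.

    The proxy then sends the request from its own IP address, so the vendor
    never sees the visitor's network address either.
    """
    forwarded = {}
    for key, value in hit.items():
        if key in DROP_PARAMS:
            continue                      # identifier-bearing field: drop it
        if key == "cid":
            forwarded[key] = pseudonymise_id(value)
        elif key == "dl":
            forwarded[key] = strip_url(value)
        else:
            forwarded[key] = value        # e.g. hit type, page title, language
    return forwarded


# Constructed sample hit, as a browser-side tag might send it to the proxy.
SAMPLE_HIT = {
    "t": "pageview",
    "cid": "1234567890.1650000000",
    "uip": "203.0.113.42",
    "dr": "https://search.example/?q=patient+portal",
    "ua": "Mozilla/5.0 (constructed)",
    "dl": "https://example.org/account?user=alice&token=abc123#top",
    "dt": "My account",
}
```

Running `pseudonymise_hit(SAMPLE_HIT)` forwards only the hit type, hashed client ID, bare path and page title.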

No ban. But …

There’s some confusion in the marketplace about why GA isn’t just banned. If all these regulators say it’s illegal in all these cases, how come it’s still available? As the Danish DPA notes, regulators can’t champion or ban specific products: ‘… we at the Danish Data Protection Agency are neutral to technology, and therefore have no interest in either approving or banning certain products. We are not at all empowered to do so.’

Here’s the original post with more info 🙂

Schrems II spawns NOYB 101

These decisions were the result of complaints filed by Max Schrems’ organisation NOYB – 101 complaints in fact, against transfers to Google and Facebook, so we expect many more decisions to come. European regulators even set up a taskforce to process them.

We just need to return quickly to the CJEU’s “Schrems II” decision in July 2020 which dismantled Privacy Shield – the US’s adequacy decision – and immediately made the transfer of data to cloud providers in the States … ‘problematic’ is the word used … under both the EU and UK GDPR.

In summary, the CJEU said that if your US cloud provider could see your personal data in plain text you couldn’t make the transfer unless you could apply something called ‘supplemental measures’. These had to negate the possibility of the US government using surveillance laws (such as FISA 702) to get hold of the data.

(You could also rely on explicit, informed consent or one of the irregular exemptions – neither being very practical nor strategic solutions for regular transfers.)

The EDPB slowly came out with draft Recommendations (which didn’t help much) and then a final document that seemed to offer commercial organisations some hope, as it opened the door to a risk-based approach after all.

We’ll see what these 3 decisions have to say about that in a moment.

 

Why Google Analytics?

You’ll know Google Analytics – it’s the world’s most widely-used web analytics platform, with almost 30 million companies as of Feb 2022 actively using the platform to track how people use their site [BuiltWith, 2022].

It’s used by companies to gain insights into user and buyer behaviour, to make data-driven decisions in their Sales and Marketing. And it does so using cookies.

The issue is that, when you use GA, you’re sending personal data to Google. As the EDPS stated:

‘Tracking cookies, such as the Stripe and the Google analytics cookies, are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection.’

And that’s Google in the USA which, being an American corporation, is subject to US surveillance law. Again, as the EDPS noted:

‘For the period between 30 September and 4 November 2020, during which the trackers remained on the website, personal data processed through them were transferred to the US, where both Stripe and Google LLC are located. The conclusion that transfers to the US took place is reinforced by the circumstance highlighted by the complainants, according to which, ‘all data collected through Google Analytics is hosted (i.e. stored and further processed) in the USA’.’

NOYB was going for low-hanging fruit.

Let’s look at the decisions a bit more.

 

The EDPS

In October 2020, the European Data Protection Supervisor (EDPS) received complaints from members of the European Parliament, and from NOYB in January 2021, citing privacy concerns around an internal coronavirus testing website.

For our purposes, the complaints focussed on the cookie banners, vague data protection notices, and the transfer of resulting personal data to the United States.

A year later, as we saw, the EDPS ruled that personal data was collected and transferred to Google in the US. Post Schrems II, the EU Parliament should have had a document to hand detailing whether supplemental measures could make good the issues with US surveillance law and what those measures were.

However:

‘the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.’

On that basis, the EU Parliament had failed to comply with the rules on transfers in GDPR.

 

Austria

In January 2022, the Austrian Data Protection Authority (‘Datenschutzbehörde’ or ‘DSB’) was the first EU Member State regulator to issue a decision resulting from one of NOYB’s 101 complaints.

The complaint had been filed on 18 August 2020, just a month and 2 days after the Schrems II decision.

The DSB’s case concerned GA running on a health website in Austria, and a website visitor logged into their Google account. Again, cookies were dropped and information was sent to Google in the US, leading to the same decision that the transfer was contrary to GDPR.

But the Austrian decision is interesting for a couple of reasons. First, the DSB looked at the SCCs and supplemental measures in place and confirmed (NOYB’s translation):

‘Insofar as the technical measures are concerned, it is also not recognizable (…) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law.’

This is the unpopular truth that no amount of contractual wording, stages of review, or physical security, can override a legally-binding order.

And secondly, according to NOYB’s case summary, the DSB noted that ‘The fact that Google allows a user to opt in and out of personalized ads shows that Google LLC possesses all means to identify the data subject.’

 

France

After a series of complaints, the French Data Protection Agency, CNIL, this month also declared that the use of Google Analytics constitutes a breach of Articles 44 et seq. of the GDPR. It stated that the privacy of French citizens is at risk when data is sent to the US when accessing websites that use the web analytics platform.

CNIL stated simply: ‘The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions.’

In its decision, CNIL noted that various information could be combined to identify the individual, that it’s not necessary to be able to know the name and address for a person to be identifiable, and that Google received further information when a website visitor is logged into their Google account at the time.

CNIL also reviewed the additional measures put in place by Google and held that they ‘are not sufficient to exclude the accessibility of this data for US intelligence services’.

It can’t have helped that CNIL couldn’t find any confirmation from Google whether anonymisation of IP addresses happened before or after transfer.

Interestingly, CNIL:

  • noted that Google held the encryption keys and so could provide access if ordered, and
  • held that UUIDs are not pseudonymised data – their whole purpose is to identify individuals.

 

Google’s response

As well as any response in the cases themselves, Kent Walker (President, Global Affairs & Chief Legal Officer, Google & Alphabet) responded in January 2022 with:

  • a pretty clear wish for a Privacy Shield replacement, and
  • a heartfelt claim that its supplemental measures are indeed sufficient for Schrems II.

He also held firm to the fact that Google has been supporting businesses with Google Analytics for 15 years and, in that time, they’ve ‘never once received the type of demand the DPA speculated about’, referring to the Austrian DSB’s decision.

 

So, what about risk?

Well, these decisions do not look good for the risk-based approach.

  • The EDPS didn’t even talk about the risk to individuals of their data being accessed by the US authorities.
  • The DSB held that the measures did ‘nicht beseitigen’ (machine translated as ‘not eliminate’) such access.
  • Like the DSB, CNIL held that none of the measures ‘exclude’ such access.

 

What does this mean for you?

It’s very hard to disagree with these 3 decisions – given Schrems II and that the DPAs held there were transfers.

Unless and until the architecture and data flow for GA changes to resolve these transfer issues – and it’s important to note Google have just made changes to make GCP a 100%-European service in an effort to meet Schrems II – you’re running a risk if you use GA in the UK or EEA.

There’s lots of chatter on LinkedIn and in email lists on alternatives. We ourselves use Matomo, but there are many others. Regardless of the tool you choose, you have to abide by the rules on consent.

 

Keepabl’s “Schremsification”

As a Privacy Management Software provider, we should lead by example in choosing the cloud providers we work with. That’s why we embarked on our own ‘Schremsification’ journey.

So far, we’ve migrated our entire data centre to be housed in AWS UK, using AWS equivalents of Sendgrid, New Relic and similar US-origin services. And, outside the app, we’ve for example changed our CRM, email marketing platform and meeting planner to include providers in the EEA or adequacy countries.

For news on which products we chose, and why we chose them, sign up to our newsletter below. We’ll be putting out information there in the coming months:
Want to make sure your business stays GDPR compliant?

Why not choose Keepabl’s Privacy Management Software to help you on your compliance journey?

Our solution helps you to create a robust privacy framework, while managing risks and handling GDPR breaches, allowing you to operate stress-free knowing your GDPR compliance is in check. You’ll also see in our case studies that Keepabl users get the benefits of substantial savings in time and cost. Bonus!

Why not go ahead and request a demo or free trial of our service?

And, as always, we’d love you to get in touch with any questions.
