Background

The developments surrounding the use of Google Analytics need to be viewed in the context of the 101 complaints initiated in several EU countries by None of Your Business (NOYB), the privacy rights advocacy organisation of Max Schrems. NOYB specifically targeted the services of US tech companies and the legality of their transfers of personal data to the US. 

Since the CJEU’s Schrems II decision in July 2020 (by which it invalidated the EU-US Privacy Shield), international data transfers to countries which are not subject to an adequacy decision of the European Commission require a data transfer impact/risk assessment. Companies should not only make sure that they implement an appropriate international data transfer mechanism (such as Standard Contractual Clauses – SCCs), but also verify and reasonably ascertain that an adequate level of data protection will be maintained in practice after the transfer has taken place. US surveillance laws make this exercise more challenging. To help organizations carry out such impact assessment and implement supplementary contractual, technical or organisational measures, the European Data Protection Board (EDPB) published guidelines in November 2020.

GDPR concerns for Google Analytics

When transferring data from the EU to servers in the US in the context of its Google Analytics services offering, Google relies on intra-group SCCs and additional technical and organisational measures (such as pseudonymisation, encryption and reports on the possibility of government access to data) to justify such international transfer under GDPR. NOYB still challenged the transfer, alleging that Google did not provide sufficient safeguards to effectively protect personal data from government access and surveillance. 

Several decisions followed: 

  • The EDPS, the supervisory authority for the European institutions and bodies, decided that the transfer of data taking place through Google Analytics did not comply with data protection laws. The decision followed a complaint filed by several MEPs against a COVID-19 testing website, which was set up by the European Parliament for its members and which implemented Google Analytics. As the European Parliament did not provide any documentation, evidence or other information regarding the contractual, technical or organisational measures put in place to ensure an essentially equivalent level of protection of the personal data transferred to the US, the EDPS deemed the transfer to be non-compliant. 
  • The Austrian DSB was the first to officially decide on one of the NOYB complaints. In January 2022, it held that:
    • for personal data processed through Google Analytics (i.e. IP-addresses, user-ID and browser information), the website owner is the controller of the data, while Google processes the data as a processor;
    • personal data is transferred data to Google LLC in the US;
    • Google LLC is a provider of electronic communication services under US law, and therefore subject to supervision of the US intelligence services, which can request access to the personal data of EU data subjects; and
    • the additional measures taken by Google (pseudonymisation, encryption and reports on government access) are not sufficient to decrease this risk. 
  • In February 2022, the French CNIL came to a similar decision, also following a NOYB complaint. The CNIL held that:
    • Google’s supplementary measures do not suffice to ensure adequate protection of the personal data transferred to the US, as they cannot reduce or prevent access by US authorities (US authorities could e.g. still request the encryption keys held by Google to bypass the encryption measures);
    • Google’s argument on anonymisation of IP addresses does not change this conclusion, as this feature is only optional and no clarity was provided on whether anonymization was implemented prior to the transfer or only after the transfer already took place; and
    • the website operator could not rely on the exception of explicit consent to the transfer, as a general cookies consent cannot be seen as equivalent to informed consent to the international data transfer. 
  • Outside the context of a NOYB complaint, also the Danish Datatilsynet touched upon the topic of international transfers of personal data under the current version of Google Analytics. It held that a website operator’s legitimate interest to gain a better understanding of visitors' surfing behaviour in itself did not outweigh the legitimate privacy interests of the data subject, especially as Google did not take sufficient supplemental measures to protect the EU-US data transfers, in addition to the SCCs. 

  • The Dutch Autoriteit Persoonsgegevens is still in the process of investigating the NOYB complaints brought before it. In the meantime, however, it has posted a disclaimer in its Guidance for Google Analytics stipulating that the use of Google Analytics may be banned in the future, following the conclusion of its investigation.

Impact of these decisions

To date, only the Austrian and French authorities have formally issued a decision on the use of Google Analytics by website operators. There is therefore no general EU-wide ban on Google Analytics. However, as the decisions were taken in coordination (through the EDPB) with the other EU national supervisory authorities, they will eventually have a European-wide effect. The Belgian Data Protection Authority (BDPA) and the Dutch Autoriteit Persoonsgegevens are currently investigating similar cases and will soon need to take an official position on Google Analytics. 

Since NOYB filed its 101 claims in August 2020, Google has published a document called “Safeguards for international data transfers with Google’s advertising and analytics products”. The supplementary measures mentioned in this document were put forward by Google in the cases discussed above, but they were deemed to be insufficient to protect the personal data of EU citizens. More substantial changes to the Google Analytics service therefore appear to be required (including e.g. full IP address anonymisation before transfer to the US, setting up EU-based servers, etc.). A more long-term solution to this problem would of course be a new and more robust adequacy decision for the US (a new Privacy Shield), which would however require changes in US surveillance laws and is therefore not expected any time soon.

What does this mean for you as a website operator?

In light of the recent developments, many website operators are switching to alternative providers of website analytics and online advertising services, in particular those guaranteeing full data storage in the EU/EEA. Even though the use of such services and tools may raise other GDPR concerns, the absence of data transfers to the US already greatly facilitates the compliance exercise. 

Other website operators are waiting for Google to implement additional measures to satisfy the EU data protection authorities, unsure however of when this will happen and whether the additional measures will be deemed sufficient. 

Finally, some operators are also looking into more creative technical solutions, including the use of third-party tools to anonymise data before it is accessed by Google Analytics. 

More generally, data controllers should also continue to check whether they are using services which transfer data outside of the EEA, assess the necessity of relying on such services and examine the possibilities such services offer to process the data within the EEA.

Special thanks to our winter intern Kristof Nouille for assisting with the preparation of this article.