It’s 2022, and the dynamic Data Protection world has seen substantial changes in the use of Google Analytics (cookies) in the European scenario.
It’s no news to anyone that the use of the US service Google Analytics in the European Economic Area (“EEA”) has become controversial over time, primarily because of concerns about the security of personal data transfers, storage and access.
It’s worth mentioning as a reminder that the GDPR has strict criteria to determine whether a country is considered a “secure third country” or a “non-secure third country” for data protection purposes. A secure third country is any country outside the EEA that the European Commission considers compliant with the GDPR regarding the transfer, sharing and storage of personal data.
Examining the legitimacy of such a transfer is done in two stages. First, the data transfer itself must be legal, since any processing of personal data is prohibited unless it is authorised. In addition to consent, Art. 6 of the GDPR sets forth further grounds for authorisation, such as fulfilling a contract or protecting vital interests.
For special category data which requires a higher level of protection, Art. 9 of the GDPR provides separate legal requirements. If the data transfer meets the general requirements, the next step is to confirm that the transfer to the third country is permitted. In third countries considered “secure”, national laws provide a level of protection for personal data which is comparable to those of EU law.
However, if the country does not meet the requirements for such transfer, this does not mean that the data transfer cannot take place. In this case, the data controller must ensure in a different way that the personal data will be sufficiently protected by the data processor.
The most common way of doing this is by using Standard Contractual Clauses (SCCs) or, for data transfers within a corporate group, so-called “binding corporate rules”, declared by the European Commission as compliant.
Comparing the US and EU approaches to data protection law
The US approach to data protection regulation is significantly different from the European approach: instead of formulating one all-encompassing regulation like the GDPR, US legislation implements sector-specific privacy and data protection regulations that work together with state laws to safeguard American citizens’ data.
California is one of the states ahead of the game, offering for example a Security Breach Notification Law since 2022. Still, not all states are on the same page, and that’s one of the issues with US legislation: its lack of consistency and scope.
The essential difference between the US and EU regarding privacy laws and data protection is their point of focus. The US legislation seems more inclined to consider the integrity of data as a commercial asset, while the EU, with the GDPR, has been determined to put individual rights before the interest of businesses. The European companies that fail to protect the data subject rights expose themselves to elevated fines and considerable reputational damage.
Let’s remember as well that the former EU-US Privacy Shield, a framework designed by the European Commission and the US Department of Commerce to facilitate transatlantic exchanges of personal data for commercial purposes between the EU and the US, was declared in 2016 as invalid for transfers of personal data from the EU to the US, on the basis that it does not fully protect EU citizens given the surveillance by US agencies. After all, the Privacy Shield was always meant to act as an agreement, not proper regulation, and did not address the individual privacy rights vouchsafed by the GDPR (e.g., the right to be forgotten).
On the 13th of January 2022, the Austrian data protection authority (“DSB”) ruled that the use of Google Analytics (cookies) violates the GDPR because it transfers personal data to the US without meeting the GDPR requirements. Specifically, the DSB found a violation of Article 44 of the General Data Protection Regulation: personal data was exported to an importer in the US, Google LLC, through the ongoing use of Google Analytics without ensuring an adequate level of protection, as required under Chapter V of the GDPR. The ruling followed a complaint, presented in August 2020 by a complainant represented by NOYB (European Centre for Digital Rights), as one of the 101 complaints filed by NOYB against EU companies for their continued use of Google Analytics and Facebook Connect, allegedly subjecting EU personal data to US surveillance laws in violation of the requirements of the Court of Justice of the European Union’s (“CJEU”) judgement in Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems (C-311/18) (“the Schrems II case”).
As we know, Google Analytics is used to provide statistical data on website visits. US service providers are currently largely failing to ensure the required level of protection, since they do not guarantee properly regulated consent and/or a further limitation of the processing activities carried out by Google. If they did, they could use Google Analytics. This is also raising a systemic concern in the EU about access to the data by the US government.
The decision of the Austrian DPA, which was also taken by the Netherlands, sets a precedent for the European use of US service providers for data transfers.
In December 2021, the conference of German data protection supervisory authorities (“DSK”) published its Guidance for Providers of Telemedia Services, which focuses on the “cookie provision” of the German Telecommunication and Telemedia Privacy Act (TTDSG), which came into force on 1 December 2021. The document presents guidelines for the consent requirement for cookies and similar tracking technologies, as well as relevant exceptions listed in Section 25 (2).
The TTDSG provides that the storage of information on a user’s device shall be permitted only with the consent of the end user. Exceptions to the consent requirement apply when the storage of information, or access to information already stored on the user’s device, is carried out to transmit a message over a public telecommunications network, or when the storage and/or access is “absolutely necessary” for providing a “service expressly requested by the user”.
The DSK also provides advice on cookie banner design. If the storage or access of information relies on an exception, there is no need to request consent, since a cookie banner requesting consent would unnecessarily interfere with the service. The DSK’s reasoning is that asking for consent would be misleading in these circumstances, since the user does not in fact have a choice.
When cookies require consent, the DSK dictates that:
- a) consent must be actively given; therefore, opt-out mechanisms, browser settings that accept cookies generally, and the ongoing use of a mobile application or website after notice do not constitute active consent;
- b) consent must be freely given; for example, “nudging” can invalidate otherwise valid consent. The DSK asserts that such nudging already exists when rejecting cookies requires more clicks than accepting them. Users should be able to continue using the service without accepting, or even after actively declining, cookies; and
- c) consent must be informed; according to the DSK, a cookie banner should provide an overview of all processing operations that require consent, adequately explained, including the names and functions of any relevant third parties.
For all processing activities, the DSK opines that Article 49 of the GDPR, which allows transfers without appropriate safeguards on the basis of consent, cannot be used to justify transfers of personal data processed in connection with the regular tracking of user behaviour on websites or in mobile applications.
According to the DSK, the scope and regularity of such transfers cannot be reconciled with the character of Article 49 of the GDPR as an exception to the general rules on data transfers, nor with the requirements of Article 44 of the GDPR.
Is there a sufficient European alternative for the use of Google Analytics?
After the Austrian data regulator ruled that the use of Google Analytics is a breach of the GDPR, and in the absence of a new EU-US data deal, other countries may follow. This kind of decision could impact how data flows across the entire European and American business ecosystem.
The legal implications of unlawful processing of personal data in the European context are too immense to ignore, and data protection is at the core of European digital rights, so website operators won’t risk it. They will prefer to migrate to alternatives to Google Analytics that are compliant with the GDPR. Regulators in 30 European countries are currently investigating other cases, and the majority of these decisions will likely have the same or similar outcomes.
There are plenty of European cloud-based analytics services that don’t get as much attention as Google Analytics, which is estimated to be used by 28 million websites worldwide. On the other side, Silicon Valley companies have shown no willingness to adapt to the European rules, since they see no problem with shipping EU data to the US.
Unless a new data deal is put in place, the scenario looks problematic for the US company. Only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty that stakeholders on both sides of the Atlantic expect.