Posted by Miks Ulmanis
Recently, the French and Austrian data protection authorities declared that the use of Google Analytics is illegal.
Read more to find out what this might mean for you and your business.
According to BuiltWith, as of April 2022 more than 28 million websites (including more than 70% of the top 10,000 websites worldwide) used Google Analytics.
Google Analytics is a free but powerful analytics tool in every marketer's arsenal. It lets businesses see which content gets the most engagement and where their visitors come from, track marketing campaigns and much more.
To provide this service, Google Analytics collects hundreds of data points about individual visitors. These include the visitor's IP address, browser type and operating system, as well as language settings, time of visit and referral site details.
But the French and Austrian authorities have ruled that the use of Google Analytics is illegal, because it breaches the GDPR rules on transfers of personal data outside the EU/EEA.
Will other countries follow suit and declare Google Analytics illegal as well?
Can you use Google Analytics in compliance with the GDPR?
Should you switch to an EU/EEA-based alternative instead of Google Analytics?
NOYB, an Austria-based non-profit organisation, filed 101 complaints against websites for illegally using Google Analytics and Facebook Connect. It argued that these tools transfer personal data from the EU/EEA to US companies without adequate protection.
This is because US companies like Google are subject to US surveillance laws. These laws give US authorities such as the FBI broad powers to access personal data transferred from the EU/EEA.
As NOYB pointed out, the Court of Justice of the European Union (CJEU) has ruled that US law does not provide an adequate level of privacy protection (the Schrems II decision).
Furthermore, NOYB argued that businesses cannot rely on standard contractual clauses (SCCs) to transfer data to the US, because the SCCs do not prevent US authorities from accessing personal data from the EU/EEA.
After reviewing the complaints, the French and Austrian authorities declared the use of Google Analytics illegal.
Let’s now turn to how and why they decided that the use of Google Analytics was illegal under the GDPR.
Acting on NOYB's complaints, the French authority (CNIL) has already issued three decisions finding that the use of Google Analytics is illegal.
The French authority referred to the CJEU's Schrems II decision, in which the CJEU stated that, to ensure the protection of personal data, additional safeguards may need to be implemented on top of the SCCs.
The website operators in question had concluded SCCs with Google. Despite extra measures such as encryption intended to prevent unlawful access, the French authority found that the current measures are not enough, because they cannot stop US authorities from accessing the data.
It therefore ordered the website operators to bring their processing into compliance and stated that they should stop using Google Analytics altogether if necessary.
In December 2021 the Austrian authority decided that the use of Google Analytics was illegal under the GDPR.
One significant point: the Austrian authority emphasised that companies cannot take a risk-based approach. They must eliminate the risk altogether.
Google, for example, claimed that the US government had never requested Google Analytics data, and argued that encryption and IP anonymisation greatly reduce the risks.
But the Austrian authority rejected the risk-based approach and stated that extra measures must "eliminate the possibility of surveillance and access [to the personal data] by US intelligence agencies".
In other words, the risk of access must be zero. Otherwise, transferring data to the US by using Google Analytics is illegal.
Can you put in place extra measures to use Google Analytics in a legal way?
Some may think IP anonymisation is an effective measure, but this is only partly true.
A user's IP address is only one piece of the puzzle, and Google Analytics collects far more personal data. IP anonymisation only truncates the address (for IPv4, the last octet is zeroed before the hit is stored), while Google Analytics still assigns a unique client ID to each user.
It also records the subpages each user has visited, along with their device type and browser type.
Combined with other data, these data points can identify or single out a data subject even without the full IP address.
Thus, IP anonymisation is not enough to prevent US authorities from identifying data subjects.
The Austrian authority noted that the SCCs signed with Google are not enough. Thus, businesses should put in place extra measures to eliminate the risk of access. Otherwise, Google Analytics is illegal to use under the GDPR.
While encryption in transit and at rest is useful, it cannot stop US authorities from accessing personal data.
This is because Google holds the encryption keys, and US authorities can compel Google to decrypt the data or disclose the keys. Encryption only closes this gap when the key is held exclusively by a party outside the reach of US law, which is not the case for data Google itself must process to provide the service.
When the NOYB raised these complaints, Google US was providing Google Analytics.
However, since April 2021, the Google Analytics service is provided by Google Ireland.
One question you may ask: When you use Google Analytics and transfer data to Google Ireland, is it an international data transfer?
Would the use of Google Analytics be illegal regardless?
Unfortunately, there is no clear answer to that question yet. When the European Data Protection Board (EDPB) published its draft Guidelines on Data Transfers, it did not address transfers to subsidiaries located in the EU/EEA whose parent company is in the US.
While the decisions are not final, the EU/EEA authorities are determined to enforce the Schrems II decision.
More importantly, the NOYB filed identical complaints concerning companies in all EU/EEA countries. Thus, more EU/EEA authorities will issue their decisions on whether Google Analytics is illegal or not.
For example, on 13 January 2022, the Netherlands authority warned that the use of Google Analytics may soon be illegal.
On 3 March 2022, the Liechtenstein authority advised using an alternative, data-protection-compliant solution instead of Google Analytics. There have already been many complaints in Liechtenstein that were resolved by the website operators immediately deactivating Google Analytics.
On 25 March 2022, the EU and the US announced that they have agreed in principle on a new mechanism for transfers of personal data to the US. However, it is only a political announcement and it is not known when this new mechanism will be adopted and when the companies will be able to start using it.
At the moment, it is uncertain how companies can lawfully use Google Analytics.
Thus, companies may consider alternative service providers to avoid potential fines.
While Google Analytics is a great analytics tool, there are other alternatives in the market.
Since other EU/EEA countries may also declare the use of Google Analytics illegal, you might have to adopt an alternative.
Here is a list of a few Google Analytics alternatives that we have found. They are listed in no specific order.
An open-source solution may be useful for businesses under strict regulation that run on-premise systems to keep full control over their data (e.g. banks or businesses that process special-category data).
Open-source software also lets you inspect the entire codebase before deploying analytics on your own infrastructure, so you can verify for yourself that no analytics data is sent to third parties. Note that self-hosting only avoids the transfer problem if the servers (and any hosting provider) are themselves outside the reach of US law.
Currently, only the Austrian and French authorities have decided that the use of Google Analytics is illegal.
It is likely that other EU/EEA countries will take similar decisions and declare the use of Google Analytics illegal for similar reasons. Thus, using Google Analytics exposes businesses to potential GDPR compliance risks.
The EU and the US have announced that they have agreed in principle on a new mechanism for transfers of personal data to the US. While this mechanism is not implemented yet, we will follow the news on this.
Now, businesses should think about alternative solutions to Google Analytics to avoid potential fines.
There are many Google Analytics alternatives that provide similar features in a GDPR-compliant way.
While in this article we mainly talk about Google Analytics, the situation is not specific to Google Analytics. It is basically about US authorities having the ability to access personal data transferred from the EU/EEA. Hence, companies must review all their transfers of personal data outside the EU/EEA and make sure that they comply with the GDPR.