The decision of the Austrian data protection commissioner, who upheld a complaint against a website over its use of Google Analytics, does not bode well for the use of Google Analytics, or of other US cloud services, in Europe.
In addition to the Austrian authority, the Dutch data protection authority is currently dealing with two complaints about the use of Google Analytics in the Netherlands. The Dutch authority has said it expects to complete that investigation in early 2022.
The decision raises new doubts about the use of tools that require the transfer of Europeans' personal data to the U.S. for processing. The Austrian data protection authority found that IP addresses and the identifiers stored in cookies are personal data of website visitors, which means that these transfers fall under EU data protection law.
In this particular case, a function to anonymize the IP address had not been properly implemented on the website. Regardless of this technical detail, however, the supervisory authority found that IP addresses are personal data because they can be combined with other digital data to identify a visitor.
Consequently, the Austrian data protection authority found that the website in question – netdoktor.at – had violated the EU’s General Data Protection Regulation (GDPR) by exporting visitor data to the US as a result of implementing Google Analytics. Its key findings were:
- Google could have access to personal data without users’ consent, depending on the configuration of Google Analytics
- Due to surveillance laws in the U.S., Google cannot adequately ensure that the U.S. government does not gain access to personal data
- It is not relevant that Google may need additional information to fully identify an individual
- Google itself can identify a person, since it lets individual users opt out of personalized advertising
What is the background of the decision?
In the summer of 2020, the data transfer agreement between the US and the EU (known as the Privacy Shield) was declared invalid under the GDPR.
This concerned the transfer of data from the EU to the USA. Because the ruling did not settle the question of contractual clauses, many companies amended their contracts afterwards, adding data protection wording to ward off further challenges to their data collection.
Following the ruling, the Austrian privacy activists of noyb filed more than 100 complaints about EU/U.S. transfers with various data protection authorities in Europe. The decision now issued by the Austrian data protection authority is the result of evaluating some of these complaints.
What is Google’s position?
As expected, Google sees things differently:
“Google Analytics is a service used by companies to understand how their websites and applications are being used so they can better design them. No individuals are tracked or profiled on the Internet.”
You can read the complete statement
What you should do now
- Although this particular case involved Google Analytics, it is quite likely that other U.S.-based services and platforms could also be affected by this decision. We therefore advise companies in the EU to closely monitor developments and further decisions in the coming months.
- In any case, take the current decision as an opportunity to check the anonymization of your users’ IP addresses and the correct implementation of your consent banner.
- Switch to server-side tagging (SST) as soon as possible. The data can then be processed in the EU before being sent to the US and other third countries. With SST, you have maximum control over the data that is sent to Google Analytics and other tools. For example, you can truncate or otherwise anonymize the IP address while the data is still in the EU.
Is Google Analytics 4 legal?
In March 2022, Google announced the end of Universal Analytics and is now introducing Google Analytics 4 as its replacement.
Google says Google Analytics 4 is a privacy-friendly alternative that does not collect IP addresses. But does it really solve the problems that the decisions of European data protection authorities point to?
One of the changes concerns the anonymization of IP addresses. In Google Analytics 4, Google anonymizes the IP addresses of tracked website and app users as part of data collection, and does not give its customers an option to turn this feature off.
On this basis, Google claims that it does not collect personal data. However, in its April 2022 partial decision, the Austrian DPA reconfirmed that Google Analytics’ IP anonymization is not sufficient. Its reasoning was as follows:
- IP anonymization only affects the IP address as such. Google still transmits other data, such as online identifiers set via cookies or device data, in plain text.
- IP anonymization takes place only after the data has been transferred to Google.
- As a consequence, this means that Google still collects personal data.
The Austrian DPA already emphasized in its first partial decision that the “IP address (…) is only one of many ‘puzzle pieces’ of the digital footprint (…)”. Anonymizing IP addresses therefore does not necessarily mean that the processed data is not personal. Cookie identification numbers, for example, are personal data.
The Austrian DPA confirmed that the use of these identification numbers allows Google Analytics to “distinguish website visitors and also to obtain the information whether it is a new or a returning website visitor (…).”
Google may link the information that Google Analytics 4 collects on a particular pseudonym with other data submitted by other users of the platform or by other Google services, of which there are a great many. This would allow Google to determine the identity of individual website and app users and their behavior on the same website or app, or possibly on other websites and apps.
It is rather unlikely that Google will do so, but website operators should be aware of the risks involved.
Regardless, the main problem with Google Analytics 3 and 4 remains the same: data transfers between the EU and the US.
However, Google announced that Google Analytics 4 will receive and process data from EU users via domains and servers in the EU. As long as the storage still takes place on US servers, a legal residual risk remains.