Landmark decision: Google Analytics is not compliant with GDPR

The Austrian Data Protection Authority ruled that the use of Google Analytics is illegal in the EU.

The statistics tool Google Analytics is used on numerous websites in the EU because, as with many other services from American tech giants, it can be difficult to find European alternatives of comparable quality.

The tool is also widespread in Denmark and is used by some of the country’s largest companies: Maersk, Novo Nordisk, DSV, and Vestas.

But that might change in the future, because the Austrian Data Protection Authority last week closed a case concerning an anonymous website operator’s use of Google Analytics, and its conclusion is that the widely used service is illegal in the EU:

“In the opinion of the data protection authority, the Google Analytics tool (at least in the version dated August 14, 2020) cannot be used in accordance with the requirements of Chapter V GDPR,” the supervisory authority writes in the decision.

The tool sends personal data of EU citizens to the USA, and Google’s measures to protect the information in that insecure third country are not good enough, according to the Austrian Data Protection Authority.

Cookie data ends up in the US

The case started with a complaint from privacy activist Max Schrems and his Austrian organization “None of Your Business” (noyb) to the country’s data protection authority.

Noyb believes that the website operator, which is the data controller, has violated the GDPR and the Schrems II judgement of summer 2020 by using Google Analytics on its website and sending visitors’ data to the USA.

The website operator integrated a piece of JavaScript code into the website’s source code, which enables Google Analytics to collect information about visitors via a statistics cookie and send the data to www.google-analytics.com. The website owner can use the tool to monitor the traffic and the behaviour of the website’s visitors.

Specifically, the service collects:

  • A unique online ID
  • The visitor’s IP address
  • The website address and its HTML title as well as the subpages that the user visits
  • Information about the browser, the operating system, the screen resolution, language preferences, and the time of the visit
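One defender-side check that follows from this description is a compliance audit of a site’s own HTML for the Google Analytics hook. The Python script below is an added example, not code from the article or from Google: it knows only the host named here (www.google-analytics.com), the two extra loader hosts in GA_HOSTS are assumptions, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# www.google-analytics.com is the host named in the decision; the other two
# are assumptions about hosts that commonly serve the Google Analytics loader.
GA_HOSTS = {"www.google-analytics.com", "google-analytics.com",
            "www.googletagmanager.com"}

class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # non-None while inside an inline script
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_html(html: str) -> list[str]:
    """Return one finding per place the page wires in Google Analytics."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:  # protocol-relative "//host/x" parses fine too
        host = (urlparse(src).hostname or "").lower()
        if host in GA_HOSTS:
            findings.append(f"external script loaded from {host}")
    for body in p.inline:
        if any(h in body for h in GA_HOSTS):
            findings.append("inline script references a Google Analytics host")
    return findings

# Constructed sample: one first-party script, the GA loader, one inline snippet.
SAMPLE_HTML = """<html><head><title>Demo</title>
<script src="/js/app.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>var GA_ENDPOINT = "https://www.google-analytics.com/collect";
ga('create', 'UA-PLACEHOLDER', 'auto'); ga('send', 'pageview');</script>
</head><body></body></html>"""
```

Run audit_html over the stored HTML of every page in a site inventory to list where the tool is still embedded; it inspects markup only and fetches nothing.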

During the course of the case, Google disputed that a unique online ID can be classified as personal data, arguing that nothing about the person can be deduced from it alone. If this information is not personal data, its processing is not subject to the GDPR.

But the Austrian Data Protection Authority disagrees with Google.

The user can be tracked

In the decision, the Austrian supervisory authority emphasizes that the information is personal data, in particular because the unique online ID can be combined with other data to learn more about the visitor:

“With all of these elements - i.e. unique identification numbers and the other information listed above, such as browser data or IP address - it is all the more likely that the complainant (Max Schrems, ed.) can be identified,” the data protection authority says in the decision.

The authority further elaborates that it would run counter to the fundamental right of EU citizens to data protection if the data processing connected with Google Analytics were not subject to the GDPR. The whole idea of the service is that the tool should be implemented on as many websites as possible in order to collect information about their users.

“[I]t can be assumed that it can be traced back to the “face” of the complainant - such as his name,” the data protection authority says.

A dangerous combination of information

What can be learned about a person based solely on the information that the cookie collects and sends to Google Analytics may be limited. But the Austrian Data Protection Authority argues that the tech giant has access to other resources, which in combination with the cookie data can generate even more information about the website visitor.

Max Schrems was, in fact, logged into his Google account when he accessed the website, and Google was notified of this. In this way, it is technically possible for Google to get an overview of the movements of a specific Google account user across websites that use Google Analytics.

However, according to the Austrian Data Protection Authority, it is even more important to look at the US authorities’ access to the cookie data:

“As the complainant has also rightly pointed out, US intelligence services take certain online identifiers (such as the IP address or unique identification numbers) as starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services already have collected information with the help of which the data transferred here can be traced back to the person of the complainant.”

It is not only a theoretical but a concrete “danger”, the authority elaborates, referring to the Schrems II judgement, in which the Court of Justice of the European Union invalidated the Privacy Shield as a transfer basis because US law conflicts with the EU’s data protection guarantees.

“This is particularly evident from the - mentioned in the factual findings - transparency report of the second respondent (Google, ed.) who proves that there are data requests from US authorities to the second respondent,” the decision states.

Although the data protection authority acknowledges that it is impossible for the website operator to determine whether US authorities have gained access to the cookie data, it emphasizes that this uncertainty should not be to the detriment of the website visitors.

Harsh judgement of Google’s measures

Although the USA is an insecure third country with problematic legislation, it is still legal to send personal data to it if one makes sure that the information is properly protected.

The website operator has entered into a standard contract with Google, but as the Court of Justice of the European Union pointed out in the Schrems II judgement, such a contract cannot bind US authorities. The website operator therefore has to rely on other measures to protect the data.

The website operator sought help from Google, which has implemented so-called “additional measures” for the data transfer in an attempt to make it legal. However, according to the Austrian Data Protection Authority, neither the organizational, the contractual nor the technical measures are sufficient:

“In relation to the set out contractual and organizational measures it is not recognizable to what extent a notification of the data subject about data requests (should this be permissible in the individual case at all), the publication of a transparency report or a “guideline for handling government inquiries” is effective in the sense of the above considerations.”

The authority further elaborates that it is also unclear how a “careful examination of every data access request” can be an effective measure when the Court of Justice of the European Union has clearly stated that data requests from US intelligence services are not compatible with the fundamental rights of EU citizens.

“In relation to the technical measures it is also not recognizable—and was also not explained comprehensibly by the respondents (Google and the website operator, ed.)—to what extent the protection of communication between Google services, the protection of data in transit between data centers, the protection of communication between users and websites or “on-site security” actually prevent or restrict access by US intelligence services based on US law,” the data protection authority emphasizes.

Google may also be compelled under US law to hand over the encryption key to the US authorities, so the technical measures are not good enough as long as the tech giant itself has access to the information in clear text.

Google Analytics is out

As Google’s security measures for the transfer of data via Google Analytics cannot protect the information in the USA, the Austrian Data Protection Authority concludes that the service is illegal.

But since Google is the data processor, it is not the tech giant that infringed the GDPR. The website operator is responsible for the data and made the decision to use a service that illegally hands over the data of EU citizens to US intelligence services.

The website operator has not been fined, but has to stop using Google Analytics. And since the GDPR’s requirements apply equally to all data controllers in the EU, the Austrian Data Protection Authority’s decision is also relevant in Denmark.

However, it is up to the Danish Data Protection Agency to assess whether it agrees with its colleagues in Austria, or whether the ambition to harmonise the GDPR across the EU’s national borders suffers a setback and Google Analytics keeps its place on Danish websites.