Is Google Analytics illegal in companies?

Google Analytics

Google Analytics: This is the current assessment of international data protection authorities.

Google Analytics

Is the use of Google Analytics in my company illegal? 

Introduction 

Google Analytics is a well-known web analysis service and is used by many website operators. As part of the processing, user data is collected and analyzed by Google to gain insight into user behavior. From this data, changes for optimization processes of the website can be derived, developed and implemented. The frequent use of the analysis tool can also be attributed to the fact that most of the functions are free of charge. The advantages are therefore obvious. 

However, the use of Google Analytics has repeatedly been subject to criticism from data protection authorities, among other things due to the transfer of data to the USA since the second Schrems ruling of the European Court of Justice. In recent months, several European data protection authorities have been critical of the use of Google Analytics. But is the use actually illegal?

What is the problem with the use? 

First of all, without sufficiently transparent information, website users do not notice how much or which data is collected. This is because these processes run in the background. As part of the analysis, the collected data and the IP address can be clearly assigned to a user. According to Google, this data is pseudonymized. However, according to critics, this pseudonymization is not sufficient as a protective mechanism.  

Furthermore, the USA is considered a third country in the sense of the GDPR. A corresponding legal basis is required for data transfer to third countries. The Privacy Shield was originally used between Germany and the USA for this purpose. However, this legal basis ceased to apply with the ruling of the European Court of Justice in 2020 (“Schrems II”).

For some time now, the European Commission has been working on a new data protection agreement with the USA. An initial agreement was reached in March 2022. After President Joe Biden issued an “Executive Order” on October 7, 2022, to improve the data protection of Europeans against wiretapping activities of the U.S. intelligence services, the ball is now in the EU Commission’s court.

But it will probably be several weeks or even months before the Commission issues an adequacy decision in favor of the United States.  

What is the current assessment of international data protection authorities? 

Due to these problems, the Austrian data protection authority (ÖDSB) was the first authority to rule on the illegal use of Google Analytics in January 2022. The use of the tracking software violated Article 44 of the GDPR, as personal data was transferred to the USA without a legal basis.  

In the course of the year, other European data protection authorities (including CNIL, GPDP) followed this assessment and declared the use of Google Analytics to be unlawful. 

Other authorities are expected to follow this ruling. 

What do I as a website operator now have to consider when using it? 

According to the data protection authorities, there are not many options for website operators to use Google Analytics in a manner that complies with data protection laws.  

On the one hand, an explicit and voluntary consent of the users is essential for the processing as such, i.e. the analysis. Here, the legal basis lies in Art. 6 (1) sentence 1 lit. a, Art. 7 DS-GVO. In addition, with regard to the third country transfer, consent is advisable, which is then based on Art. 49 (1) a DS-GVO.

However, this approach is also largely viewed critically by data protection authorities, because the provision is an exception to Art. 44 of the GDPR. Consent should only be given for individual transfers. In the context of Google Analytics, however, a continuous third-country transfer takes place, so that it is no longer possible to speak of an exceptional case. 

In any case, the code should be adapted so that a complete transfer of the IP address is prevented, making it more difficult to identify the person.  

In addition, the use of Google Analytics and the extent to which this takes place should be stated in the privacy policy. 

Are there alternative tracking models to Google Analytics? 

Yes, there are and the market for them is growing. Website operators who do not want to take any risks should look into alternative tracking and analysis tools that process personal data exclusively in the EU, refrain from tracking across websites and ensure that personal data is anonymized at an early stage.  

Conclusion 

Now that a few data protection authorities have spoken out against the use of Google Analytics and there are already several data protection complaints in another 23 states in this context, using Google Analytics is risky. 

Therefore, it is advisable to inform yourself about the programs used in your company and to look for alternatives if necessary. Meanwhile, there are several alternatives on the market, which can be suitable for your own website depending on your needs.

We are happy to help you with the selection. If you want to be on the safe side, you can avoid using Google Analytics altogether. Ultimately, it is up to the discretion of the website operator. It should be noted that in the event of violations, not only Google but also the website operator may be responsible for data protection violations. 

We will continue to inform you here about the legal development of a legally compliant use of Google Analytics as well as similar programs. 

NOCH FRAGEN?

Wir freuen uns auf Ihre Anfrage zu diesem und weiteren Themen!