Is Google Analytics illegal in companies?

Google Analytics

Google Analytics: This is the current assessment of international data protection authorities.

Is the use of Google Analytics in my company illegal? 

Introduction 

Google Analytics is a well-known web analysis service used by many website operators. During processing, Google collects and analyzes user data to provide insight into user behavior. From this data, changes that optimize the website can be derived, developed and implemented. The tool's popularity is also due to the fact that most of its functions are free of charge. The advantages are therefore obvious. 

However, the use of Google Analytics has repeatedly been criticized by data protection authorities, in particular because of the transfer of data to the USA following the second Schrems ruling of the European Court of Justice. In recent months, several European data protection authorities have taken a critical view of the use of Google Analytics. But is its use actually illegal?

What is the problem with the use? 

First of all, without sufficiently transparent information, website users do not notice how much or which data is collected. This is because these processes run in the background. As part of the analysis, the collected data and the IP address can be clearly assigned to a user. According to Google, this data is pseudonymized. However, according to critics, this pseudonymization is not sufficient as a protective mechanism.  

Furthermore, the USA is considered a third country in the sense of the GDPR. A corresponding legal basis is required for data transfer to third countries. The Privacy Shield was originally used between Germany and the USA for this purpose. However, this legal basis ceased to apply with the ruling of the European Court of Justice in 2020 (“Schrems II”).

For some time now, the European Commission has been working on a new data protection agreement with the USA. An initial agreement was reached in March 2022. After President Joe Biden issued an “Executive Order” on October 7, 2022, to improve the data protection of Europeans against wiretapping activities of the U.S. intelligence services, the ball is now in the EU Commission’s court.

But it will probably be several weeks or even months before the Commission issues an adequacy decision in favor of the United States.  

What is the current assessment of international data protection authorities? 

Due to these problems, the Austrian data protection authority (ÖDSB) was the first authority to rule, in January 2022, that the use of Google Analytics was unlawful. The use of the tracking software violated Article 44 of the GDPR, as personal data was transferred to the USA without a legal basis.  

In the course of the year, other European data protection authorities (including CNIL, GPDP) followed this assessment and declared the use of Google Analytics to be unlawful. 

Other authorities are expected to follow this assessment. 

What do I as a website operator now have to consider when using it? 

According to the data protection authorities, there are not many options for website operators to use Google Analytics in a manner that complies with data protection laws.  

First, the explicit and voluntary consent of the users is essential for the processing as such, i.e. the analysis. Here, the legal basis lies in Art. 6 (1) sentence 1 lit. a and Art. 7 GDPR. In addition, with regard to the third-country transfer, consent is advisable, which is then based on Art. 49 (1) a GDPR.

However, this approach is also largely viewed critically by data protection authorities, because the provision is an exception to Art. 44 of the GDPR. Consent should only be given for individual transfers. In the context of Google Analytics, however, a continuous third-country transfer takes place, so that it is no longer possible to speak of an exceptional case. 

In any case, the analytics code should be adapted so that the full IP address is not transmitted, which makes it harder to identify the person.  

In addition, the use of Google Analytics and the extent to which this takes place should be stated in the privacy policy. 

Are there alternative tracking models to Google Analytics? 

Yes, there are, and the market for them is growing. Website operators who do not want to take any risks should look into alternative tracking and analysis tools that process personal data exclusively in the EU, refrain from tracking across websites and ensure that personal data is anonymized at an early stage.  

Conclusion 

Now that a few data protection authorities have spoken out against the use of Google Analytics and there are already several data protection complaints in another 23 states in this context, using Google Analytics is risky. 

Therefore, it is advisable to review the programs used in your company and to look for alternatives if necessary. Several alternatives are now on the market, and which one suits your own website depends on your needs.

We are happy to help you with the selection. If you want to be on the safe side, you can avoid using Google Analytics altogether. Ultimately, it is up to the discretion of the website operator. It should be noted that in the event of violations, not only Google but also the website operator may be responsible for data protection violations. 

We will continue to inform you here about the legal development of a legally compliant use of Google Analytics as well as similar programs. 

ANY QUESTIONS?

We look forward to your inquiry on this and other topics!

Cloud providers in the USA illegal?

cloud providers

Karlsruhe Higher Regional Court overturns controversial decision!

Introduction

News on data transfer to the USA! After the Public Procurement Chamber of Baden-Württemberg found in a decision on July 13, 2022 that cloud providers in the USA, including their EU subsidiaries, violate the General Data Protection Regulation (GDPR), the Higher Regional Court (OLG) of Karlsruhe has now overturned this highly controversial decision.

According to the decision of the Procurement Chamber, the use of these cloud providers is unlawful because they involve an unlawful transfer of data to a third country in which the data of EU citizens is not adequately protected. In 2020, the European Court of Justice (ECJ) overturned the Privacy Shield in the Schrems II decision, which had previously justified the data transfer. The main reason for this was the extensive surveillance laws and the access possibilities to the data on the part of the US authorities (please see the blog article we have already written on this).

How did the decision of the Procurement Chamber come about? And on what grounds did the Karlsruhe Higher Regional Court overturn the decision of the Public Procurement Chamber?

The problem is the US CLOUD Act

Although the case in question involved a dispute under procurement law, the conformity of a piece of software with the GDPR was also being examined at the same time. In addition to price and quality, data protection and IT security were also decisive factors in awarding the contract.

The company concerned is based in the EU and is the subsidiary of a US group. Under the US CLOUD Act, US authorities may also be permitted to access data located on servers outside the USA, provided that the data belongs to such subsidiaries. Because of this possible access to the data of EU citizens, the Procurement Chamber classified the cloud service as inadmissible. Whether and to what extent access actually takes place was irrelevant for the Procurement Chamber.

When would a data transfer to a third country be justified?

The transfer of data to a third country, i.e., a country outside the EU/EEA, may be justified under Art. 44 et seq. of the GDPR. For this purpose, either an adequacy decision must have been issued for the respective country (this is not the case for the USA) or other means of justification such as standard contractual clauses must be used, although it must be verified in each individual case whether EU data protection law has been complied with.

However, in the opinion of the Procurement Chamber, the standard contractual clauses were not sufficient in the present case, because there was a “latent” risk of access by U.S. agencies due to the CLOUD Act and this therefore violated EU data protection law.

Criticism of the decision and grounds for reversal

The decision of the Procurement Chamber faced a lot of headwind from the beginning. In particular, the State Data Protection Commissioner for Baden-Württemberg voiced some criticism. This criticism was then echoed by the Karlsruhe Higher Regional Court, which reviewed the validity of the decision and ultimately overturned it on September 7, 2022. The decision of the OLG Karlsruhe is also legally binding.

But what was so questionable about the decision of the Procurement Chamber? Why did the OLG overturn the decision?

The State Data Protection Commissioner for Baden-Württemberg found the following points questionable:

  • The Procurement Chamber did not review the current EU standard contractual clauses, but older ones.
  • In addition, the Procurement Chamber equated a possible access risk on the part of the U.S. agencies with an actual transfer of data.

In addition, data protection experts criticized the fact that the Procurement Chamber completely disregarded the possibility of encrypting the data in its decision.

The OLG based its decision primarily on the latter point of criticism raised by the Baden-Württemberg data protection authority. As long as the provider makes a binding promise that no third-country transfer will take place when the online service is used, this promise can be relied on. Such contractual assurances can be relied on until there are concrete indications that give cause for doubt.

In the present case, however, there were no such doubts. The mere fact that the U.S. parent company could access the data is not sufficient to cast doubt on the reliability of the contractual information. In principle, therefore, you can trust the information provided by software providers when it comes to data protection compliance.

Conclusion

Had the decision been upheld, it would have had a considerable impact on private-law issues in IT and data protection law! However, since it has now been overturned, providers with U.S. parent companies can still be considered in award procedures, and the use of such cloud providers may also continue to be possible in individual cases.

It is also clear from the decision of the OLG Karlsruhe that, in principle, one can rely on the contractual information with regard to data protection conformity and only in the case of concrete indications must further information be obtained and the performance promise reviewed.

In addition, the EU Commission is currently working with the responsible bodies in the U.S. on a future solution for data transfers between the EU and the U.S. However, such a follow-up agreement is not expected before the end of the year.
