The legal basis for the statistics service Google Analytics is looking shaky across the EU. After the Austrian data protection authority determined that the use of Google Analytics on European Union websites was incompatible with the General Data Protection Regulation (GDPR), the Dutch authority Personal Data Officer (AP) warned: “Please note: the use of Google Analytics may soon no longer be permitted”.
On Thursday, the Dutch authority updated its own instructions for the “data protection-friendly Google Analytics service” accordingly. The AP reports on the decision of the Austrian Data Protection Authority of December 22, 2021 (GZ D155.027, 2021-0.586.257), according to which Google Analytics violates the GDPR. At the same time, the AP announces that it is investigating two complaints regarding the use of Google Analytics in the Netherlands.
The AP would like to conclude this investigation in the near future, namely “early 2022”. It will then be able to “say whether Google Analytics is authorized or not”. The AP did not withdraw the instructions released in 2018, but warned that Google’s statistics service could soon be recognized as illegal.
Austrian procedure spills over into Bavaria
In the meantime, a German supervisory authority must deal with the outcome of the Austrian decision: the Austrians have asked the Bavarian state commissioner for data protection to decide whether the website in question should be closed.
Here is how that came about: The reason for the Austrian proceeding was a complaint from a Google user who accessed an Austrian health-themed website on August 14, 2020. Since this website uses Google Analytics, data about the user was transmitted to Google, from which Google can deduce this. On August 18, 2020, the affected user lodged a complaint with the Austrian data protection authority with the help of the data protection organization NOYB.
During the ongoing proceedings, the website in question was transferred to a Munich-based company. The Austrian Data Protection Authority is responsible for deciding on the data transfers of August 2020. However, it no longer considers itself responsible for deciding whether the website should be shut down now, in 2021, for illegal behavior. As the site is now operated by a Munich publisher, the supervisory authority responsible there has been brought in.
Google doesn’t violate it, except maybe it does
The affected user complained not only about the website operator, but also about the operator of Google Analytics itself, i.e. about Google. On this point, the Austrian Data Protection Authority has determined that Google has not violated Article 44 of the GDPR, as that article concerns the disclosure of personal data. Although the website operator has disclosed personal data to Google, Google itself, as far as is known, has not disclosed the data to any third party.
So Google did not violate Article 44. However, this is expressly only a partial decision. The Austrian data protection authority is still examining whether Google, with Google Analytics, violates other provisions of the GDPR.
Why Google Analytics should not be used
According to the decision of the Austrian Data Protection Authority, the use of Google Analytics on the website was illegal because the service collected personal data and transferred it to Google. Google is subject to surveillance by US intelligence agencies under US law. This means that Google cannot offer an adequate level of protection under Article 44 of the GDPR. The standard contractual clauses introduced by the website operator do not help, as the European Court of Justice (ECJ) recognized in its decision on the “Privacy Shield” (Schrems II) in 2020.
The decisive factor for the legal assessment of the use of Google Analytics is not whether a US secret service actually obtained the data or whether Google actually determined the identity of the user, but that this would be possible. It is true that Google users can make a setting in their Google accounts with which they prohibit Google from evaluating their use of third-party websites in detail. But that is just proof that Google is fundamentally capable of merging usage data with the person; otherwise this setting would be pointless.
The 2020 ECJ ruling also explains the current warning from the Dutch authority. Its instructions for the “privacy-sensitive configuration of Google Analytics” are dated August 2018; that was almost two years before the ECJ quashed the EU-US data protection agreement “Privacy Shield”. The move is one of the biggest successes of the NOYB data protection organization to date.