In the wild west that is the digital transfer of data, the decision made by the Austrian Data protection authority, the Datenschutzbehörde (hereafter ‘DSB’) on the 22nd December 2021 seems like the long awaited beginning of the end for unchecked international data transfers from the EEA to US-based tech giants such as Google and Facebook. Does GDPR mean the end of Google Analytics?
The beginning of the end for Google Analytics.
In the wake of the Schrems II decision, noyb, the non-profit organisation headed by Max Schrems, didn’t stand idly by, but filed a whopping 101 complaints regarding data transfers from EEA-based websites to the USA, which they deemed illegal. A first decision on these complaints has now been issued by the DSB and it looks like things are not getting easier for Google, Facebook, and the like.
Just as a reminder: with the Schrems II decision, the European Court of Justice ruled that any international transfer of personal data from the EEA to US-based providers, who are bound by rules imposing them to provide certain US intelligence services access to these data, are in violation of the international GDPR data transfer rules. This decision made the whole Privacy Shield Framework, allowing ‘safe’ transfers of data from the EEA to the USA, null and void, ushering in a new age where EEA-based companies can no longer use US-based cloud servicing providers such as Google.
Sweeping under the rug, no more.
The recent decision from the DSB shows that the Schrems II ruling is not to be ignored by tech giants and will be enforced on all levels. It is no secret that to this day, the majority of EEA-based websites use Google Analytics as their tool of preference to analyse the behaviour of their website’s visitors. This is logical since the tool itself is free to use (visitors pay with their data) and gives one of the most complete analyses of website data on the current market. This has emboldened Google in its impression that it could continue transferring date from the EEA to the USA as if the Schrems II ruling never happened. The DSB decision has finally put a first stop to this unruly behaviour by the tech giant.
The decision states firstly that in using Google Analytics, the website provider has been sending personal information to Google in the USA. Google and the website provider tried to argue that it didn’t concern Personal Information but rather anonymised information, but this argument was waived by the DSB, seen as Google can easily (re)identify the website visitors, using amongst others, their IP addresses, and other unique identifiers such as cookies. The fact that Google allows its users to opt in and out of personalised ads shows that they possess all means to identify the website visitors.
A losing battle: Does GDPR mean the end of Google Analytics?
Subsequently, the international transfer of data from the EEA to the USA falls under GDPR rules. The transfer was analysed and deemed not compliant with the international data transfer rules of article 44. Moreover, following the measures put in place by the GDPR to ensure an adequate level of data protection, were deemed insufficient. The Standard Contractual Clauses and the basic technical and organisational measures as provided under article 32 of the GDPR that were put in place by Google, notably, do not provide an additional and adequate protection against intrusion of the transferred data by US intelligence services.
This decision, probably the first of many, will have serious implications for both EEA website providers and Google and the likes, seen as the use of its Google analytics tool, a major component of its advertisement basis, is de facto outlawed in its current state. Google has responded in a statement to the decision made by the DSB with the very same arguments that were brushed aside by the decision, which obviously doesn’t help their case any further. The fact that Google’s chief legal officer at the same time is asking for a new EU-US data transfer network, also hints at the fact that they cannot guarantee an adequate level of protection for the current transfer of personal data from the EEA to the USA, and thus have no measurable defence against the decisions made by European Data Protection Authorities that are yet to come.
A Rippling Effect
The decision has already caused a significant rippling effect amongst the other data protection authorities. The Datatilsynet (Danish Data Protection Authority,) for example, will carefully read the decision from the DSB. Others will most definitely follow and create guidelines based on these decisions. This trend will likely be noticed in almost every other EEA-country falling under the GDPR scope.
In addition,, the Guernsey Data Protection Authority has removed Google Analytics from its website as a show of support and compliance with the GDPR rules, following the Schrems II ruling and the decision made by the DSB.
The Dutch Data Protection Authorities, the Autoriteit Persoonsgegevens, has already published a guidance on how to configure the Google Analytics settings for Dutch website providers, clearly stating that it may well be possible its use of Google Analytics might be banned in the near future, an ill omen for Google. There are currently two investigations ongoing regarding the matter, which will probably be completed in the coming months and will decide the fate of Google Analytics in the Netherlands, with more data protection authorities expected to follow suit.