Google Analytics remains one of the most widely used analytics tools for analysing website traffic and user behaviour. However, it is becoming increasingly difficult to justify the use of Google Analytics on websites in the EU.
Following the ruling of the Court of Justice of the European Union on the invalidity of the Privacy Shield, the data protection association European Centre for Digital Rights (noyb), founded by lawyer and activist Max Schrems, has filed 101 complaints. The first decisions make it clear that the use of Google Analytics in the EU is illegal. Similar decisions by the other authorities are expected to follow.
The German supervisory authorities are also positioning themselves more and more clearly against the use of Google Analytics. In particular, they criticise that the general principles of data transfer to a third country are violated, as Google Analytics transfers personal user information to Google’s corporate headquarters in the U.S. The fact that European authorities are now gradually declaring US services non-compliant particularly increases the pressure on EU companies to opt for secure and compliant tools.
In this article, we take a closer look at the tool and analyse the data protection aspects. We also explain what this means for companies and whether there is an acute need for action.
Current developments concerning Google Analytics
23 March 2023: The Regional Court of Cologne (Germany) held that data transfer to the U.S. in the context of Google Analytics was unlawful
The Regional Court of Cologne prohibited Telekom Germany from transferring personal data to Google servers in the U.S. for analysis and marketing purposes. The lawsuit was filed by North Rhine-Westphalia Consumer Centre.
The Consumer Centre argued that the transfer of personal data to the U.S. violates the provisions of the GDPR, and in particular the requirements of the Schrems II ruling. Telekom Germany argued that the transfer of personal data to the U.S. took place on the basis of standard contractual clauses and was therefore lawful.
The court invoked the CJEU’s Schrems II ruling that standard contractual clauses alone are not sufficient to ensure an adequate level of protection, especially regarding access to data by U.S. authorities. The court pointed out that additional measures are necessary to ensure the protection of personal data, for example using encryption or pseudonymisation. The court also stated that a simple consent via the cookie banner using the “accept all” button is not sufficient for an explicit consent for the third country transfer to the U.S.
Only two weeks after the decision of the Austrian data protection authority, the French data protection authority (CNIL) has also decided that the use of Google Analytics on websites is not compatible with the General Data Protection Regulation (GDPR). Although Google has taken additional protective measures for the transfer to the U.S., these are not sufficient to exclude access to this data by US intelligence services. This decision is based on one of the 101 complaints by noyb mentioned above.
In response to the decision of the Austrian supervisory authority, the Dutch Data Protection Authority (AP) now also warns against the use of Google Analytics. It not only informs about the decision of the Austrian data protection authority, but has already updated its guidance (available in Dutch only) on the data protection-friendly setup of Google Analytics accordingly. Although the AP has not yet withdrawn its guidance, it now includes a warning that the use of Google Analytics may soon no longer be permitted. In addition, the authority announces that it is itself investigating two complaints about the use of Google Analytics in the Netherlands.
As the first national supervisory authority, the Austrian data protection authority took a decision on one of noyb’s complaints regarding the use of Google Analytics. The supervisory authority considers the use of Google Analytics on websites to be against the provisions of the GDPR on third country transfers and therefore unlawful. Above all, the authority sees the general principles of data transfer pursuant to Art. 44 GDPR violated, as Google’s analytics programme transfers personal user information to the parent company in the U.S.
At the beginning of January 2022, the European Data Protection Supervisor (EDPS) sanctioned the EU Parliament for the use of tracking through Google Analytics. This is one of 101 complaints filed across Europe by the data protection association noyb, founded by lawyer and activist Max Schrems. In his decision, the EDPS highlights that on an internal Corona test page of the EU Parliament, Google Analytics was unlawfully integrated. The EDPS confirmed that there was no adequate level of protection in the transfer of data by Google Analytics to the US. The EU Parliament was unable to provide evidence of adequate protections. In addition, the cookie banner, through which users consent to the processing of their data, was unclear and misleading.
Shortly before Christmas, the German Conference of Data Protection Authorities (DSK) took a very strict position on the transfer of tracking data to third countries. In its guidance (available in German only), the DSK clearly positions itself against the use of such tools, which also include Google Analytics. Thus, their use is essentially not permissible in compliance with the law.
In addition, the DSK is of the opinion that consent pursuant to Art. 49 (1) (a) GDPR cannot be used for third-country transfers. However, this legal interpretation is controversial because, if one follows it, citizens are being patronised. An informed citizen should be able to decide for himself about his data. The DSK’s view could be seen as an encroachment on the fundamental right to informational self-determination. A judicial decision will probably have to be made here in order to give clarity.
Data protection aspects with Google Analytics
Google Analytics is now not only a tool for statistical analysis (reach measurement), but has developed into a comprehensive tool with which website operators can track their website performance and analyse the behaviour and needs of their visitors. In order to offer this service, Google Analytics also processes personal data.
However, the complexity of the Google Analytics settings is very high. The collection of (personal) data often takes place unwittingly and thus often remains unnoticed.
Is personal data actually processed with the help of Google Analytics?
Depending on the characteristics and configuration, Google Analytics records different data categories and data amounts of website visitors. Google Analytics at minimum always processes the IP addresses and cookie data of website visitors, as well as other user data, such as information on the browser, operating system and date and time of the website visit.
As data protection officers, we are regularly confronted with the opinion that this data is not personal data and that the website operator cannot draw any conclusions about individuals from it. Google also claims in its Google Analytics help pages that the collected usage data is not “personally identifiable information”. That this statement is incorrect becomes clear in the following explanations.
According to the definition in Art. 4(1) GDPR, personal data is any data that can be used to identify a natural person in any form. The definition explicitly mentions online identifiers, such as those used by Google, with which an assignment can be derived and through which a person becomes identifiable.
Note that identifiability does not require that such numbers also be associated with one uniquely determinable data point, such as the person’s name. By definition, even a digital footprint that allows the specific user to be uniquely individualized constitutes personal data. Due to the uniqueness of the Google Analytics identifiers, the condition is thus fulfilled, especially since these identifiers are combined with other user data (such as browser data or IP addresses). Thus, identification of the user is all the more likely.
It is also not decisive whether an identification is actually made. The mere possibility of being able to identify a person is sufficient for the GDPR to apply.
The fact that the means of identifiability when using Google Analytics lie with Google and not with the respective website operator has no influence on this consideration. It is also not necessary that the website operator alone can establish a personal reference and thus has all the information required for identification. Rather, it is sufficient that any person and with reasonable effort (in this case Google) can establish this personal reference. This can be derived from Recital 26 of the GDPR, according to which the question of identifiability must take into account not only the means of the responsible party (the website operator), but also those of “another person”. It should also not be forgotten that the GDPR aims to provide data subjects with the greatest possible protection of their data, regardless of who processes the data.
The cookies set by Google Analytics, such as “_ga” or “cid”, contain client IDs and the cookie “_gid” contains user IDs that are stored on the end device or browser. Both client IDs and user IDs are unique user identification numbers, i.e. online identifiers that serve to identify natural persons and are specifically assigned to a website visitor.
With the help of the Google Analytics identification numbers, it is therefore possible to distinguish website visitors and, for example, also to obtain information as to whether it is a new or a returning website visitor. The DSK already refers to this and clarifies that the usage data processed by Google Analytics, and other device-specific data that can be assigned to a specific user, is personal data within the meaning of the GDPR.
Furthermore, an even clearer allocation takes place as soon as a website visitor is logged in with his or her own Google account at the time of visiting a website on which Google Analytics is integrated.
Not only the cookies set by Google Analytics contain personal data. The processing of the IP address is also personal data, especially because – as with the cookies – it can be combined with other elements, in particular the Google Analytics identification numbers.
In a statement to the Austrian data protection authority, Google argues that insofar as Google Analytics data is considered personal data, it must be considered a pseudonym. This statement is also untenable. In its guidance for telemedia providers, the DSK already convincingly outlined in March 2019, the fact that users are made identifiable, for example via IDs or identifiers, does not constitute a pseudonymisation measure within the meaning of the GDPR. Unlike in cases where data is pseudonymised in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, the Google Analytics identifiers are used to make the individual website visitors distinguishable and addressable.
Problem IP anonymisation
It is regularly claimed that the evaluations are carried out anonymously using Google Analytics and that no reference to a specific user is possible. Website operators can use the function “_anonymizeIp()” in the tracking code to shorten the IP addresses.
Although the shortening of the IP address represents an additional measure in accordance with Art. 25 (1) GDPR (data protection through technology design and through data protection-friendly default settings), it does not result in the complete data processing being anonymised. Firstly, it should be noted that the IP address is initially collected in full and only anonymised subsequently in a second step. Secondly, regardless of the settings selected, the data processing by Google Analytics, as described above, is not anonymised. This is because, in addition to the use of the IP address, further usage data is collected that is to be assessed as personal data. Thus, the scope of application of the GDPR is opened in any case, i.e. even if the shortening of the IP addresses is initiated.
Does a data transfer take place?
However, by collecting data from multiple sources, additional user characteristics such as gender and location can be identified. For example, thanks to the Google Analytics code on the company website, advertisers can evaluate the preferences of visitors in Google Ads based on the content they consume. This in turn makes it possible to target these users with advertising.
With the data collected by Google Analytics, Google can therefore create user profiles of website visitors.
Problem: third country transfer
As soon as personal data is transferred to a third country, it must be confirmed whether there are appropriate safeguards for this transfer. Google distributes the data collected via Google Analytics to randomly selected cloud data centres, most of which are located in the U.S.
In the absence of an adequacy decision for the U.S., Standard Contractual Clauses must be concluded. The Court of Justice of the European Union (CJEU) has stated in its judgment of 16 July 2020 (“Schrems II”, Ref.: C-311/18) that the recipient of the data cannot, however, guarantee the necessary level of data protection in the third country concerned on the basis of the Standard Contractual Clauses alone. Moreover, there may be situations where the rules contained in the clauses may not be a sufficient means to ensure in practice the effective protection of personal data transferred to the third country concerned. This is regularly the case when the law of that third country allows its authorities to interfere with the rights of the data subject in relation to that data. After all, the clauses are concluded between the companies concerned and state authorities are regularly not party to the contract, and thus not bound by its content.
Where the law of the third country affects the effectiveness of appropriate safeguards such as the Standard Contractual Clauses, the data exporter must either suspend the data transfer or implement additional measures.
Due to the legal situation in the U.S. and the implementation of regulatory monitoring programmes (e.g. based on Section 702 FISA), the mere conclusion of Standard Contractual Clauses does not provide an adequate level of protection under Art. 44 GDPR for data transfers to Google in the USA.
Thus, website operators are required to implement additional measures in addition to the conclusion of the Standard Contractual Clauses. In connection with the use of tracking services, such as Google Analytics, it is usually not possible to implement additional measures.
In its recommendations 01/2020 on supplementary measures on transfer instruments for international data transfers, the European Data Protection Board (EDPB) also clarifies that there are currently no technical solutions – neither for cloud computing nor for intra-group data transfers. Above all, a sufficient encryption of the data is not possible, since due to the necessity of data access by the recipient to unencrypted data, the encryption must after all be temporarily lifted.
As a rule, service providers such as Google secure supplementary contractual clauses to protect the data in the third country, e.g., the obligation of the data importer to inform the data exporter immediately if changes in security laws make it impossible for him to fulfil his contractual obligations. However, such contractual obligations are likely to be insufficient, as such contractual measures cannot prevent access. In addition, American authorities in particular can order affected companies not to inform their customers about the access request (so-called gag orders). It should be noted once again that contractual measures of any kind cannot generally bind the authorities of the third country if they are not themselves a party to the contract.
Measures taken by Google
- Notification of data subjects about data requests by the intelligence services (if this is permissible at all in individual cases).
- Publication of a transparency report or a “policy for dealing with government enquiries”.
- Careful examination of every data access request by intelligence services.
- Protecting communications between Google services, protecting data in transit between data centres, and protecting communications between users and websites.
- Implementation of “on-site security”.
- Encryption of “data at rest” in the data centres.
The extent to which such measures help to ensure the required level of data protection is not apparent. It cannot be deduced from these measures how “a careful examination of a data access request” constitutes an effective measure to prevent or limit access by US intelligence services.
The encryption technologies put forward by Google also do not indicate how they actually prevent or limit the access possibilities of US authorities on the basis of US law. In particular, the encryption of “data at rest” in Google’s data centres is not a suitable guarantee. This is also explicitly highlighted in the EDPB’s Recommendations 01/2020, which state that a data importer subject to FISA 702, such as Google, has a direct obligation to provide access to or surrender imported data in its possession or custody or under its control. This obligation therefore extends to the cryptographic keys without which the data cannot be read.
Since it is currently not possible for website operators to achieve an essentially equivalent level of data protection with additional measures, a service such as Google Analytics may not be used in this form and thus may not be integrated on the website.
Consent as a solution?
Since no suitable guarantees can be applied in connection with the integration of Google Analytics and the use of its services, it must be confirmed whether an exceptional circumstance pursuant to Art. 49 of the GDPR exists. In this case, transmission based on the explicit consent of the data subject is possible (letter a).
Website visitors must be clearly informed that data is stored in the U.S. and that both Google and government authorities have access to this data and that there is no legal remedy against the latter.
Whether consent can be used as an exceptional circumstance for third-country transfers is currently being discussed by experts.
Arguments against consent as an exception include, in particular, the requirement that consent must be obtained for the specific individual case at hand. It is argued that general consent for the permanent transfer of data to a third country for one or more purposes cannot be based on Art. 49(1)(a) GDPR. Recital 111 of the GDPR states that the transfer may only take place occasionally. If it is a repeated transfer, as is the case with Google Analytics, consent cannot be used as an exception to the rule that personal data may only be transferred to a third country if that third country provides adequate data protection or, alternatively, appropriate safeguards are applied. In this context, it means that occasionally the transmission may take place more than once but by no means regularly.
In contrast, statements are made that such an interpretation of the law is patronising to citizens. An informed citizen should be able to decide for himself about his data. This is an encroachment on the fundamental right to informational self-determination.
Although it can be seen from the opinions of the EDPB and the DSK which requirements the authorities have for consent with regard to third country transfers, these do not have a binding character. A final review is still subject to the courts.
It should also be mentioned at this point that for consent to be effective, the website operator must always fulfil the requirements of Art. 7 of the GDPR. This means that in addition to information about the third-country transfer and the associated processing, data subjects must receive information about the data processing by the data controller, i.e. also about the processing that Google carries out for its own purposes. Especially the latter will regularly cause difficulties, as Google does not clearly indicate what the data are processed for. Irrespective of the third country transfer, it will therefore be difficult to obtain informed consent from website visitors.
In addition to the informed and voluntary nature of the consent, it must also be ensured that a corresponding declaration of consent is issued by the website visitor before data is processed with the help of Google Analytics.
Conclusion: stay away from Google Analytics
Essentially, the use of Google Analytics is currently not possible in a legally compliant manner. One could even go so far as to draw the conclusion from the above that EU companies cannot actually use US cloud services any more. As the first originator of the data, the website operator is always responsible for using and implementing compliant solutions. The decisions of the supervisory authorities are therefore always directed at the website operators, and not at Google Analytics. Website operators are requested to stop using the Google Analytics functionality under the current conditions, and to rely on tools that do not transfer personal information to an unsecure third country.
US companies would have to technically adapt their services to be compliant with the GDPR. Unfortunately, we currently only see the tendency of inserting a few fancy advertising texts into privacy policies and the CJEU ruling continues to be ignored.
Companies that do not want to suspend Google Analytics can, of course, risk using it on the basis of consent pursuant to Art. 49 GDPR. It certainly would be interesting to see how the courts decide on this approach.