Google Analytics under fire in Europe – are we another step closer to data localisation?

While many of you might wonder why this should even be of interest, particularly since the UK is no longer part of the EU, this decision is likely to have major ramifications not only across Europe but in the US as well. It will be hard for the ICO not to at least consider commentary from European regulators in this area; and for clients with European operations as well as UK operations it is of course directly relevant.

The decision has been made in response to a complaint made by Max Schrems’ privacy activist group None of Your Business (NOYB) in relation to use of Google analytic cookies (following on from Max Schrems’ landmark case on international transfers in 2020 (Schrems II) (for more information see our article here Schrems II). This complaint is one of the 101 complaints filed by NOYB across 30 EU and EEA member states, that allege companies using Google Analytics were failing to comply with the Schrems II decision and the requirements of Chapter V of the GDPR.

This particular complaint in this case from NYOB involved the use by NetDoktor, the Austrian website in question, of Google Analytics (one of the most popular analytics tools on the market) for website analytics purposes. It was argued here that use of these Google analytics cookies enabled IP addresses and other identifiers that were being collected by the Google analytics cookies to be directly transferred to the US (to Google LLC).

The key issues in this case were:

• Was the data transferred using Google Analytics “personal data” as defined in the GDPR?

• Was the data transfer to the US via Google Analytics a GDPR compliant transfer?

Was the data in question “personal data”?

The first question was whether this data transfer was a transfer of “personal data” and thereby caught by requirements of the GDPR. In response to previous investigations carried out by German data protection authorities, Google Analytics do offer website operators an anonymise IP function, which website operators can select when deploying the Google Analytics cookie. This function was offered by Google to enable website operators to measure the website traffic without collecting personal data and as such Google argued in the case that no personal data was involved.

The DPA however found that the anonymisation function was not properly implemented and therefore it would be possible to link the transferred data back to a natural person if it was combined with other data. Regardless of this deficient implementation, the DPA went on to conclude that the unique identifiers stored within certain cookies could be used to differentiate and identify users by either the company or Google, meaning that there was processing of personal data as defined in the GDPR. This reasoning is another example of how broadly EU regulators interpret the notion of personal data when considering whether personal data processing was established.

Did the transfer comply with GDPR?

Once it was established that the processing did involve personal data the DPA found that the transfer of personal data to Google LLC in the US was in breach of Article 44 GDPR.

While the company and Google LLC had entered into data processing agreements, which included the old EU Standard Contractual Clauses (SCCs), and had implemented additional technical and organisational - and contractual - measures, the DPA found these did not provide the adequate level of protection required. Google LLC could qualify as an “electronic communication service provider” under US surveillance law, and therefore the transfer required not only SCCs but the relevant supplementary measures, “if possible and sufficient to remediate the problem”, i.e. to prevent or mitigate access to the data by surveillance agencies.

The Austrian DPA did not consider the measures put in place between the company and Google LLC, including the encryption measures deployed, sufficient as they did not remove the possibility of US authorities conducting surveillance nor of them accessing the personal data.

In particular, the DPA concluded (referring to the EDPB Recommendations 01/2020) that as Google LLC have a “direct obligation with regard to the imported data that is in his possession, custody or control to grant access to or release them. This obligation can expressly also apply to the cryptographic key without which the data cannot be read” therefore the data was not sufficiently protected.

Opening of the floodgates?

As mentioned above, in light of the other 100 claims issued by NOYB, it is expected we will see decisions on the use of Google Analytics from other regulators. In particular, the Dutch DPA has confirmed it is investigating two complaints about the use of Google Analytics and has updated its website referring to the Austrian DPA decision, saying:

“After completion of that investigation, in early 2022, the DPA can say whether Google Analytics is now allowed or not.”

So what does this mean for anyone using Google analytics?

Although we are still awaiting a more formal response from Google as to whether they will appeal (so far we have just heard from Kent Walker, President, Global Affairs & Chief Legal Officer, Google & Alphabet who has flagged the risks of this unpractical decision and called for an EU-US transfer framework asap It’s time for a new EU-US data transfer framework), as it currently stands this decision appears problematic for continued use of Google analytics cookies which involve data being transferred to the US unless a EU-US data transfer framework is implemented imminently. This decision also questions the use of Google anonymise IP function which will be a concern for many, particularly in Germany where it is a legal requirement to implement the anonymise IP function.

Interestingly, it has not yet been published what penalty, if any, Netdoktor will suffer as a result of this infringement but one would hope that the relevant enforcers (we understand the penalty will not be determined by Austrian DPA but referred to a German supervisory authority due to fact the relevant Netdocktor entity was based in Germany) will show some pragmatism here, bearing in mind how many websites use Google analytics.

Whilst we don’t encourage an over-reaction at this stage until more detail emerges and we start seeing how regulators follow suit, this decision will certainly be yet another headache for those website operators who are heavily reliant on the use of third-party cookies. It is important that if you are a website using cookies you are completely on top of the international data flows and what Schrems II mitigations you have put/got in place; and how they stack up against this decision.

Not just Google under fire!

On 5 January 2022, the EDPS issued a reprimand to the European Parliament for infringing the GDPR on several grounds, including:

“Article 46 and Article 48(2)(b) of the Regulation, due to its reliance on the Standard Contractual Clauses in the absence of a demonstration that data subjects’ personal data transferred to the US were provided an essential equivalent level of protection; …

Article 37 read in the light of Article 5(3) of the ePrivacy Directive, due to its failure to protect information (the cookies) transmitted to, stored in, related to, processed by and collected from the users’ terminal equipment”.

The reprimand related to a Covid-19 test booking website, dating from September 2020, which was using cookies associated with Google Analytics and Stripe. The cookies in question were only present on the website between 30 September and 4 November 2020.

Again, the US surveillance regime was in the spotlight, as the EDPS held that the European Parliament had failed to demonstrate the adequate level of protection for data transferred to the US. The Parliament had not provided any “documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.”

While the offending cookies were no longer on the website (as of November 2020), the European Parliament was ordered “to update its data protection notices in the dedicated website in order to provide all relevant information relating to the processing of personal data” within one month of the decision.

Whether or not a co-incidence (suspect not!), the timing of the Austrian decision being made public only a few weeks after the EDPS commentary is interesting.

What about the wider implications? Can Europe stop its inevitable slide into data localisation?

While problematic from a practical perspective, the Schrems II decision has encouraged those data exporters and data importers who had previously regarded the use of SCCs as a paper exercise to take more measures to ensure the safe transfer of personal data. As a result (and despite the headaches it poses), it was largely welcomed by DPAs that more thought was being given to whether a transfer was proportionate and ensuring data importers have proper, robust systems and processes in place to protect the data. In addition, the new EU SCCs and the related commentary from the European Commission and the EDPB with practical guidance about Schrems II and risk profile, had all added to the sense that if you were a reasonable and diligent controller or processor exporting data you might not get criticised.

However, over the last 18 months since the Schrems II, sentiment in some quarters has changed.

The constant attacks on US service providers from the EU (of which both the EDPS and the Austrian decision discussed above are examples) are starting to wear thin particularly when they are based on technical theory not practical reality. As Kent Walker points out, to date Google has never received a Governmental request for Google analytics data! It is one thing sending data to a territory with no protections, with no due diligence and no thought, it is another sending vanilla data to the US to a company that has spent billions on data protection. As a result, to some this constant attack makes the EU look over-protective, and hell-bent on a road to data localisation (or a change to the US legal framework).

Max Schrems has of course made the point the Austrian decision might not be read just in relation to Google Analytics, or cookies, but to all transfers to the US (and presumably to many other countries). It will be interesting to see what the Dutch DPA decides in the coming weeks and whether other EU countries follow suit; and whether they limit their commentary to cookies only or widen the net to catch all transfers more generally.

It will also be interesting to see how the ICO react to this latest decision (particularly with a new person at the top and existing UK/US data partnership negotiations on the table). Will the ICO follow suit with the other EU regulators or take their own stance? We hope that the ICO will continue to adopt a measured approach, although, with the UK’s own adequacy in the balance, if EU institutions do follow the Austrian DPA it will certainly not be an easy decision for the ICO to adopt a position that is contrary to the rest of the EU.