I got a notice from a marketing friend of mine that may point to the fact that GDPR forbids the use of Google Analytics. Google Analytics is one of the most widely used ways to identify traffic on websites, and the implications of its non-compliance are wide-reaching as not many viable alternatives exist.
Below is the text of the message:
Apparently, Google Analytics may now be disallowed by GDPR:
The Austrian Data Protection Authority (the DSB) and the EU institutions’ data protection authority (EDPS) have decided that the use of Google Analytics violates the GDPR. In particular, they found that Google Analytics’ transfers of personal data to the US are incompatible with the 2020 European Court of Justice ruling, which stated that the Privacy Shield, the mechanism for EU-US personal data transfers, was unlawful. The decisions, which come following over 100 complaints filed by privacy group None of Your Business, could open the door for other organizations using Google analytics to be in breach of GDPR in the future.
Context
In July 2020, the European Court of Justice invalidated the Privacy Shield, a mechanism used to transfer personal data from the EU to the US (the so-called ‘Schrems II’ ruling). According to the Court, the Privacy Shield’s safeguards were insufficient given that US intelligence services could access data of European citizens. The Court also ruled that Standard Contractual Clauses (SCCs), which companies use as safeguards for data transfers outside of the EU, would not be sufficient to protect personal data in the US.
In August 2020, privacy group None of Your Business (NOYB), led by Max Schrems, filed 101 complaints in 30 EU and EEA member states against website providers, as well as Google and Facebook. The group claimed that Google Analytics and Facebook Connect continue to rely on the Privacy Shield or use SCCs for data transfers from the EU to the US, and therefore, violate the Schrems II ruling and GDPR.
The Austrian and EDPS decisions
Last week, the Austrian DSB found that a health-focused website’s (netdoktor.at) use of Google Analytics was incompatible with the Schrems II ruling. The Austrian data protection authority stated that the use of Google Analytics constituted a transfer of personal data to the US and would therefore require additional safeguards. However, the authority found that the safeguards Google had put in place, including encryption and pseudonymization, were insufficient. Netdoktor.at, as an EU-based company transferring personal data to a US-based recipient, was therefore found in breach of GDPR. It also noted that SCCs, binding corporate rules (BCRs), certification, and other safeguards provided by the GDPR’s Article 46 are not sufficient to protect personal data transferred to the US.
In parallel, the EDPS found that the European Parliament’s COVID-19 test booking website was using Google Analytics and Stripe, both of which transferred personal data to the US in contravention with the Schrems II ruling. The EDPS found that the Parliament had failed to apply any special measures to ensure that any associated personal data transfers to the US were adequately protected.
Implications for advertisers
The Austrian and EDPS decisions emphasize the significance of the Schrems II decision for digital services that advertisers commonly rely on, and could mean that EU website providers are in breach of GDPR for using Google Analytics and other US-based digital services in the future. Most recently, a German court ruled that websites could not set cookies provided by companies using US-based cloud services, as this would involve personal data transfers to the US. Although the Austrian DPA and the EDPS are the first to target Google Analytics’ incompatibility with the Schrems II ruling, other DPAs may soon follow suit. An investigation on this topic is already underway in the Netherlands.
With Bit Discovery, you can identify all sites that use GA by searching for “Google Analytics has any value.”