Google Analytics is a popular service, in the Netherlands and many other countries around the world. Imagine then the magnitude of the impact that may be felt after the decision of the Austrian data protection authority (“Datenschutzbehörde”) that the use of Google Analytics was a breach of the GDPR because the data sent to Google in the US were not properly protected. In this blog, Sophie Hendriks explains the decision and its potential repercussions.
What is Google Analytics?
Analytics is a Google application that can be used to monitor and map data traffic from, to and on websites. Site managers use the service to build a clear picture of visitor numbers, traffic flows and page views. A prime gem thrown up by this data mining is visitor profiling: which visitors yield the most profit?
Decision of the Austrian data regulator
The decision of the Datenschutzbehörde has a direct link to the Schrems II ruling of July 2020. It followed from Schrems II that the transfer of personal data to third countries, more specifically the USA, is - in certain circumstances - illegal. In many cases, the appropriate safeguards provided for by Chapter V GDPR require supplementary measures to ensure an adequate level of protection.
This is where, according to the Austrian watchdog, things fall flat. The Standard Contractual Clauses put in place by Google and the supplementary measures Google says it has taken are not - in the view of the regulator - enough to satisfy the criterion of an “adequate level of protection”. Google in any event seems to have failed to provide evidence that its measures resulted in an adequate level of protection. As it is, the measures do not properly protect the data against the powers afforded to the US authorities by US surveillance laws: the very laws the Court of Justice of the European Union held in its Schrems II ruling to be a threat to the rights and freedoms of EU citizens.
It led the Datenschutzbehörde to conclude that Google is not or insufficiently capable of offering a level of protection that largely matches the EU's.
The Dutch legal framework
which requires the visitor's permission. That changes when - according to the Dutch Data Protection Authority - the data privacy settings of Google Analytics are configured in such a way that its use hardly affects the data subjects involved. In that case, the visitor's permission is not required. Which leaves the GDPR. Site owners do need to come up with an - alternative - ground to justify the processing of visitors’ personal data under the GDPR. The AP has produced a convenient guide to the Google Analytics privacy data settings.
Consequences of the Austrian decision for Dutch Google Analytics users
Until recently, it appeared that the Dutch DPA was not bothered by the use of Google Analytics. However, in response to the investigation by the Datenschutzbehörde, the AP has added a disclaimer to the guide referred to above.
In this disclaimer, the Dutch DPA states that the use of Google Analytics “may soon no longer be allowed”. Reference is made not just to the Austrian investigation, but also to two investigations the Dutch DPA has recently launched and expects to complete in early 2022. Only upon their completion will it be possible to draw any concrete conclusions as to the consequences for Dutch users of Google Analytics, although it appears that the fate of Google Analytics - and possibly that of other US service providers importing personal data from Europe - is sealed already as a result of the Austrian decision.
We will keep a close eye on developments. If this article prompts any questions, feel free to contact Sophie Hendriks.