Contractors, does the ruling against Google Analytics affect you?

In a case brought by the non-profit group None Of Your Business (NOYB) against an Austrian website operator and Google, the Austrian Data Protection Authority (DPA) has published a decision finding that the use of Google Analytics is currently violating the GDPR, writes Evane Alexandre of Gerrish Legal.

What are the implications of this decision against Google Analytics?

As a reminder, ever since the European Court of Justice invalidated the Privacy Shield in its Shrems II decision of July 2020, the transfer of personal data from the EU to the US is only possible under Article 46 of the GDPR (i.e. if ‘appropriate safeguards’ are in place).

The European Commission’s Standard Contractual Clauses (SCCs) were, for a time, thought to constitute an appropriate safeguard. However, because of US surveillance laws, SCCs were found to be insufficient to ensure an adequate level of data protection and it is thus necessary for data controllers or processors to set up additional technical and organisational measures.

The Austrian DPA’s decision: what it says

In the case at hand, the Austrian website operator had entered into old SCCs with Google, and not the new ones that were published by the European Commission in June 2021. Moreover, the authority found that the technical measures implemented by Google (i.e. data encryption) were insufficient, as they do not eliminate the possibility of surveillance of, and access to, personal data by US intelligence authorities, to the extent Google has the possibility to access the data in plain text.

Finally, regarding the organisational and contractual measures implemented by Google, which include an obligation to notify data subjects about government access requests, to publish transparency reports, maintain a policy on the handling of government authority requests, and carefully assess each government authority request, the Austrian DPA found that they were generally insufficient to ensure an adequate level of protection for data transfers to the US.

Legally binding?

Accordingly, the Austrian DPA’s view, generally, is that using SCCs (and especially old SCCs), even with supplemental measures, does not guarantee a safe transfer of data to the US. Therefore, Google Analytics cannot be used in accordance with the requirements of Chapter 5 of the GDPR (transfers of data to third countries), meaning that the use of it by data controllers, such as website operators, would be contrary to the data protection laws such as the GDPR.

While the decision from the Austrian DPA is not yet legally binding, its effects should not be underestimated, especially in the light of the recent European Data Protection Supervisor’s decision, ruling that the EU Parliament also violated data protection law on its COVID testing website, highlighting that the use of Google Analytics violated the GDPR. In this case, the EDPS also found that the EU Parliament failed to demonstrate it had applied any supplemental measures to ensure that personal data transfers to the US would be adequately protected.

What can website administrators, and others do for protection?

There are still many uncertainties surrounding this decision and its effect for data controllers and processors using the Google Analytics tool. The group NOYB, having filed over 100 identical complaints before 30 other European DPAs, insights from these other cases, notably in the Netherlands where the Dutch DPA already published an update to its guide on how to configure Google Analytics cookies, will help give a steer on how to proceed.

In the meantime, as an EU-based data controller or processor using Google Analytics, while awaiting for a more definitive outcome, two directions can be considered:

• avoiding any risk by turning off and no longer using Google Analytics or similar cookies/analytics tool, or
• if you accept the potential risk of continuing to use Google Analytics, ensuring at the very least the new SCCs are in place with Google and cookies/analytics providers located in the US.

What can companies do to protect themselves?

Moreover, companies should reassess all other tracking technologies used so they can be easily turned off in respect of EU data subjects, or being able to provide the necessary documentation and evidence of supplemental measures upon request by a relevant DPA depending on the strategy adopted.

More broadly, if you are a US company or if you regularly use suppliers in the US, ensure that you have your own supplemental measures in place -- as soon as possible, and be able to present these to customers/data subjects/DPAs, as needed.

Finally, if you are a UK based business using Google Analytics, then we recommend you pay close attention to the rules, as this is a changing landscape. Indeed, the Information Commissioner’s Office has confirmed that the new UK version of the SCCs should come into force in March 2022, subject to parliament’s sign-off. Almost needless to say, it will be very interesting to see the UK government’s approach to this Google Analytics case!