In two recent decisions, the Austrian and French data protection authorities found that the use of Google Analytics is not GDPR-compliant, because it results in a transfer of personal data to the United States, a so-called third country, and this transfer, as implemented, is not permitted under the GDPR.
First of all, it is important to outline how Google Analytics is implemented. To use Google Analytics, the website operator inserts a piece of program code (a script) into the source code of the website. When a page is loaded, this code places a cookie in the visitor's browser and starts the so-called tracking: information is transferred to the Google Analytics server, including, among other things, browser type, browser settings, language, colour depth, screen resolution and IP address. In this process, the user is also assigned a unique identification number, which is stored in the cookie and sent along with every subsequent request.
The respective national data protection authorities found that personal data is collected in this process. Because Google assigns a unique identification number to each user and, on the basis of that number together with the parameters listed above, can single out and identify the user within the meaning of data protection law, the authorities affirmed that personal data is collected here.
Because the data was then also transferred to the United States, a so-called third country, the authorities held that such a transfer would have required either the deliberate consent of the user (so-called opt-in) or suitable safeguards ensuring that the EU level of protection for the personal data is not undermined by the transfer. According to settled ECJ case law (Schrems II), a transfer of data to the United States requires, in addition to the new standard contractual clauses, additional measures (supplementary safeguards) that guarantee the level of protection in the recipient country. The standard contractual clauses on their own are not sufficient, because the authorities in the USA are not parties to the contract and are therefore not bound by them. Since neither Google nor the website operators were able to convincingly demonstrate such additional measures, the data protection authorities declared the use unlawful (Art. 44 et seq. GDPR).
The decisions are interesting first of all because the data protection authorities left no doubt that personal data was collected. The combination of the unique identification number and the browser data with the IP address was sufficient for this on its own. The French data protection authority stated that this, together with the direct HTTPS connection between a person's terminal device and the servers operated by Google, makes it possible to re-identify the user. As a possible solution, the French authority proposed the use of a proxy server, which would in particular have to guarantee that no IP address is transmitted to the measurement servers. In addition, the proxy would have to ensure that all other data that could lead to re-identification is removed before the request is forwarded.
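To make the proxy measure concrete, the following is an added example (written for this article, not code from the page, from the French authority or from Google) of the filtering such an EU-hosted proxy would have to perform on each tracking request before forwarding it. The parameter names are modelled on the Universal Analytics Measurement Protocol (cid, dl, dr, sr, sd, ul, ua, uip) and the sample hit, the secret key and the allow-list are assumptions chosen to mirror the fields named in the text; a real deployment would adapt them to the tag actually in use.

```python
"""Sketch of an EU-hosted 'proxification' layer for a web-analytics tag.

The browser talks only to this proxy; the proxy opens its own connection to
the measurement server, so that server sees the proxy's IP address, never the
visitor's. Before forwarding, the hit is stripped of everything that could
re-identify the visitor. Parameter names are modelled on the Universal
Analytics Measurement Protocol (an assumption; real tags differ in detail).
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters the measurement backend may receive unchanged (assumed allow-list:
# protocol version, property id, hit type, page path, page title, event name).
ALLOWED = {"v", "tid", "t", "dp", "dt", "en"}

# Parameters that carry a URL and are forwarded only after stripping
# query string and fragment (document location and referrer).
URL_PARAMS = {"dl", "dr"}

# Everything else is dropped: screen resolution (sr), colour depth (sd),
# language (ul), user agent (ua), IP override (uip), Java/Flash flags, ...
# Constructed secret; in practice a key held only by the EU data exporter.
EU_HELD_SECRET = b"example-key-kept-in-the-eu"

# Request headers that must not travel onward to the measurement server.
DROPPED_HEADERS = {"x-forwarded-for", "x-real-ip", "user-agent", "cookie", "referer"}


def strip_url(url):
    """Keep scheme, host and path; drop query string and fragment, which often
    carry e-mail addresses, tokens or campaign identifiers."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymise_client_id(cid, secret):
    """Replace the cookie's client id with an HMAC under a key that stays in the
    EU, so only the exporter can link the pseudonym back to the cookie value."""
    return hmac.new(secret, cid.encode(), hashlib.sha256).hexdigest()[:32]


def sanitise_hit(query, secret=EU_HELD_SECRET):
    """Return the reduced parameter set that may be forwarded for one hit."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "cid":
            out[key] = pseudonymise_client_id(value, secret)
        elif key in URL_PARAMS:
            out[key] = strip_url(value)
        elif key in ALLOWED:
            out[key] = value
        # any other parameter (sr, sd, ul, ua, uip, ...) is silently dropped
    return out


def forward_headers(incoming):
    """Headers for the outbound request: nothing that identifies the visitor
    (client IP, forwarding chain, user agent, cookies, referrer) is copied."""
    return {k: v for k, v in incoming.items() if k.lower() not in DROPPED_HEADERS}


# Constructed sample hit, as a browser-side tag might send it.
SAMPLE_HIT = urlencode({
    "v": "1", "tid": "UA-000000-1", "cid": "555.1234567890", "t": "pageview",
    "dl": "https://example.eu/account?user=alice@example.eu#top",
    "dr": "https://search.example/?q=private+query",
    "sr": "1920x1080", "sd": "24-bit", "ul": "de-at",
    "uip": "203.0.113.7", "ua": "Mozilla/5.0 (X11; Linux x86_64)",
})
SAMPLE_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Forwarded-For": "203.0.113.7",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "Cookie": "_ga=GA1.2.555.1234567890",
}

if __name__ == "__main__":
    print(urlencode(sanitise_hit(SAMPLE_HIT)))
    print(forward_headers(SAMPLE_HEADERS))
```

The pseudonym is deliberately stable across visits so that the measurement tool can still count returning visitors; what it no longer receives is the IP address, the fingerprinting parameters, the cookie itself or any URL component that could name the person. Whether such a setup is sufficient in a given case depends on the whole arrangement, including where the proxy is hosted and who holds the key, and is for the competent authority to assess.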
On the second point, the authorities' comments make clear that the link between U.S. companies and U.S. authorities continues to be seen as problematic. The possible protective measure put forward by the French authority is interesting here, namely the encryption of the data flowing to the United States. However, the French authority pointed out that this only works if Google has no access to the decryption keys; otherwise, U.S. authorities could compel the company to hand them over. Encryption could therefore work if the keys remain in the hands of the data exporter or of another party based in the EU. It remains to be seen whether Google will respond to these considerations.
To complete the picture, it should be noted that not every third-country transfer faces correspondingly high barriers. For a number of third countries, the European Commission has issued so-called adequacy decisions pursuant to Article 45(3) GDPR. Transfers to these countries are therefore treated essentially the same as transfers within the European Union, the rationale being that these countries have established a level of protection comparable to European data protection law. These countries include Andorra, Argentina, Canada (for commercial organisations), Israel, Japan, New Zealand, South Korea, Switzerland, the United Kingdom and Uruguay.