On 22 December 2021, the Austrian Data Protection Authority (DSB), ruling in the case under examination, found the use of the Google Analytics service to be non-compliant with European legislation.
Specifically, netdoktor.at, a website dealing with health-related issues, was found to be in breach for having exported the IP addresses of European citizens – mainly Austrians – to the USA through its use of Google Analytics.
The decision was taken on the basis of a number of elements deemed irregular, including:
- the site did not use any pop-ups for acceptance
- the IPs were not anonymised, due to a technical error
- the security and organisational measures implemented for non-EU transfers were insufficient.
So, what started all this and why could it be considered illegal?
The news reached the general public on 13 January 2022 through a non-profit organisation, NOYB, which was the first to publish the decision issued on 22 December 2021. NOYB had already published on its website a list of complaints against 101 websites that, in the opinion of the organisation, do not comply with the guidelines on the transfer of personal data from Europe to the United States.
This battle began in 2020, when the European Court of Justice invalidated the Privacy Shield, an agreement between the US and the EU that allowed American companies to transfer the personal data of European users. Much could be written about this agreement – as well as about the previous attempt, called “Safe Harbor”. It suffices here to note that the European Court invalidated it because it held that United States law (specifically, the rules that allow government agencies to access company systems) does not guarantee the fundamental rights of European citizens. Despite this, the vast majority of websites still use the services of American companies.
One fact that illustrates the current, confused state of the legislation in this area is that, according to a recent intervention by the European Data Protection Supervisor (EDPS), which has jurisdiction over European institutions, the European Parliament itself violates the rules by using Google Analytics’ services.
So, where do we go from here?
There are several reasons why this is not the moment to take any hasty decisions about Google Analytics:
- The decision is not aimed at preventing companies from using Google Analytics; it refers to a specific case. What is more, there are numerous other services and tools, used every day by millions of companies, that are produced by American Big Tech and hosted on servers in the US;
- The Austrian website in question did not have a cookie banner or IP anonymisation.
The first thing to do is to make sure that sites are compliant with the guidelines on cookies and tracking tools: for the rest, we recommend monitoring the interventions of Google and European regulators and, at the same time, carrying out internal analysis with sites’ own DPOs and legal offices.
In the long run, the following scenarios seem possible:
- The US will adopt basic protections for foreign users or a new EU-US agreement will be drawn up;
- US providers will need to be able to host foreign user data outside of the US.
Through its blog, Google, for its part, has tried to provide some answers through Russell Ketchum (Director, Product Management, Google Analytics): “It is companies, and not Google, that control what data is collected with these tools and how they are used. Google only supports them”, he says, before adding, “We comply with what is laid down by the Standard Contractual Clauses.”
As Google specified through Kent Walker in the article “It’s time for a new EU-US data transfer framework”, this is a highly political issue and, until political consensus is reached on the matter, companies and citizens can only wait for a clear and shared decision by regulators, meantime continuing to monitor their compliance.
Why doesn’t Google move servers to the EU?
This might appear simple, but it is not: no American Big Tech can ignore requests by national agencies to obtain data, including those of European citizens. Companies have been looking for technological solutions, such as data encryption, for some time, but these have proved ineffective. On this subject, here is a very interesting explanation about why this transfer is not such a simple fix.
The problem with moving data to the EU, in addition to the technological aspects, is that American companies are subject to American law regardless of where their servers are located, so they are obliged to hand over data to the American authorities even if it is stored on European territory. The only real solution would be a separate company that does not allow the American parent company to access (or control) the data. Even in that case, however, it would be necessary to analyse the level of “control” over the data under US law, since the US is a common-law country (based on judicial precedent) and therefore decides such questions case by case, after the fact. In essence, a judge could still find that the parent company exercises “control” over the European branch and therefore oblige the company to give American agencies access to the data.
This article was written by Edoardo Bulgarelli, Digital Analytics Team Leader.